diff --git a/assets/amd/amd-gpu-0.12.0.tgz b/assets/amd/amd-gpu-0.12.0.tgz
new file mode 100644
index 000000000..47cc1b169
Binary files /dev/null and b/assets/amd/amd-gpu-0.12.0.tgz differ
diff --git a/assets/argo/argo-cd-5.53.8.tgz b/assets/argo/argo-cd-5.53.8.tgz
index ba825cef4..88f0b5bcb 100644
Binary files a/assets/argo/argo-cd-5.53.8.tgz and b/assets/argo/argo-cd-5.53.8.tgz differ
diff --git a/assets/argo/argo-cd-6.0.5.tgz b/assets/argo/argo-cd-6.0.5.tgz
new file mode 100644
index 000000000..97de361be
Binary files /dev/null and b/assets/argo/argo-cd-6.0.5.tgz differ
diff --git a/assets/bitnami/airflow-16.5.5.tgz b/assets/bitnami/airflow-16.5.5.tgz
new file mode 100644
index 000000000..2bd13e917
Binary files /dev/null and b/assets/bitnami/airflow-16.5.5.tgz differ
diff --git a/assets/bitnami/cassandra-10.9.0.tgz b/assets/bitnami/cassandra-10.9.0.tgz
new file mode 100644
index 000000000..d1e1552dc
Binary files /dev/null and b/assets/bitnami/cassandra-10.9.0.tgz differ
diff --git a/assets/bitnami/kafka-26.8.5.tgz b/assets/bitnami/kafka-26.8.5.tgz
new file mode 100644
index 000000000..4fb5101ae
Binary files /dev/null and b/assets/bitnami/kafka-26.8.5.tgz differ
diff --git a/assets/bitnami/mariadb-16.0.1.tgz b/assets/bitnami/mariadb-16.0.1.tgz
new file mode 100644
index 000000000..68219a9d8
Binary files /dev/null and b/assets/bitnami/mariadb-16.0.1.tgz differ
diff --git a/assets/bitnami/mysql-9.19.1.tgz b/assets/bitnami/mysql-9.19.1.tgz
new file mode 100644
index 000000000..4b4eb0eac
Binary files /dev/null and b/assets/bitnami/mysql-9.19.1.tgz differ
diff --git a/assets/bitnami/postgresql-14.0.4.tgz b/assets/bitnami/postgresql-14.0.4.tgz
new file mode 100644
index 000000000..f3d145c3c
Binary files /dev/null and b/assets/bitnami/postgresql-14.0.4.tgz differ
diff --git a/assets/bitnami/redis-18.12.1.tgz b/assets/bitnami/redis-18.12.1.tgz
new file mode 100644
index 000000000..1a17c5682
Binary files /dev/null and b/assets/bitnami/redis-18.12.1.tgz differ
diff --git a/assets/bitnami/spark-8.5.2.tgz b/assets/bitnami/spark-8.5.2.tgz
new file mode 100644
index 000000000..f10694a68
Binary files /dev/null and b/assets/bitnami/spark-8.5.2.tgz differ
diff --git a/assets/bitnami/tomcat-10.13.5.tgz b/assets/bitnami/tomcat-10.13.5.tgz
new file mode 100644
index 000000000..2f22bcec9
Binary files /dev/null and b/assets/bitnami/tomcat-10.13.5.tgz differ
diff --git a/assets/bitnami/wordpress-19.2.6.tgz b/assets/bitnami/wordpress-19.2.6.tgz
new file mode 100644
index 000000000..2a8ed9ff8
Binary files /dev/null and b/assets/bitnami/wordpress-19.2.6.tgz differ
diff --git a/assets/bitnami/zookeeper-12.8.1.tgz b/assets/bitnami/zookeeper-12.8.1.tgz
new file mode 100644
index 000000000..257bb21d2
Binary files /dev/null and b/assets/bitnami/zookeeper-12.8.1.tgz differ
diff --git a/assets/cert-manager/cert-manager-v1.14.2.tgz b/assets/cert-manager/cert-manager-v1.14.2.tgz
new file mode 100644
index 000000000..34035fad2
Binary files /dev/null and b/assets/cert-manager/cert-manager-v1.14.2.tgz differ
diff --git a/assets/clastix/kamaji-0.14.1.tgz b/assets/clastix/kamaji-0.14.1.tgz
new file mode 100644
index 000000000..b4c9cdd96
Binary files /dev/null and b/assets/clastix/kamaji-0.14.1.tgz differ
diff --git a/assets/cockroach-labs/cockroachdb-12.0.0.tgz b/assets/cockroach-labs/cockroachdb-12.0.0.tgz
new file mode 100644
index 000000000..9273d9b04
Binary files /dev/null and b/assets/cockroach-labs/cockroachdb-12.0.0.tgz differ
diff --git a/assets/crate/crate-operator-2.34.1.tgz b/assets/crate/crate-operator-2.34.1.tgz
new file mode 100644
index 000000000..51ae1de1d
Binary files /dev/null and b/assets/crate/crate-operator-2.34.1.tgz differ
diff --git a/assets/crowdstrike/falcon-sensor-1.25.2.tgz b/assets/crowdstrike/falcon-sensor-1.25.2.tgz
new file mode 100644
index 000000000..fa903923c
Binary files /dev/null and b/assets/crowdstrike/falcon-sensor-1.25.2.tgz differ
diff --git a/assets/datadog/datadog-3.53.3.tgz b/assets/datadog/datadog-3.53.3.tgz
new file mode 100644
index 000000000..66916e53a
Binary files /dev/null and b/assets/datadog/datadog-3.53.3.tgz differ
diff --git a/assets/dell/csi-isilon-2.9.1.tgz b/assets/dell/csi-isilon-2.9.1.tgz
new file mode 100644
index 000000000..d59b4892a
Binary files /dev/null and b/assets/dell/csi-isilon-2.9.1.tgz differ
diff --git a/assets/dell/csi-powermax-2.9.1.tgz b/assets/dell/csi-powermax-2.9.1.tgz
new file mode 100644
index 000000000..96b734301
Binary files /dev/null and b/assets/dell/csi-powermax-2.9.1.tgz differ
diff --git a/assets/dell/csi-powerstore-2.9.1.tgz b/assets/dell/csi-powerstore-2.9.1.tgz
new file mode 100644
index 000000000..fc0679e14
Binary files /dev/null and b/assets/dell/csi-powerstore-2.9.1.tgz differ
diff --git a/assets/dell/csi-unity-2.9.1.tgz b/assets/dell/csi-unity-2.9.1.tgz
new file mode 100644
index 000000000..423a9f5f6
Binary files /dev/null and b/assets/dell/csi-unity-2.9.1.tgz differ
diff --git a/assets/dell/csi-vxflexos-2.9.1.tgz b/assets/dell/csi-vxflexos-2.9.1.tgz
new file mode 100644
index 000000000..b0fc27503
Binary files /dev/null and b/assets/dell/csi-vxflexos-2.9.1.tgz differ
diff --git a/assets/dh2i/dxemssql-1.0.5.tgz b/assets/dh2i/dxemssql-1.0.5.tgz
new file mode 100644
index 000000000..0ff34dcec
Binary files /dev/null and b/assets/dh2i/dxemssql-1.0.5.tgz differ
diff --git a/assets/digitalis/vals-operator-0.7.9.tgz b/assets/digitalis/vals-operator-0.7.9.tgz
new file mode 100644
index 000000000..990f39751
Binary files /dev/null and b/assets/digitalis/vals-operator-0.7.9.tgz differ
diff --git a/assets/external-secrets/external-secrets-0.9.12.tgz b/assets/external-secrets/external-secrets-0.9.12.tgz
new file mode 100644
index 000000000..ae35d7c9b
Binary files /dev/null and b/assets/external-secrets/external-secrets-0.9.12.tgz differ
diff --git a/assets/hashicorp/consul-1.3.2.tgz b/assets/hashicorp/consul-1.3.2.tgz
new file mode 100644
index 000000000..a640a1c84
Binary files /dev/null and b/assets/hashicorp/consul-1.3.2.tgz differ
diff --git a/assets/jenkins/jenkins-5.0.13.tgz b/assets/jenkins/jenkins-5.0.13.tgz
new file mode 100644
index 000000000..ce33b26d4
Binary files /dev/null and b/assets/jenkins/jenkins-5.0.13.tgz differ
diff --git a/assets/jfrog/artifactory-ha-107.77.5.tgz b/assets/jfrog/artifactory-ha-107.77.5.tgz
new file mode 100644
index 000000000..cf406bb9a
Binary files /dev/null and b/assets/jfrog/artifactory-ha-107.77.5.tgz differ
diff --git a/assets/jfrog/artifactory-jcr-107.77.5.tgz b/assets/jfrog/artifactory-jcr-107.77.5.tgz
new file mode 100644
index 000000000..eaf2ac2e9
Binary files /dev/null and b/assets/jfrog/artifactory-jcr-107.77.5.tgz differ
diff --git a/assets/kasten/k10-6.5.301.tgz b/assets/kasten/k10-6.5.301.tgz
new file mode 100644
index 000000000..8ab7bab57
Binary files /dev/null and b/assets/kasten/k10-6.5.301.tgz differ
diff --git a/assets/kasten/k10-6.5.401.tgz b/assets/kasten/k10-6.5.401.tgz
new file mode 100644
index 000000000..3fa3b7142
Binary files /dev/null and b/assets/kasten/k10-6.5.401.tgz differ
diff --git a/assets/kong/kong-2.35.1.tgz b/assets/kong/kong-2.35.1.tgz
new file mode 100644
index 000000000..9d96cab99
Binary files /dev/null and b/assets/kong/kong-2.35.1.tgz differ
diff --git a/assets/kubecost/cost-analyzer-1.108.1.tgz b/assets/kubecost/cost-analyzer-1.108.1.tgz
index 9cb7cd486..08406224a 100644
Binary files a/assets/kubecost/cost-analyzer-1.108.1.tgz and b/assets/kubecost/cost-analyzer-1.108.1.tgz differ
diff --git a/assets/kubecost/cost-analyzer-2.0.2.tgz b/assets/kubecost/cost-analyzer-2.0.2.tgz
new file mode 100644
index 000000000..661892e11
Binary files /dev/null and b/assets/kubecost/cost-analyzer-2.0.2.tgz differ
diff --git a/assets/kuma/kuma-2.6.0.tgz b/assets/kuma/kuma-2.6.0.tgz
new file mode 100644
index 000000000..83eface5c
Binary files /dev/null and b/assets/kuma/kuma-2.6.0.tgz differ
diff --git a/assets/loft/loft-3.3.4.tgz b/assets/loft/loft-3.3.4.tgz
new file mode 100644
index 000000000..219219374
Binary files /dev/null and b/assets/loft/loft-3.3.4.tgz differ
diff --git a/assets/metallb/metallb-0.14.3.tgz b/assets/metallb/metallb-0.14.3.tgz
new file mode 100644
index 000000000..372f502a6
Binary files /dev/null and b/assets/metallb/metallb-0.14.3.tgz differ
diff --git a/assets/minio/minio-operator-5.0.12.tgz b/assets/minio/minio-operator-5.0.12.tgz
new file mode 100644
index 000000000..063bfc10f
Binary files /dev/null and b/assets/minio/minio-operator-5.0.12.tgz differ
diff --git a/assets/nats/nats-1.1.8.tgz b/assets/nats/nats-1.1.8.tgz
new file mode 100644
index 000000000..ec28f92a7
Binary files /dev/null and b/assets/nats/nats-1.1.8.tgz differ
diff --git a/assets/new-relic/nri-bundle-5.0.63.tgz b/assets/new-relic/nri-bundle-5.0.63.tgz
new file mode 100644
index 000000000..b67fb555c
Binary files /dev/null and b/assets/new-relic/nri-bundle-5.0.63.tgz differ
diff --git a/assets/percona/psmdb-db-1.15.3.tgz b/assets/percona/psmdb-db-1.15.3.tgz
new file mode 100644
index 000000000..e6970ea2f
Binary files /dev/null and b/assets/percona/psmdb-db-1.15.3.tgz differ
diff --git a/assets/percona/psmdb-operator-1.15.2.tgz b/assets/percona/psmdb-operator-1.15.2.tgz
new file mode 100644
index 000000000..95dec9eab
Binary files /dev/null and b/assets/percona/psmdb-operator-1.15.2.tgz differ
diff --git a/assets/percona/pxc-db-1.13.6.tgz b/assets/percona/pxc-db-1.13.6.tgz
new file mode 100644
index 000000000..df875ab51
Binary files /dev/null and b/assets/percona/pxc-db-1.13.6.tgz differ
diff --git a/assets/percona/pxc-operator-1.13.5.tgz b/assets/percona/pxc-operator-1.13.5.tgz
new file mode 100644
index 000000000..89bdc6201
Binary files /dev/null and b/assets/percona/pxc-operator-1.13.5.tgz differ
diff --git a/assets/redpanda/redpanda-5.7.23.tgz b/assets/redpanda/redpanda-5.7.23.tgz
new file mode 100644
index 000000000..832a21644
Binary files /dev/null and b/assets/redpanda/redpanda-5.7.23.tgz differ
diff --git a/assets/speedscale/speedscale-operator-2.0.11.tgz b/assets/speedscale/speedscale-operator-2.0.11.tgz
new file mode 100644
index 000000000..8e648798c
Binary files /dev/null and b/assets/speedscale/speedscale-operator-2.0.11.tgz differ
diff --git a/assets/stackstate/stackstate-k8s-agent-1.0.68.tgz b/assets/stackstate/stackstate-k8s-agent-1.0.68.tgz
new file mode 100644
index 000000000..f0a16d757
Binary files /dev/null and b/assets/stackstate/stackstate-k8s-agent-1.0.68.tgz differ
diff --git a/assets/yugabyte/yugabyte-2.16.9.tgz b/assets/yugabyte/yugabyte-2.16.9.tgz
new file mode 100644
index 000000000..de7ada546
Binary files /dev/null and b/assets/yugabyte/yugabyte-2.16.9.tgz differ
diff --git a/assets/yugabyte/yugabyte-2.18.6.tgz b/assets/yugabyte/yugabyte-2.18.6.tgz
new file mode 100644
index 000000000..0f1a2d11b
Binary files /dev/null and b/assets/yugabyte/yugabyte-2.18.6.tgz differ
diff --git a/assets/yugabyte/yugaware-2.16.9.tgz b/assets/yugabyte/yugaware-2.16.9.tgz
new file mode 100644
index 000000000..a4363237a
Binary files /dev/null and b/assets/yugabyte/yugaware-2.16.9.tgz differ
diff --git a/assets/yugabyte/yugaware-2.18.6.tgz b/assets/yugabyte/yugaware-2.18.6.tgz
new file mode 100644
index 000000000..56f78ded9
Binary files /dev/null and b/assets/yugabyte/yugaware-2.18.6.tgz differ
diff --git a/charts/amd/amd-gpu/Chart.lock b/charts/amd/amd-gpu/Chart.lock
index df1448888..533c43af3 100644
--- a/charts/amd/amd-gpu/Chart.lock
+++ b/charts/amd/amd-gpu/Chart.lock
@@ -1,6 +1,6 @@ dependencies: - name: node-feature-discovery repository: https://kubernetes-sigs.github.io/node-feature-discovery/charts - version: 0.15.0 -digest: sha256:35fafe91e8fe2c76d852ca87cfece3ce6475d9b0719284757e2f093f4be1cac4 -generated: "2024-01-15T04:05:45.773461678Z" + version: 0.15.1 +digest: sha256:946597a8562956f1e563f07ced1d906d550a641d30cb0e6e5532449f6eb640d6 +generated: "2024-01-26T03:50:06.036231897Z" diff --git a/charts/amd/amd-gpu/Chart.yaml b/charts/amd/amd-gpu/Chart.yaml index 2116fb80d..6d9b03e83 100644 --- a/charts/amd/amd-gpu/Chart.yaml +++ b/charts/amd/amd-gpu/Chart.yaml @@ -4,15 +4,15 @@ annotations: catalog.cattle.io/kube-version: '>= 1.18.0-0' catalog.cattle.io/release-name: amd-gpu apiVersion: v2 -appVersion: 1.25.2.6 +appVersion: 1.25.2.7 dependencies: - condition: nfd.enabled name: node-feature-discovery repository: file://./charts/node-feature-discovery version: '>= 0.8.1-0' description: A Helm chart for deploying Kubernetes AMD GPU device plugin -home: https://github.com/RadeonOpenCompute/k8s-device-plugin -icon: https://raw.githubusercontent.com/RadeonOpenCompute/k8s-device-plugin/master/helm/logo.png +home: https://github.com/ROCm/k8s-device-plugin +icon: https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/helm/logo.png keywords: - kubernetes - cluster @@ -23,6 +23,6 @@ maintainers: - name: Kenny Ho name: amd-gpu sources: -- https://github.com/RadeonOpenCompute/k8s-device-plugin +- https://github.com/ROCm/k8s-device-plugin type: application -version: 0.11.0 +version: 0.12.0 diff --git a/charts/amd/amd-gpu/README.md b/charts/amd/amd-gpu/README.md index ef3dbbc73..c94f53dd6 100644 --- a/charts/amd/amd-gpu/README.md +++ b/charts/amd/amd-gpu/README.md 
@@ -1,6 +1,6 @@ # AMD GPU Helm Chart -![Version: 0.11.0](https://img.shields.io/badge/Version-0.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.2.6](https://img.shields.io/badge/AppVersion-1.25.2.6-informational?style=flat-square) +![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.25.2.7](https://img.shields.io/badge/AppVersion-1.25.2.7-informational?style=flat-square) A Helm chart for deploying Kubernetes AMD GPU device plugin @@ -34,7 +34,7 @@ Kubernetes: `>= 1.18.0` ## More information -https://github.com/RadeonOpenCompute/k8s-device-plugin +https://github.com/ROCm/k8s-device-plugin ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml b/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml index b85993272..7efeace98 100644 --- a/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml +++ b/charts/amd/amd-gpu/charts/node-feature-discovery/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: v0.15.0 +appVersion: v0.15.1 description: 'Detects hardware features available on each node in a Kubernetes cluster, and advertises those features using node labels. ' home: https://github.com/kubernetes-sigs/node-feature-discovery @@ -11,4 +11,4 @@ name: node-feature-discovery sources: - https://github.com/kubernetes-sigs/node-feature-discovery type: application -version: 0.15.0 +version: 0.15.1 diff --git a/charts/amd/amd-gpu/templates/labeller.yaml b/charts/amd/amd-gpu/templates/labeller.yaml index caaeec0b2..4f4fd22b2 100644 --- a/charts/amd/amd-gpu/templates/labeller.yaml 
+++ b/charts/amd/amd-gpu/templates/labeller.yaml @@ -1,5 +1,5 @@ {{- if .Values.labeller.enabled }} -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cr-{{ .Chart.Name }}-node-labeller @@ -8,7 +8,7 @@ rules: resources: ["nodes"] verbs: ["watch", "get", "list", "update"] --- -apiVersion: rbac.authorization.k8s.io/v1beta1 +apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: crb-{{ .Chart.Name }}-labeller diff --git a/charts/amd/amd-gpu/values.yaml b/charts/amd/amd-gpu/values.yaml index 2f9c9a581..361afafdc 100644 --- a/charts/amd/amd-gpu/values.yaml +++ b/charts/amd/amd-gpu/values.yaml @@ -10,13 +10,13 @@ dp: image: repository: docker.io/rocm/k8s-device-plugin # Overrides the image tag whose default is the chart appVersion. - tag: "1.25.2.6" + tag: "1.25.2.7" resources: {} lbl: image: repository: docker.io/rocm/k8s-device-plugin - tag: "labeller-1.25.2.6" + tag: "labeller-1.25.2.7" resources: {} imagePullSecrets: [] diff --git a/charts/argo/argo-cd/Chart.yaml b/charts/argo/argo-cd/Chart.yaml index a31d99935..1b38f39c8 100644 --- a/charts/argo/argo-cd/Chart.yaml +++ b/charts/argo/argo-cd/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/changes: | - kind: changed - description: Updated documented default value for application.instanceLabelKey. + description: Improved documentation for various ingress setups artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc @@ -11,7 +11,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 -appVersion: v2.9.5 +appVersion: v2.10.0 dependencies: - condition: redis-ha.enabled name: redis-ha @@ -33,4 +33,4 @@ name: argo-cd sources: - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd - https://github.com/argoproj/argo-cd -version: 5.53.8 +version: 6.0.5 
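Review bot: The move from `rbac.authorization.k8s.io/v1beta1` to `rbac.authorization.k8s.io/v1` in both hunks of labeller.yaml is correct and needs no change to the chart's `catalog.cattle.io/kube-version: '>= 1.18.0-0'`, since the v1 RBAC API has been stable since Kubernetes 1.8, but the ClusterRole being migrated still carries no explanation of its grant. The second hunk's context shows `verbs: ["watch", "get", "list", "update"]` on `resources: ["nodes"]`, and `update` on nodes lets the labeller's service account rewrite any field of any node cluster-wide, not just labels, so a reader auditing this chart should see that this breadth is deliberate. I would add, directly above the `resources` line, `# update on nodes is needed so the labeller can write node labels; this is cluster-wide, keep the bound ServiceAccount tightly scoped`. The `rules:` key itself precedes the second hunk and is outside it, as is the subjects block of the ClusterRoleBinding after the last context line.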
diff --git a/charts/argo/argo-cd/README.md b/charts/argo/argo-cd/README.md
index 88280075b..e8369d23b 100644
--- a/charts/argo/argo-cd/README.md
+++ b/charts/argo/argo-cd/README.md
@@ -64,7 +64,170 @@ applicationSet: replicas: 2 ``` -### Synchronizing Changes from Original Repository +## Ingress configuration + +Please refer to the [Operator Manual](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ingress-configurationh) for details as the samples +below corespond to their respective sections. + +### SSL-Passthrough + +The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place. + +```yaml +certificate: + enabled: true + domain: argocd.example.com + +server: + ingress: + enabled: true + hostname: argocd.example.com + ingressClassName: nginx + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + tls: true +``` + +### SSL Termination at Ingress Controller + +```yaml +configs: + params: + server.insecure: true + +server: + ingress: + enabled: true + hostname: argocd.example.com + ingressClassName: nginx + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + extraTls: + - hosts: + - argocd.example.com + # Based on the ingress controller used secret might be optional + secretName: wildcard-tls +``` + +> **Note:** +> If you don't plan on using a wildcard certificate it's also possible to use `tls: true` without `extraTls` section. + +### Multiple ingress resources for gRPC protocol support + +Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour). 
+ +```yaml +configs: + params: + server.insecure: true + +server: + ingress: + enabled: true + hostname: argocd.example.com + ingressClassName: contour-internal + extraTls: + - hosts: + - argocd.example.com + secretName: wildcard-tls + + ingressGrpc: + enabled: true + hostname: grpc.argocd.example.com + ingressClassName: contour-internal + extraTls: + - hosts: + - grpc.argocd.example.com + secretName: wildcard-tls +``` + +### Multiple ingress domains + +```yaml +server: + ingress: + enabled: true + hostname: argocd.example.com + ingressClassName: nginx + annotations: + cert-manager.io/cluster-issuer: "" + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + tls: true + extraHosts: + - name: argocd-alias.example.com + path: / +``` + +### AWS Application Load Balancer + +Refer to the Operator Manual for [AWS Application Load Balancer mode](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode). +The provided example assumes you are using TLS off-loading via AWS ACM service. + +> **Note:** +> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section. 
+ +```yaml +configs: + params: + server.insecure: true + +server: + ingress: + enabled: true + hostname: argocd.example.com + controller: aws + ingressClassName: alb + annotations: + alb.ingress.kubernetes.io/scheme: internal + alb.ingress.kubernetes.io/target-type: ip + alb.ingress.kubernetes.io/backend-protocol: HTTP + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]' + alb.ingress.kubernetes.io/ssl-redirect" '443' + aws: + serviceType: ClusterIP # <- Used with target-type: ip + backendProtocolVersion: GRPC +``` + +### GKE Application Load Balancer + +The implementation will populate `ingressClassName`, `networking.gke.io/managed-certificates` and `networking.gke.io/v1beta1.FrontendConfig` annotations +automatically if you provide configuration for GKE resources. + +```yaml +configs: + params: + server.insecure: true + +server: + service: + annotations: + cloud.google.com/neg: '{"ingress": true}' + cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}' + + ingress: + enabled: true + hostname: argocd.example.com + controller: gke + gke: + backendConfig: + healthCheck: + checkIntervalSec: 30 + timeoutSec: 5 + healthyThreshold: 1 + unhealthyThreshold: 2 + type: HTTP + requestPath: /healthz + port: 8080 + frontendConfig: + redirectToHttps: + enabled: true + managedCertificate: + enabled: true +``` + +## Synchronizing Changes from Original Repository In the original [Argo CD repository](https://github.com/argoproj/argo-cd/) an [`manifests/install.yaml`](https://github.com/argoproj/argo-cd/blob/master/manifests/install.yaml) is generated using `kustomize`. It's the basis for the installation as [described in the docs](https://argo-cd.readthedocs.io/en/stable/getting_started/#1-install-argo-cd). 
@@ -105,15 +268,38 @@ For full list of changes please check ArtifactHub [changelog]. Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version. +### 6.0.0 + +This version **removes support for**: + +* deprecated component options `logLevel` and `logFormat` +* deprecated component arguments `.args.` that were replaced with `configs.params` +* deprecated configuration `server.config` that was replaced with `configs.cm` +* deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac` + +Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations. +Please review your setup and adjust to new configuration options: + +* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname +* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path +* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname +* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `-tls` secret when `tls: true` +* additional hostnames and routing can be provided via `extraHosts` configuration section +* additional TLS secrets can be provided via `extraTls` configuration section + +Please refer to [ingress configuration](#ingress-configuration) for examples. + ### 5.53.0 Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir() ### 5.52.0 + Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server. If you used old mechanism, please move to new mechanism. 
For more details, please refer `.Values.server.extensions` in values.yaml. ### 5.35.0 + This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach. Please see more information about EoL: [Amazon EKS EoL][EKS EoL]. @@ -399,7 +585,7 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| -| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart | +| apiVersionOverrides | object | `{}` | | | crds.additionalLabels | object | `{}` | Addtional labels to be added to all CRDs | | crds.annotations | object | `{}` | Annotations to be added to all CRDs | | crds.install | bool | `true` | Install and upgrade CRDs | @@ -516,7 +702,6 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| | controller.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment | -| controller.args | object | `{}` | DEPRECATED - Application controller commandline flags | | controller.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the application controller's ClusterRole resource | | controller.clusterRoleRules.rules | list | `[]` | List of custom rules for the application controller's ClusterRole resource | | controller.containerPorts.metrics | int | `8082` | Metrics container port | 
@@ -575,6 +760,7 @@ NAME: my-release | controller.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out | | controller.replicas | int | `1` | The number of application controller pods to run. Additional replicas will cause sharding of managed clusters across number of replicas. | | controller.resources | object | `{}` | Resource limits and requests for the application controller pods | +| controller.revisionHistoryLimit | int | `5` | Maximum number of controller revisions that will be maintained in StatefulSet history | | controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | | controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | controller.serviceAccount.create | bool | `true` | Create a service account for the application controller | 
@@ -686,12 +872,6 @@ NAME: my-release | Key | Type | Default | Description | |-----|------|---------|-------------| -| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine | -| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] | -| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine | -| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] | -| server.GKEmanagedCertificate.domains | list | `["argocd.example.com"]` | Domains for the Google Managed Certificate | -| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. | | server.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment | | server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. | | server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server | 
@@ -744,28 +924,37 @@ NAME: my-release | server.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Argo CD server | | server.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | server.ingress.annotations | object | `{}` | Additional ingress annotations | +| server.ingress.aws.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service | +| server.ingress.aws.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service | +| server.ingress.controller | string | `"generic"` | Specific implementation for ingress controller. One of `generic`, `aws` or `gke` | | server.ingress.enabled | bool | `false` | Enable an ingress resource for the Argo CD server | -| server.ingress.extraPaths | list | `[]` | Additional ingress paths | -| server.ingress.hosts | list | `[]` | List of ingress hosts | -| server.ingress.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` | +| server.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record | +| server.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths | +| server.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | +| server.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional TLS configuration | +| server.ingress.gke.backendConfig | object | `{}` (See [values.yaml]) | Google [BackendConfig] resource, for use with the GKE Ingress Controller | +| server.ingress.gke.frontendConfig | object | `{}` (See [values.yaml]) | Google [FrontendConfig] resource, for use with the GKE Ingress Controller | +| server.ingress.gke.managedCertificate.create | bool | `true` | Create ManagedCertificate resource and annotations for Google Load balancer | +| server.ingress.gke.managedCertificate.extraDomains 
| list | `[]` | Additional domains for ManagedCertificate resource | +| server.ingress.hostname | string | `"argocd.example.com"` | Argo CD server hostname | | server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | | server.ingress.labels | object | `{}` | Additional ingress labels | +| server.ingress.path | string | `"/"` | The path to Argo CD server | | server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | -| server.ingress.paths | list | `["/"]` | List of ingress paths | -| server.ingress.tls | list | `[]` | Ingress TLS configuration | +| server.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingress.hostname` | | server.ingressGrpc.annotations | object | `{}` | Additional ingress annotations for dedicated [gRPC-ingress] | -| server.ingressGrpc.awsALB.backendProtocolVersion | string | `"HTTP2"` | Backend protocol version for the AWS ALB gRPC service | -| server.ingressGrpc.awsALB.serviceType | string | `"NodePort"` | Service type for the AWS ALB gRPC service | | server.ingressGrpc.enabled | bool | `false` | Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] | -| server.ingressGrpc.extraPaths | list | `[]` | Additional ingress paths for dedicated [gRPC-ingress] | -| server.ingressGrpc.hosts | list | `[]` | List of ingress hosts for dedicated [gRPC-ingress] | -| server.ingressGrpc.https | bool | `false` | Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` | +| server.ingressGrpc.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record | +| server.ingressGrpc.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths for dedicated [gRPC-ingress] | +| server.ingressGrpc.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | +| server.ingressGrpc.extraTls | 
list | `[]` (See [values.yaml]) | Additional TLS configuration for dedicated [gRPC-ingress] | +| server.ingressGrpc.hostname | string | `""` | Argo CD server hostname for dedicated [gRPC-ingress] | | server.ingressGrpc.ingressClassName | string | `""` | Defines which ingress controller will implement the resource [gRPC-ingress] | | server.ingressGrpc.isAWSALB | bool | `false` | Setup up gRPC ingress to work with an AWS ALB | | server.ingressGrpc.labels | object | `{}` | Additional ingress labels for dedicated [gRPC-ingress] | +| server.ingressGrpc.path | string | `"/"` | Argo CD server ingress path for dedicated [gRPC-ingress] | | server.ingressGrpc.pathType | string | `"Prefix"` | Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` | -| server.ingressGrpc.paths | list | `["/"]` | List of ingress paths for dedicated [gRPC-ingress] | -| server.ingressGrpc.tls | list | `[]` | Ingress TLS configuration for dedicated [gRPC-ingress] | +| server.ingressGrpc.tls | bool | `false` | Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` | | server.initContainers | list | `[]` | Init containers to add to the server pod | | server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for your argo-cd-server container | | server.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | 
@@ -837,28 +1026,6 @@ NAME: my-release | server.volumeMounts | list | `[]` | Additional volumeMounts to the server main container | | server.volumes | list | `[]` | Additional volumes to the server pod | -### Using AWS ALB Ingress Controller With GRPC - -If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service. - -Example: - -```yaml -server: - ingress: - enabled: true - annotations: - alb.ingress.kubernetes.io/backend-protocol: HTTPS - alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]' - alb.ingress.kubernetes.io/scheme: internal - alb.ingress.kubernetes.io/target-type: ip - ingressGrpc: - enabled: true - isAWSALB: true - awsALB: - serviceType: ClusterIP -``` - ## Dex | Key | Type | Default | Description | @@ -885,7 +1052,7 @@ server: | dex.extraContainers | list | `[]` | Additional containers to be added to the dex pod | | dex.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Dex imagePullPolicy | | dex.image.repository | string | `"ghcr.io/dexidp/dex"` | Dex image repository | -| dex.image.tag | string | `"v2.37.0"` | Dex image tag | +| dex.image.tag | string | `"v2.38.0"` | Dex image tag | | dex.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | dex.initContainers | list | `[]` | Init containers to add to the dex pod | | dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy | 
@@ -967,15 +1134,33 @@ server: | redis.exporter.env | list | `[]` | Environment variables to pass to the Redis exporter | | redis.exporter.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the redis-exporter | | redis.exporter.image.repository | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter | -| redis.exporter.image.tag | string | `"1.53.0"` | Tag to use for the redis-exporter | +| redis.exporter.image.tag | string | `"1.57.0"` | Tag to use for the redis-exporter | +| redis.exporter.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis exporter | +| redis.exporter.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| redis.exporter.livenessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated | +| redis.exporter.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] | +| redis.exporter.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| redis.exporter.livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out | +| redis.exporter.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis exporter (optional) | +| redis.exporter.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| redis.exporter.readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated | +| redis.exporter.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] | +| redis.exporter.readinessProbe.successThreshold | int | `1` | Minimum consecutive 
successes for the [probe] to be considered successful after having failed | +| redis.exporter.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out | | redis.exporter.resources | object | `{}` | Resource limits and requests for redis-exporter sidecar | | redis.extraArgs | list | `[]` | Additional command line arguments to pass to redis-server | | redis.extraContainers | list | `[]` | Additional containers to be added to the redis pod | | redis.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Redis image pull policy | | redis.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | -| redis.image.tag | string | `"7.0.13-alpine"` | Redis tag | +| redis.image.tag | string | `"7.0.15-alpine"` | Redis tag | | redis.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry | | redis.initContainers | list | `[]` | Init containers to add to the redis pod | +| redis.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis server | +| redis.livenessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| redis.livenessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated | +| redis.livenessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] | +| redis.livenessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| redis.livenessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out | | redis.metrics.enabled | bool | `false` | Deploy metrics service | | redis.metrics.service.annotations | object | `{}` | Metrics service annotations | | redis.metrics.service.clusterIP | string | `"None"` | 
Metrics service clusterIP. `None` makes a "headless service" (no virtual IP) | @@ -1003,6 +1188,12 @@ server: | redis.podAnnotations | object | `{}` | Annotations to be added to the Redis server pods | | redis.podLabels | object | `{}` | Labels to be added to the Redis server pods | | redis.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for redis pods | +| redis.readinessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Redis server | +| redis.readinessProbe.failureThreshold | int | `5` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | +| redis.readinessProbe.initialDelaySeconds | int | `30` | Number of seconds after the container has started before [probe] is initiated | +| redis.readinessProbe.periodSeconds | int | `15` | How often (in seconds) to perform the [probe] | +| redis.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed | +| redis.readinessProbe.timeoutSeconds | int | `15` | Number of seconds after which the [probe] times out | | redis.resources | object | `{}` | Resource limits and requests for redis | | redis.securityContext | object | See [values.yaml] | Redis pod-level security context | | redis.service.annotations | object | `{}` | Redis service annotations | 
@@ -1032,7 +1223,7 @@ The main options are listed here: | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment | | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar | | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter | -| redis-ha.exporter.tag | string | `"1.53.0"` | Tag to use for the redis-exporter | +| redis-ha.exporter.tag | string | `"1.57.0"` | Tag to use for the redis-exporter | | redis-ha.haproxy.additionalAffinities | object | `{}` | Additional affinities to add to the haproxy pods. | | redis-ha.haproxy.affinity | string | `""` | Assign custom [affinity] rules to the haproxy pods. | | redis-ha.haproxy.containerSecurityContext | object | See [values.yaml] | HAProxy container-level security context | @@ -1042,7 +1233,7 @@ The main options are listed here: | redis-ha.haproxy.tolerations | list | `[]` | [Tolerations] for use with node taints for haproxy pods. | | redis-ha.hardAntiAffinity | bool | `true` | Whether the Redis server pods should be forced to run on separate nodes. | | redis-ha.image.repository | string | `"public.ecr.aws/docker/library/redis"` | Redis repository | -| redis-ha.image.tag | string | `"7.0.13-alpine"` | Redis tag | +| redis-ha.image.tag | string | `"7.0.15-alpine"` | Redis tag | | redis-ha.persistentVolume.enabled | bool | `false` | Configures persistence on Redis nodes | | redis-ha.redis.config | object | See [values.yaml] | Any valid redis config options in this section will be applied to each server (see `redis-ha` chart) | | redis-ha.redis.config.save | string | `'""'` | Will save the DB if both the given number of seconds and the given number of write operations against the DB occurred. `""` is disabled | 
@@ -1077,7 +1268,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | Key | Type | Default | Description | |-----|------|---------|-------------| | applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules | -| applicationSet.args | object | `{}` | DEPRECATED - ApplicationSet controller command line flags | | applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) | | applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate | | applicationSet.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) | @@ -1101,7 +1291,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.dnsConfig | object | `{}` | [DNS configuration] | | applicationSet.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for ApplicationSet controller pods | | applicationSet.enabled | bool | `true` | Enable ApplicationSet controller | -| applicationSet.extraArgs | list | `[]` | List of extra cli args to add | +| applicationSet.extraArgs | list | `[]` | ApplicationSet controller command line flags | | applicationSet.extraContainers | list | `[]` | Additional containers to be added to the ApplicationSet controller pod | | applicationSet.extraEnv | list | `[]` | Environment variables to pass to the ApplicationSet controller | | applicationSet.extraEnvFrom | list | `[]` (See [values.yaml]) | envFrom to pass to the ApplicationSet controller | 
@@ -1111,6 +1301,18 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the ApplicationSet controller | | applicationSet.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the ApplicationSet controller | | applicationSet.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | If defined, uses a Secret to pull an image from a private Docker registry or repository. | +| applicationSet.ingress.annotations | object | `{}` | Additional ingress annotations | +| applicationSet.ingress.enabled | bool | `false` | Enable an ingress resource for ApplicationSet webhook | +| applicationSet.ingress.extraHosts | list | `[]` (See [values.yaml]) | The list of additional hostnames to be covered by ingress record | +| applicationSet.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths | +| applicationSet.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules | +| applicationSet.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration | +| applicationSet.ingress.hostname | string | `"argocd.example.com"` | Argo CD ApplicationSet hostname | +| applicationSet.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource | +| applicationSet.ingress.labels | object | `{}` | Additional ingress labels | +| applicationSet.ingress.path | string | `"/api/webhook"` | List of ingress paths | +| applicationSet.ingress.pathType | string | `"Prefix"` | Ingress path type. 
One of `Exact`, `Prefix` or `ImplementationSpecific` | +| applicationSet.ingress.tls | bool | `false` | Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` | | applicationSet.initContainers | list | `[]` | Init containers to add to the ApplicationSet controller pod | | applicationSet.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for ApplicationSet controller | | applicationSet.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded | 
@@ -1166,15 +1368,6 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide | applicationSet.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | | applicationSet.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints | | applicationSet.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the ApplicationSet controller | -| applicationSet.webhook.ingress.annotations | object | `{}` | Additional ingress annotations | -| applicationSet.webhook.ingress.enabled | bool | `false` | Enable an ingress resource for Webhooks | -| applicationSet.webhook.ingress.extraPaths | list | `[]` | Additional ingress paths | -| applicationSet.webhook.ingress.hosts | list | `[]` | List of ingress hosts | -| applicationSet.webhook.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource | -| applicationSet.webhook.ingress.labels | object | `{}` | Additional ingress labels | -| applicationSet.webhook.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | -| applicationSet.webhook.ingress.paths | list | `["/api/webhook"]` | List of ingress paths | -| applicationSet.webhook.ingress.tls | list | `[]` | Ingress TLS configuration | ## Notifications diff --git a/charts/argo/argo-cd/templates/NOTES.txt b/charts/argo/argo-cd/templates/NOTES.txt index 1b6267969..f2dbdfab3 100644 --- a/charts/argo/argo-cd/templates/NOTES.txt +++ b/charts/argo/argo-cd/templates/NOTES.txt 
@@ -1,133 +1,3 @@ -{{- if .Values.controller.args.statusProcessors }} -DEPRECATED option controller.args.statusProcessors - Use configs.params.controller.status.processors -{{- end }} -{{- if .Values.controller.args.operationProcessors }} -DEPRECATED option controller.args.operationProcessors - Use configs.params.controller.operation.processors -{{- end }} -{{- if .Values.controller.args.appResyncPeriod }} -DEPRECATED option controller.args.appResyncPeriod - Use server.config.timeout.reconciliation -{{- end }} -{{- if .Values.controller.args.appHardResyncPeriod }} -DEPRECATED option controller.args.appHardResyncPeriod - Use server.config.timeout.hard.reconciliation -{{- end }} -{{- if .Values.controller.args.selfHealTimeout }} -DEPRECATED option controller.args.selfHealTimeout - Use configs.params.controller.self.heal.timeout.seconds -{{- end }} -{{- if .Values.controller.args.repoServerTimeoutSeconds }} -DEPRECATED option controller.args.repoServerTimeoutSeconds - Use configs.params.controller.repo.server.timeout.seconds -{{- end }} -{{- if .Values.controller.logFormat }} -DEPRECATED option controller.logFormat - Use configs.params.controller.log.format -{{- end }} -{{- if .Values.controller.logLevel }} -DEPRECATED option controller.logLevel - Use configs.params.controller.log.level -{{- end }} -{{- if .Values.server.logFormat }} -DEPRECATED option server.logFormat - Use configs.params.server.log.format -{{- end }} -{{- if .Values.server.logLevel }} -DEPRECATED option server.logLevel - Use configs.params.server.log.level -{{- end }} -{{- if has "--insecure" .Values.server.extraArgs }} -DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure -{{- end }} -{{- if .Values.repoServer.logFormat }} -DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format -{{- end }} -{{- if .Values.repoServer.logLevel }} -DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level -{{- end }} -{{- if or 
.Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }} -DEPRECATED option server.config - Use configs.cm -{{- end }} -{{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }} -DEPRECATED option server.rbacConfig - Use configs.rbac -{{- end }} -{{- if .Values.configs.secret.argocdServerTlsConfig }} -DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret -{{- end }} -{{- if .Values.configs.gpgKeys }} -DEPRECATED option configs.gpgKeys - Use config.gpg.keys -{{- end }} -{{- if .Values.configs.gpgKeysAnnotations }} -DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations -{{- end }} -{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }} -DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles -{{- end }} -{{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }} -DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles -{{- end }} -{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }} -DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles -{{- end }} -{{- if .Values.configs.knownHostsAnnotations }} -DEPRECATED option configs.knownHostsAnnotations - Use configs.ssh.annotations -{{- end }} -{{- if hasKey .Values.configs "knownHosts" }} -DEPRECATED option configs.knownHosts.data.ssh_known_hosts - Use configs.ssh.knownHosts -{{- end }} -{{- if .Values.configs.tlsCertsAnnotations }} -DEPRECATED option configs.tlsCertsAnnotations - Use configs.tls.annotations -{{- end }} -{{- if hasKey .Values.configs "tlsCerts" }} -DEPRECATED option configs.tlsCerts.data - Use configs.tls.certificates -{{- end }} -{{- if .Values.applicationSet.replicaCount }} -DEPRECATED option applicationSet.replicaCount - Use applicationSet.replicas -{{- end }} -{{- if 
.Values.applicationSet.logFormat }} -DEPRECATED option applicationSet.logFormat - Use configs.params.applicationsetcontroller.log.format -{{- end }} -{{- if .Values.applicationSet.logLevel }} -DEPRECATED option applicationSet.logLevel - Use configs.params.applicationsetcontroller.log.level -{{- end }} -{{- if .Values.applicationSet.args.policy }} -DEPRECATED option applicationSet.args.policy - Use configs.params.applicationsetcontroller.policy -{{- end }} -{{- if .Values.applicationSet.args.dryRun }} -DEPRECATED option applicationSet.args.dryRun - Use configs.params.applicationsetcontroller.dryRun -{{- end }} -{{- if .Values.controller.service }} -REMOVED option controller.service - Use controller.metrics -{{- end }} -{{- if .Values.repoServer.copyutil }} -REMOVED option repoSever.copyutil.resources - Use repoServer.resources -{{- end }} -{{- if .Values.applicationSet.args.debug }} -REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug -{{- end }} -{{- if .Values.applicationSet.args.enableLeaderElection }} -REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas -{{- end }} -{{- if .Values.controller.containerPort }} -REMOVED option controller.containerPort - Use controller.containerPorts -{{- end }} -{{- if .Values.server.containerPort }} -REMOVED option server.containerPort - Use server.containerPorts -{{- end }} -{{- if .Values.repoServer.containerPort }} -REMOVED option repoServer.containerPort - Use repoServer.containerPorts -{{- end }} -{{- if .Values.applicationSet.args.metricsAddr }} -REMOVED option applicationSet.args.metricsAddr - Use applicationSet.containerPorts -{{- end }} -{{- if .Values.applicationSet.args.probeBindAddr }} -REMOVED option applicationSet.args.probeBindAddr - Use applicationSet.containerPorts -{{- end }} -{{- if .Values.redis.containerPort }} -REMOVED option redis.containerPort - Use redis.containerPorts -{{- end }} -{{- if .Values.redis.metrics.containerPort }} -REMOVED 
option redis.metrics.containerPort - Use redis.containerPorts -{{- end }} -{{- if .Values.apiVersionOverrides.autoscaling }} -REMOVED option apiVersionOverrides.autoscaling - API autoscaling/v2 is GA from 1.23 -{{- end }} -{{- if .Values.apiVersionOverrides.certmanager }} -REMOVED option apiVersionOverrides.certmanager - API v1 is only possible option after K8s 1.22 -{{- end }} - In order to access the server UI you have the following options: 1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443 @@ -139,7 +9,7 @@ In order to access the server UI you have the following options: - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts -{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}} +{{ if eq (toString (index .Values.configs.cm "admin.enabled")) "true" -}} After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running: kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d diff --git a/charts/argo/argo-cd/templates/_helpers.tpl b/charts/argo/argo-cd/templates/_helpers.tpl index 97ba5c259..4898172f2 100644 --- a/charts/argo/argo-cd/templates/_helpers.tpl +++ b/charts/argo/argo-cd/templates/_helpers.tpl 
@@ -173,7 +173,7 @@ Argo Configuration Preset Values (Incluenced by Values configuration) Merge Argo Configuration with Preset Configuration */}} {{- define "argo-cd.config.cm" -}} -{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict)) -}} +{{- $config := omit .Values.configs.cm "create" "annotations" -}} {{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}} {{- range $key, $value := mergeOverwrite $preset $config }} {{- $fmted := $value | toString }} diff --git a/charts/argo/argo-cd/templates/_versions.tpl b/charts/argo/argo-cd/templates/_versions.tpl index 5d65fcd6d..966dad979 100644 --- a/charts/argo/argo-cd/templates/_versions.tpl +++ b/charts/argo/argo-cd/templates/_versions.tpl @@ -5,16 +5,3 @@ Return the target Kubernetes version {{- define "argo-cd.kubeVersion" -}} {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }} {{- end }} - -{{/* -Return the appropriate apiVersion for GKE resources -*/}} -{{- define "argo-cd.apiVersions.cloudgoogle" -}} -{{- if .Values.apiVersionOverrides.cloudgoogle -}} -{{- print .Values.apiVersionOverrides.cloudgoogle -}} -{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}} -{{- print "cloud.google.com/v1" -}} -{{- else -}} -{{- print "cloud.google.com/v1beta1" -}} -{{- end -}} -{{- end -}} diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrole.yaml index 5ebe00b3f..615b56f9a 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrole.yaml 
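Review bot: Dropping the `mergeOverwrite` of `.Values.server.config` from `argo-cd.config.cm` means a values file that still sets `server.config` is now silently ignored rather than merged or rejected, and the NOTES.txt hunk earlier in this commit removes the `DEPRECATED option server.config` warning at the same time, so nothing tells an upgrading operator that settings they placed there (for example `admin.enabled`) no longer reach `argocd-cm`. Since the chart treats the key as removed, failing the render is safer than ignoring it: `{{- if .Values.server.config }}{{ fail "server.config was removed in this chart version; move its contents to configs.cm" }}{{- end }}` just before the `$config :=` line. The same silent-ignore pattern appears in the applicationset deployment hunk later in this commit, where the `| default .Values.applicationSet.replicaCount` fallback on `replicas:` is dropped without a corresponding guard. The remainder of this define (the `range` over the merged map) continues outside the hunk.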
@@ -1,5 +1,4 @@ -{{- $config := .Values.controller.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml index 9ebe80ad1..7b6df7820 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml @@ -1,5 +1,4 @@ -{{- $config := .Values.controller.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml index 6d1d3e2f2..c08a4a344 100644 --- a/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml +++ b/charts/argo/argo-cd/templates/argocd-application-controller/statefulset.yaml @@ -13,8 +13,7 @@ metadata: {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} spec: replicas: {{ .Values.controller.replicas }} - # TODO: Remove for breaking release as history limit cannot be patched - revisionHistoryLimit: 5 + revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }} serviceName: {{ include "argo-cd.controller.fullname" . }} selector: matchLabels: 
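Review bot: Replacing the `hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles` condition with a bare `.Values.createClusterRoles` means a values file that still sets `controller.clusterAdminAccess.enabled` no longer influences whether the controller's ClusterRole is rendered, so an operator who used the per-component flag to keep the controller namespace-scoped (or the reverse) gets a different cluster-wide RBAC grant on upgrade with no render-time signal, because the matching `DEPRECATED option .controller.clusterAdminAccess.enabled` line is removed from NOTES.txt in this same commit. A guard makes the removal explicit: `{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}{{ fail "controller.clusterAdminAccess.enabled was removed; use createClusterRoles" }}{{- end }}` at the top of clusterrole.yaml. The clusterrolebinding.yaml hunk on this same line makes the identical change and needs the same guard (or one shared check in a helper template).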
@@ -66,38 +65,6 @@ spec: - {{ . }} {{- end }} {{- end }} - {{- with .Values.controller.args.statusProcessors }} - - --status-processors - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.args.operationProcessors }} - - --operation-processors - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.args.appResyncPeriod }} - - --app-resync - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.args.appHardResyncPeriod }} - - --app-hard-resync - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.args.selfHealTimeout }} - - --self-heal-timeout-seconds - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.args.repoServerTimeoutSeconds }} - - --repo-server-timeout-seconds - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.logFormat }} - - --logformat - - {{ . | quote }} - {{- end }} - {{- with .Values.controller.logLevel }} - - --loglevel - - {{ . | quote }} - {{- end }} {{- with .Values.controller.extraArgs }} {{- toYaml . | nindent 8 }} {{- end }} @@ -122,6 +89,18 @@ spec: name: argocd-cm key: timeout.hard.reconciliation optional: true + - name: ARGOCD_RECONCILIATION_JITTER + valueFrom: + configMapKeyRef: + key: timeout.reconciliation.jitter + name: argocd-cm + optional: true + - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.repo.error.grace.period.seconds + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER valueFrom: configMapKeyRef: @@ -236,6 +215,18 @@ spec: name: argocd-cmd-params-cm key: otlp.address optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.insecure + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.headers + optional: true - name: ARGOCD_APPLICATION_NAMESPACES valueFrom: configMapKeyRef: 
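Review bot: A point of style in the `@@ -122,6 +89,18 @@` hunk: the new `ARGOCD_RECONCILIATION_JITTER` entry lists `key: timeout.reconciliation.jitter` before `name: argocd-cm`, while every other `configMapKeyRef` in these hunks (and the surrounding context) puts `name:` first; swapping the two lines keeps the block uniformly ordered. In the `@@ -236,6 +215,18 @@` hunk, `ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS` is read from the `argocd-cmd-params-cm` ConfigMap; OTLP headers are a common place for collector authentication values, and a ConfigMap is readable by anyone with `get configmaps` in the namespace rather than governed by Secret RBAC. If this mirrors the upstream manifest, a one-line comment above that entry such as `# otlp.headers may carry collector credentials; prefer supplying this variable from a Secret (e.g. controller.envFrom with a secretRef) rather than the ConfigMap` would help operators avoid placing a token in plain configuration.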
@@ -254,6 +245,24 @@ spec: name: argocd-cmd-params-cm key: controller.kubectl.parallelism.limit optional: true + - name: ARGOCD_K8SCLIENT_RETRY_MAX + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8sclient.retry.max + optional: true + - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8sclient.retry.base.backoff + optional: true + - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.diff.server.side + optional: true {{- with .Values.controller.envFrom }} envFrom: {{- toYaml . | nindent 10 }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml index 655e8f196..96fc38044 100644 --- a/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/deployment.yaml @@ -17,7 +17,7 @@ spec: strategy: {{- trim . | nindent 4 }} {{- end }} - replicas: {{ .Values.applicationSet.replicas | default .Values.applicationSet.replicaCount }} + replicas: {{ .Values.applicationSet.replicas }} revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} selector: matchLabels: @@ -65,20 +65,6 @@ spec: - --metrics-addr=:{{ .Values.applicationSet.containerPorts.metrics }} - --probe-addr=:{{ .Values.applicationSet.containerPorts.probe }} - --webhook-addr=:{{ .Values.applicationSet.containerPorts.webhook }} - {{- with .Values.applicationSet.args.policy }} - - --policy={{ . }} - {{- end }} - {{- with .Values.applicationSet.args.dryRun }} - - --dry-run={{ . }} - {{- end }} - {{- with .Values.applicationSet.logFormat }} - - --logformat - - {{ . }} - {{- end }} - {{- with .Values.applicationSet.logLevel }} - - --loglevel - - {{ . }} - {{- end }} {{- with .Values.applicationSet.extraArgs }} {{- toYaml . | nindent 12 }} {{- end }} 
@@ -210,6 +196,12 @@ spec: name: argocd-cmd-params-cm key: applicationsetcontroller.allowed.scm.providers optional: true + - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.enable.scm.providers + optional: true {{- with .Values.applicationSet.extraEnvFrom }} envFrom: {{- toYaml . | nindent 12 }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml new file mode 100644 index 000000000..ad2db8654 --- /dev/null +++ b/charts/argo/argo-cd/templates/argocd-applicationset/ingress.yaml 
@@ -0,0 +1,64 @@ +{{- if and .Values.applicationSet.enabled .Values.applicationSet.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "argo-cd.applicationSet.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} + {{- with .Values.applicationSet.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.applicationSet.ingress.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + {{- with .Values.applicationSet.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + rules: + {{- if .Values.applicationSet.ingress.hostname }} + - host: {{ .Values.applicationSet.ingress.hostname }} + http: + paths: + {{- with .Values.applicationSet.ingress.extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + - path: {{ .Values.applicationSet.ingress.path }} + pathType: {{ .Values.applicationSet.ingress.pathType }} + backend: + service: + name: {{ include "argo-cd.applicationSet.fullname" . }} + port: + number: {{ .Values.applicationSet.service.port }} + {{- end }} + {{- range .Values.applicationSet.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default $.Values.applicationSet.ingress.path .path }} + pathType: {{ default $.Values.applicationSet.ingress.pathType .pathType }} + backend: + service: + name: {{ include "argo-cd.applicationSet.fullname" $ }} + port: + number: {{ $.Values.applicationSet.service.port }} + {{- end }} + {{- with .Values.applicationSet.ingress.extraRules }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }} + tls: + {{- if .Values.applicationSet.ingress.tls }} + - hosts: + - {{ .Values.applicationSet.ingress.hostname }} + secretName: argocd-application-controller-tls + {{- end }} + {{- with .Values.applicationSet.ingress.extraTls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/networkpolicy.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/networkpolicy.yaml index 81020f54c..c6333f883 100644 --- a/charts/argo/argo-cd/templates/argocd-applicationset/networkpolicy.yaml +++ b/charts/argo/argo-cd/templates/argocd-applicationset/networkpolicy.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.applicationSet.enabled .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.webhook.ingress.enabled) }} +{{- if and .Values.applicationSet.enabled .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.ingress.enabled) }} apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -8,7 +8,7 @@ metadata: {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} spec: ingress: - {{- if .Values.applicationSet.webhook.ingress.enabled }} + {{- if .Values.applicationSet.ingress.enabled }} - ports: - port: webhook {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml b/charts/argo/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml deleted file mode 100644 index d98f94237..000000000 --- a/charts/argo/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml +++ /dev/null 
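Review bot: The TLS entry of the new applicationSet ingress points at `secretName: argocd-application-controller-tls`, which names the application-controller component while everything else in this file is derived from `argo-cd.applicationSet.fullname`; this looks like a copy-and-paste from another ingress template and would make the applicationSet hostname serve whatever certificate the controller secret holds, or fail to serve TLS at all if that secret does not exist. Unless the shared name is intended, deriving it the same way as the rest of the file, `secretName: {{ include "argo-cd.applicationSet.fullname" . }}-tls`, keeps the certificate scoped to this ingress. A second point: the deleted webhook-ingress.yaml rendered a host-less rule when no host was configured, whereas this template emits an empty `rules:` when `ingress.hostname`, `extraHosts` and `extraRules` are all unset, which the API server is likely to reject; a `required` on `.Values.applicationSet.ingress.hostname` inside the enabling condition, or a comment stating that hostname is mandatory, would surface that at template time.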
@@ -1,73 +0,0 @@ -{{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}} -{{- $servicePort := .Values.applicationSet.service.portName -}} -{{- $paths := .Values.applicationSet.webhook.ingress.paths -}} -{{- $extraPaths := .Values.applicationSet.webhook.ingress.extraPaths -}} -{{- $pathType := .Values.applicationSet.webhook.ingress.pathType -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ include "argo-cd.applicationSet.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: - {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }} - {{- with .Values.applicationSet.webhook.ingress.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.applicationSet.webhook.ingress.annotations }} - annotations: - {{- range $key, $value := . }} - {{ $key }}: {{ $value | quote }} - {{- end }} - {{- end }} -spec: - {{- with .Values.applicationSet.webhook.ingress.ingressClassName }} - ingressClassName: {{ . }} - {{- end }} - rules: - {{- if .Values.applicationSet.webhook.ingress.hosts }} - {{- range $host := .Values.applicationSet.webhook.ingress.hosts }} - - host: {{ $host }} - http: - paths: - {{- with $extraPaths }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- range $p := $paths }} - - path: {{ $p }} - pathType: {{ $pathType }} - backend: - service: - name: {{ include "argo-cd.applicationSet.fullname" $ }} - port: - {{- if kindIs "float64" $servicePort }} - number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- else }} - - http: - paths: - {{- with $extraPaths }} - {{- toYaml . 
| nindent 10 }} - {{- end }} - {{- range $p := $paths }} - - path: {{ $p }} - pathType: {{ $pathType }} - backend: - service: - name: {{ include "argo-cd.applicationSet.fullname" $ }} - port: - {{- if kindIs "float64" $servicePort }} - number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- with .Values.applicationSet.webhook.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end -}} -{{- end -}} diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-cm.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-cm.yaml index 829a67769..c0c8bc86f 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-cm.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-cm.yaml @@ -1,4 +1,4 @@ -{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }} +{{- if .Values.configs.cm.create }} apiVersion: v1 kind: ConfigMap metadata: @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }} - {{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }} + {{- with .Values.configs.cm.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml index 982867f92..f94113a26 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml 
@@ -5,13 +5,13 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }} - {{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}} + {{- with .Values.configs.gpg.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} -{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}} +{{- with .Values.configs.gpg.keys }} data: {{- toYaml . | nindent 2 }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml index c882cb394..f9b62f760 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml @@ -1,4 +1,4 @@ -{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }} +{{- if .Values.configs.rbac.create }} apiVersion: v1 kind: ConfigMap metadata: @@ -6,13 +6,13 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }} - {{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }} + {{- with .Values.configs.rbac.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} -{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }} +{{- with (omit .Values.configs.rbac "create" "annotations") }} data: {{- toYaml . | nindent 2 }} {{- end }} 
diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml index 4561440a7..9e25e376e 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-secret.yaml @@ -16,7 +16,7 @@ metadata: {{- end }} {{- end }} type: Opaque -{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }} +{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.extra) }} # Setting a blank data again will wipe admin password/key/cert data: {{- with .Values.configs.secret.githubSecret }} @@ -38,10 +38,6 @@ data: webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }} webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }} {{- end }} - {{- with .Values.configs.secret.argocdServerTlsConfig }} - tls.key: {{ .key | b64enc }} - tls.crt: {{ .crt | b64enc }} - {{- end }} {{- if .Values.configs.secret.argocdServerAdminPassword }} admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }} admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") .Values.configs.secret.argocdServerAdminPasswordMtime | b64enc }} 
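Review bot: The context comment `# Setting a blank data again will wipe admin password/key/cert` is now stale, because the second hunk removes the `tls.key`/`tls.crt` entries that `argocdServerTlsConfig` used to populate and this Secret no longer carries a key or certificate; it should read `# Setting a blank data again will wipe the admin password`. Since the removal is silent, a user who still sets `configs.secret.argocdServerTlsConfig` will get a Secret without TLS material and no rendering error; if the values schema does not already reject the key, a guard such as `{{- if .Values.configs.secret.argocdServerTlsConfig }}{{ fail "configs.secret.argocdServerTlsConfig is no longer supported" }}{{- end }}` near the top of the template would make the migration explicit. The enclosing template starts before this hunk.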
diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml index a7f3abdf8..845d219db 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml @@ -5,7 +5,7 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }} - {{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.knownHostsAnnotations | default dict)) }} + {{- with .Values.configs.ssh.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} @@ -13,11 +13,7 @@ metadata: {{- end }} data: ssh_known_hosts: | - {{- if hasKey .Values.configs "knownHosts" }} - {{- .Values.configs.knownHosts.data.ssh_known_hosts | nindent 4 }} - {{- else }} - {{- .Values.configs.ssh.knownHosts | nindent 4 }} - {{- end }} + {{- .Values.configs.ssh.knownHosts | nindent 4 }} {{- with .Values.configs.ssh.extraHosts }} {{- . | nindent 4 }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml b/charts/argo/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml index 6a5a95e54..fa6e74330 100644 --- a/charts/argo/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml +++ b/charts/argo/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml 
@@ -5,19 +5,13 @@ metadata: namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }} - {{- with (mergeOverwrite (deepCopy .Values.configs.tls.annotations) (.Values.configs.tlsCertsAnnotations | default dict)) }} + {{- with .Values.configs.tls.annotations }} annotations: {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} {{- end }} -{{- if hasKey .Values.configs "tlsCerts" }} - {{- with .Values.configs.tlsCerts }} - {{- toYaml . | nindent 0 }} - {{- end }} -{{- else }} {{- with .Values.configs.tls.certificates }} data: {{- toYaml . | nindent 2 }} {{- end }} -{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml index 927d30a05..793bb5d35 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-notifications/clusterrole.yaml @@ -10,13 +10,42 @@ rules: {{- toYaml . | nindent 2 }} {{- end }} - apiGroups: - - "argoproj.io" + - argoproj.io resources: - - "applications" + - applications + - appprojects verbs: - get - list - watch - update - patch + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - list + - watch + {{- if .Values.notifications.cm.create }} + - apiGroups: + - "" + resourceNames: + - argocd-notifications-cm + resources: + - configmaps + verbs: + - get + {{- end }} + {{- if .Values.notifications.secret.create }} + - apiGroups: + - "" + resourceNames: + - argocd-notifications-secret + resources: + - secrets + verbs: + - get + {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml index 2ed9f1e8e..f9b766f4a 100644 --- a/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml 
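Review bot: In the notifications clusterrole hunk, the new rule granting `list` and `watch` on `configmaps` and `secrets` applies cluster-wide because this is a ClusterRole, and a list call returns the full objects; in effect the notifications controller can read every Secret in every namespace, not only `argocd-notifications-secret`. The two `resourceNames`-scoped `get` rules added below it do not narrow that, since Kubernetes RBAC cannot restrict list/watch by resourceNames. If the broad rule is needed for the self-service notifications flag that the deployment hunk in the next file section wires up, that should be stated and ideally gated on the same value; at minimum a comment such as `# list/watch cannot be restricted by resourceNames: this grants read access to all Secrets and ConfigMaps cluster-wide` belongs above the rule so operators reviewing the rendered RBAC understand the scope.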
+++ b/charts/argo/argo-cd/templates/argocd-notifications/deployment.yaml @@ -91,6 +91,12 @@ spec: key: application.namespaces name: argocd-cmd-params-cm optional: true + - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED + valueFrom: + configMapKeyRef: + key: notificationscontroller.selfservice.enabled + name: argocd-cmd-params-cm + optional: true {{- with .Values.notifications.extraEnvFrom }} envFrom: {{- toYaml . | nindent 12 }} diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrole.yaml index 21dff1a92..e6efa08a7 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrole.yaml @@ -1,5 +1,4 @@ -{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml index ba156d241..f15b1cec4 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml @@ -1,5 +1,4 @@ -{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml index 2a18df6c8..2d232591e 100644 --- a/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml 
+++ b/charts/argo/argo-cd/templates/argocd-repo-server/deployment.yaml @@ -74,14 +74,6 @@ spec: - /usr/local/bin/argocd-repo-server - --port={{ .Values.repoServer.containerPorts.server }} - --metrics-port={{ .Values.repoServer.containerPorts.metrics }} - {{- with .Values.repoServer.logFormat }} - - --logformat - - {{ . | quote }} - {{- end }} - {{- with .Values.repoServer.logLevel }} - - --loglevel - - {{ . | quote }} - {{- end }} {{- with .Values.repoServer.extraArgs }} {{- toYaml . | nindent 8 }} {{- end }} @@ -201,6 +193,18 @@ spec: name: argocd-cmd-params-cm key: otlp.address optional: true + - name: ARGOCD_REPO_SERVER_OTLP_INSECURE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.insecure + optional: true + - name: ARGOCD_REPO_SERVER_OTLP_HEADERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.headers + optional: true - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE valueFrom: configMapKeyRef: @@ -249,6 +253,18 @@ spec: key: reposerver.enable.git.submodule name: argocd-cmd-params-cm optional: true + - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT + valueFrom: + configMapKeyRef: + key: reposerver.git.lsremote.parallelism.limit + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_GIT_REQUEST_TIMEOUT + valueFrom: + configMapKeyRef: + key: reposerver.git.request.timeout + name: argocd-cmd-params-cm + optional: true {{- if .Values.repoServer.useEphemeralHelmWorkingDir }} - name: HELM_CACHE_HOME value: /helm-working-dir diff --git a/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml new file mode 100644 index 000000000..940ed4278 --- /dev/null +++ b/charts/argo/argo-cd/templates/argocd-server/aws/ingress.yaml 
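Review bot: `ARGOCD_REPO_SERVER_OTLP_HEADERS` is sourced from the `otlp.headers` key of the `argocd-cmd-params-cm` ConfigMap, and OTLP headers are commonly where an authorization token for the collector is placed; a ConfigMap is readable by any principal with `get` on configmaps in the namespace and is not treated as sensitive by backups or GitOps tooling. The same pattern appears in the server deployment hunk later on this page (`ARGOCD_SERVER_OTLP_HEADERS`). If the upstream parameter name is fixed, the chart can still document the trade-off next to the values key, e.g. `# otlp.headers is stored in a ConfigMap; place credential-bearing headers in a Secret via extraEnv/envFrom instead`, and the companion `otlp.insecure` key deserves a note that it disables TLS towards the collector. The container spec continues outside the hunk.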
@@ -0,0 +1,71 @@ +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }} +{{- $insecure := index .Values.configs.params "server.insecure" | toString -}} +{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "argo-cd.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + alb.ingress.kubernetes.io/conditions.{{ include "argo-cd.server.fullname" . }}-grpc: | + [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}] + {{- range $key, $value := .Values.server.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{- with .Values.server.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + rules: + - host: {{ .Values.server.ingress.hostname }} + http: + paths: + {{- with .Values.server.ingress.extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + - path: {{ .Values.server.ingress.path }} + pathType: {{ $.Values.server.ingress.pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" . 
}} + port: + number: {{ $servicePort }} + - path: {{ .Values.server.ingress.path }} + pathType: {{ $.Values.server.ingressGrpc.pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" $ }}-grpc + port: + number: {{ $servicePort }} + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default $.Values.server.ingress.path .path }} + pathType: {{ default $.Values.server.ingress.pathType .pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" $ }} + port: + number: {{ $servicePort }} + {{- end }} + {{- with .Values.server.ingress.extraRules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} + tls: + {{- if .Values.server.ingress.tls }} + - hosts: + - {{ .Values.server.ingress.hostname }} + secretName: argocd-server-tls + {{- end }} + {{- with .Values.server.ingress.extraTls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/aws/service.yaml b/charts/argo/argo-cd/templates/argocd-server/aws/service.yaml index e9032f92b..376699e38 100644 --- a/charts/argo/argo-cd/templates/argocd-server/aws/service.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/aws/service.yaml 
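Review bot: In the new AWS ingress, the gRPC path uses `pathType: {{ $.Values.server.ingressGrpc.pathType }}` while the HTTP path right above it uses `.Values.server.ingress.pathType`; a user who only customises `server.ingress.pathType` gets two rules for the same `path` with different path types, which is confusing and presumably unintended for a template that is driven entirely by `server.ingress`. Using `.Values.server.ingress.pathType` for both rules keeps the file self-consistent. Separately, the hard-coded `alb.ingress.kubernetes.io/conditions.<name>-grpc` annotation is emitted before the `range` over `.Values.server.ingress.annotations`, so a user-supplied annotation with the same key produces a duplicate YAML key; merging user annotations first or documenting that this key is reserved avoids that.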
@@ -1,9 +1,9 @@ -{{- if and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.isAWSALB -}} +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }} apiVersion: v1 kind: Service metadata: annotations: - alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingressGrpc.awsALB.backendProtocolVersion }} + alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingress.aws.backendProtocolVersion }} labels: {{- include "argo-cd.labels" (dict "context" . "component" (print .Values.server.name "-gprc") "name" (print .Values.server.name "-grpc")) | nindent 4 }} name: {{ template "argo-cd.server.fullname" . }}-grpc @@ -21,5 +21,5 @@ spec: selector: {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }} sessionAffinity: None - type: {{ .Values.server.ingressGrpc.awsALB.serviceType }} + type: {{ .Values.server.ingress.aws.serviceType }} {{- end -}} diff --git a/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml b/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml index bd10316b4..f4877980e 100644 --- a/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/clusterrole.yaml @@ -1,5 +1,4 @@ -{{- $config := .Values.server.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -31,7 +30,7 @@ rules: - pods/log verbs: - get - {{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }} + {{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }} - apiGroups: - "" resources: diff --git a/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml b/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml index 27fd13d6d..1e5a98fa7 100644 
--- a/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/clusterrolebinding.yaml @@ -1,5 +1,4 @@ -{{- $config := .Values.server.clusterAdminAccess | default dict -}} -{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }} +{{- if .Values.createClusterRoles }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml index a09b56565..6de12319e 100644 --- a/charts/argo/argo-cd/templates/argocd-server/deployment.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/deployment.yaml @@ -27,6 +27,9 @@ spec: metadata: annotations: checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }} + {{- if .Values.configs.cm.create }} + checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }} + {{- end }} {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }} {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} @@ -65,14 +68,6 @@ spec: - /usr/local/bin/argocd-server - --port={{ .Values.server.containerPorts.server }} - --metrics-port={{ .Values.server.containerPorts.metrics }} - {{- with .Values.server.logFormat }} - - --logformat - - {{ . | quote }} - {{- end }} - {{- with .Values.server.logLevel }} - - --loglevel - - {{ . | quote }} - {{- end }} {{- with .Values.server.extraArgs }} {{- toYaml . | nindent 8 }} {{- end }} 
@@ -284,6 +279,18 @@ spec: name: argocd-cmd-params-cm key: otlp.address optional: true + - name: ARGOCD_SERVER_OTLP_INSECURE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.insecure + optional: true + - name: ARGOCD_SERVER_OTLP_HEADERS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: otlp.headers + optional: true - name: ARGOCD_APPLICATION_NAMESPACES valueFrom: configMapKeyRef: @@ -296,6 +303,24 @@ spec: name: argocd-cmd-params-cm key: server.enable.proxy.extension optional: true + - name: ARGOCD_K8SCLIENT_RETRY_MAX + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8sclient.retry.max + optional: true + - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8sclient.retry.base.backoff + optional: true + - name: ARGOCD_API_CONTENT_TYPES + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.api.content.types + optional: true {{- with .Values.server.envFrom }} envFrom: {{- toYaml . | nindent 10 }} diff --git a/charts/argo/argo-cd/templates/argocd-server/gke/backendconfig.yaml b/charts/argo/argo-cd/templates/argocd-server/gke/backendconfig.yaml index e2ae3d844..cd040c906 100644 --- a/charts/argo/argo-cd/templates/argocd-server/gke/backendconfig.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/gke/backendconfig.yaml 
@@ -1,11 +1,13 @@ -{{- if .Values.server.GKEbackendConfig.enabled }} -apiVersion: {{ include "argo-cd.apiVersions.cloudgoogle" . }} +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.backendConfig }} +apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +{{- with .Values.server.ingress.gke.backendConfig }} spec: - {{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/gke/frontendconfig.yaml b/charts/argo/argo-cd/templates/argocd-server/gke/frontendconfig.yaml index 316875969..d8b3b1ea1 100644 --- a/charts/argo/argo-cd/templates/argocd-server/gke/frontendconfig.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/gke/frontendconfig.yaml @@ -1,11 +1,13 @@ -{{- if .Values.server.GKEfrontendConfig.enabled }} +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.frontendConfig }} apiVersion: networking.gke.io/v1beta1 kind: FrontendConfig metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +{{- with .Values.server.ingress.gke.frontendConfig }} spec: - {{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }} + {{- toYaml . | nindent 2 }} +{{- end }} {{- end }} 
diff --git a/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml
new file mode 100644
index 000000000..31d98e103
--- /dev/null
+++ b/charts/argo/argo-cd/templates/argocd-server/gke/ingress.yaml
@@ -0,0 +1,69 @@ +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") }} +{{- $insecure := index .Values.configs.params "server.insecure" | toString -}} +{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "argo-cd.server.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- with .Values.server.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + ingressClassName: "gce" + {{- if .Values.server.ingress.gke.managedCertificate.create }} + networking.gke.io/managed-certificates: {{ include "argo-cd.server.fullname" . }} + {{- end }} + {{- if .Values.server.ingress.gke.frontendConfig }} + networking.gke.io/v1beta1.FrontendConfig: {{ include "argo-cd.server.fullname" . }} + {{- end }} + {{- range $key, $value := .Values.server.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{- with .Values.server.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + rules: + - host: {{ .Values.server.ingress.hostname }} + http: + paths: + {{- with .Values.server.ingress.extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + - path: {{ .Values.server.ingress.path }} + pathType: {{ .Values.server.ingress.pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" . 
}} + port: + number: {{ $servicePort }} + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: + paths: + - path: {{ default $.Values.server.ingress.path .path }} + pathType: {{ default $.Values.server.ingress.pathType .pathType }} + backend: + service: + name: {{ include "argo-cd.server.fullname" $ }} + port: + number: {{ $servicePort }} + {{- end }} + {{- with .Values.server.ingress.extraRules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} + tls: + {{- if .Values.server.ingress.tls }} + - hosts: + - {{ .Values.server.ingress.hostname }} + secretName: argocd-server-tls + {{- end }} + {{- with .Values.server.ingress.extraTls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/gke/managedcertificate.yaml b/charts/argo/argo-cd/templates/argocd-server/gke/managedcertificate.yaml index 942c6b3f8..569063be0 100644 --- a/charts/argo/argo-cd/templates/argocd-server/gke/managedcertificate.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/gke/managedcertificate.yaml @@ -1,12 +1,15 @@ -{{- if .Values.server.GKEmanagedCertificate.enabled }} +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "gke") .Values.server.ingress.gke.managedCertificate.create }} apiVersion: networking.gke.io/v1 kind: ManagedCertificate metadata: - name: {{ template "argo-cd.server.fullname" . }} + name: {{ include "argo-cd.server.fullname" . }} namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} spec: domains: - {{- with .Values.server.GKEmanagedCertificate.domains }} - {{- toYaml . | nindent 4 }} + - {{ .Values.server.ingress.hostname }} + {{- with .Values.server.ingress.gke.managedCertificate.extraDomains }} + {{- toYaml . | nindent 4 }} {{- end }} {{- end }} 
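Review bot: The GKE ingress emits `ingressClassName: "gce"` under `metadata.annotations`, which is not an annotation the GKE controller recognises; the legacy form is the `kubernetes.io/ingress.class` annotation, and the modern form is `spec.ingressClassName`, which this template already renders a few lines lower from `.Values.server.ingress.ingressClassName`. As written the line is inert, so the ingress is only picked up by the GCE controller if the user also sets `ingressClassName`. Either drop the line or replace it with `kubernetes.io/ingress.class: "gce"` and note in a comment that it is the fallback for clusters that do not set `ingressClassName`.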
diff --git a/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml b/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml index b671f86fc..bfa9a2423 100644 --- a/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/ingress-grpc.yaml @@ -1,8 +1,7 @@ -{{- if and .Values.server.ingressGrpc.enabled (not .Values.server.ingressGrpc.isAWSALB) -}} -{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingressGrpc.https -}} -{{- $paths := .Values.server.ingressGrpc.paths -}} -{{- $extraPaths := .Values.server.ingressGrpc.extraPaths -}} -{{- $pathType := .Values.server.ingressGrpc.pathType -}} +{{- if and .Values.server.ingressGrpc.enabled (eq .Values.server.ingress.controller "generic") -}} +{{- $hostname := .Values.server.ingressGrpc.hostname | default (printf "grpc.%s" .Values.server.ingress.hostname) -}} +{{- $insecure := index .Values.configs.params "server.insecure" | toString -}} +{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
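Review bot: The new `$hostname` default `printf "grpc.%s" .Values.server.ingress.hostname` yields the invalid host `grpc.` when `server.ingress.hostname` is unset, and the second hunk later derives the TLS secret name from it as `{{ printf "%s-tls" $hostname }}`, so the error surfaces only at apply time. A `required "server.ingress.hostname or server.ingressGrpc.hostname must be set"` on the fallback would fail at render time instead. As a point of style, the two-line `$insecure`/`$servicePort` derivation from `configs.params "server.insecure"` is now copied verbatim into the AWS, GKE, gRPC and generic ingress templates on this page; a named helper template would keep the four in step if the parameter handling changes again.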
@@ -24,50 +23,43 @@ spec: ingressClassName: {{ . }} {{- end }} rules: - {{- if .Values.server.ingressGrpc.hosts }} - {{- range $host := .Values.server.ingressGrpc.hosts }} - - host: {{ $host }} + - host: {{ $hostname }} http: paths: - {{- with $extraPaths }} - {{- toYaml . | nindent 10 }} + {{- with .Values.server.ingressGrpc.extraPaths }} + {{- toYaml . | nindent 10 }} {{- end }} - {{- range $p := $paths }} - - path: {{ $p }} - pathType: {{ $pathType }} + - path: {{ .Values.server.ingressGrpc.path }} + pathType: {{ .Values.server.ingressGrpc.pathType }} backend: service: - name: {{ include "argo-cd.server.fullname" $ }} + name: {{ include "argo-cd.server.fullname" . }} port: - {{- if kindIs "float64" $servicePort }} number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- else }} - - http: + {{- range .Values.server.ingressGrpc.extraHosts }} + - host: {{ .name | quote }} + http: paths: - {{- with $extraPaths }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- range $p := $paths }} - - path: {{ $p }} - pathType: {{ $pathType }} + - path: {{ default $.Values.server.ingressGrpc.path .path }} + pathType: {{ default $.Values.server.ingressGrpc.pathType .pathType }} backend: service: name: {{ include "argo-cd.server.fullname" $ }} port: - {{- if kindIs "float64" $servicePort }} number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- with .Values.server.ingressGrpc.tls }} + {{- end }} + {{- with .Values.server.ingressGrpc.extraRules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.server.ingressGrpc.tls .Values.server.ingressGrpc.extraTls }} tls: - {{- toYaml . | nindent 4 }} - {{- end -}} -{{- end -}} + {{- if .Values.server.ingressGrpc.tls }} + - hosts: + - {{ $hostname }} + secretName: {{ printf "%s-tls" $hostname }} + {{- end }} + {{- with .Values.server.ingressGrpc.extraTls }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/ingress.yaml b/charts/argo/argo-cd/templates/argocd-server/ingress.yaml index a142bb666..627f56b9e 100644 --- a/charts/argo/argo-cd/templates/argocd-server/ingress.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/ingress.yaml @@ -1,8 +1,6 @@ -{{- if .Values.server.ingress.enabled -}} -{{- $servicePort := ternary .Values.server.service.servicePortHttps .Values.server.service.servicePortHttp .Values.server.ingress.https -}} -{{- $paths := .Values.server.ingress.paths -}} -{{- $extraPaths := .Values.server.ingress.extraPaths -}} -{{- $pathType := .Values.server.ingress.pathType -}} +{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "generic") }} +{{- $insecure := index .Values.configs.params "server.insecure" | toString -}} +{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
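Review bot: The rebuilt `tls:` block lists only `$hostname`, so every entry from `server.ingressGrpc.extraHosts` that the rule loop above now serves has no matching certificate and falls back to whatever default cert the controller presents; the equivalent block in ingress.yaml in this same change does add each `extraHosts` name, so the gRPC ingress should do the same. Both `- host: {{ $hostname }}` and the tls entry are also rendered unquoted, so a wildcard such as `*.example.com` becomes a YAML alias and breaks the render, and `secretName: {{ printf "%s-tls" $hostname }}` only yields a valid Secret name when the hostname is a plain DNS name — worth a comment on `ingressGrpc.tls` in values.yaml. Proposed tls block (the `extraTls` part is unchanged):

```yaml
  tls:
    {{- if .Values.server.ingressGrpc.tls }}
    - hosts:
        - {{ $hostname | quote }}
        {{- range .Values.server.ingressGrpc.extraHosts }}
        {{- if .name }}
        - {{ .name | quote }}
        {{- end }}
        {{- end }}
      secretName: {{ printf "%s-tls" $hostname | quote }}
    {{- end }}
    # … unchanged: extraTls …
```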
@@ -13,78 +11,59 @@ metadata: {{- with .Values.server.ingress.labels }} {{- toYaml . | nindent 4 }} {{- end }} - {{- if .Values.server.ingress.annotations }} + {{- with .Values.server.ingress.annotations }} annotations: - {{- range $key, $value := .Values.server.ingress.annotations }} + {{- range $key, $value := . }} {{ $key }}: {{ $value | quote }} {{- end }} - {{- if and .Values.server.ingressGrpc.isAWSALB .Values.server.ingressGrpc.enabled }} - alb.ingress.kubernetes.io/conditions.{{ template "argo-cd.server.fullname" . }}-grpc: | - [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}] - {{- end }} {{- end }} spec: {{- with .Values.server.ingress.ingressClassName }} ingressClassName: {{ . }} {{- end }} rules: - {{- if .Values.server.ingress.hosts }} - {{- range $host := .Values.server.ingress.hosts }} - - host: {{ $host | quote }} + - host: {{ .Values.server.ingress.hostname }} http: paths: - {{- with $extraPaths }} - {{- toYaml . | nindent 10 }} + {{- with .Values.server.ingress.extraPaths }} + {{- toYaml . | nindent 10 }} {{- end }} - {{- range $p := $paths }} - {{- if and $.Values.server.ingressGrpc.isAWSALB $.Values.server.ingressGrpc.enabled }} - - path: {{ $p }} - pathType: {{ $.Values.server.ingressGrpc.pathType }} + - path: {{ .Values.server.ingress.path }} + pathType: {{ $.Values.server.ingress.pathType }} backend: service: - name: {{ template "argo-cd.server.fullname" $ }}-grpc + name: {{ include "argo-cd.server.fullname" . 
}} port: - {{- if kindIs "float64" $servicePort }} number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end }} - - path: {{ $p }} - pathType: {{ $pathType }} - backend: - service: - name: {{ include "argo-cd.server.fullname" $ }} - port: - {{- if kindIs "float64" $servicePort }} - number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- else }} - - http: + {{- range .Values.server.ingress.extraHosts }} + - host: {{ .name | quote }} + http: paths: - {{- with $extraPaths }} - {{- toYaml . | nindent 10 }} - {{- end }} - {{- range $p := $paths }} - - path: {{ $p }} - pathType: {{ $pathType }} + - path: {{ default $.Values.server.ingress.path .path }} + pathType: {{ default $.Values.server.ingress.pathType .pathType }} backend: service: name: {{ include "argo-cd.server.fullname" $ }} port: - {{- if kindIs "float64" $servicePort }} number: {{ $servicePort }} - {{- else }} - name: {{ $servicePort }} - {{- end }} - {{- end -}} - {{- end -}} - {{- with .Values.server.ingress.tls }} + {{- end }} + {{- with .Values.server.ingress.extraRules }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }} tls: - {{- toYaml . | nindent 4 }} - {{- end -}} -{{- end -}} + {{- if .Values.server.ingress.tls }} + - hosts: + - {{ .Values.server.ingress.hostname }} + {{- range .Values.server.ingress.extraHosts }} + {{- if .name }} + - {{ .name }} + {{- end }} + {{- end }} + secretName: argocd-server-tls + {{- end }} + {{- with .Values.server.ingress.extraTls }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml b/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml index 12f571fde..a8efe1e5a 100644 --- a/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml +++ b/charts/argo/argo-cd/templates/argocd-server/serviceaccount.yaml 
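Review bot: `- host: {{ .Values.server.ingress.hostname }}` and the same value under `tls.hosts` are rendered unquoted while the `extraHosts` entries go through `| quote`; a wildcard hostname like `*.example.com` therefore renders as a YAML alias and the template fails to parse. Quote it in both places, `- host: {{ .Values.server.ingress.hostname | quote }}` and `- {{ .Values.server.ingress.hostname | quote }}`, and while there replace `pathType: {{ $.Values.server.ingress.pathType }}` with `.Values.server.ingress.pathType` so the first rule does not mix `$.` with the surrounding `.Values` references. Note also that the backend port now follows `configs.params."server.insecure"`: with it unset the Ingress targets `servicePortHttps`, so the ingress controller has to be configured to speak TLS to the backend (controller-specific annotations, not set by this template) — a one-line comment on `server.ingress` in values.yaml saying so would save a confusing 400/502 for users who only set a hostname.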
@@ -13,7 +13,7 @@ metadata: {{- end }} labels: {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} - {{- range $key, $value := .Values.server.serviceAccount.labels }} + {{- with .Values.server.serviceAccount.labels }} {{- toYaml . | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/argo/argo-cd/templates/crds/crd-application.yaml b/charts/argo/argo-cd/templates/crds/crd-application.yaml index 034015741..9869efbbc 100644 --- a/charts/argo/argo-cd/templates/crds/crd-application.yaml +++ b/charts/argo/argo-cd/templates/crds/crd-application.yaml @@ -330,6 +330,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for @@ -658,6 +664,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources @@ -1103,6 +1115,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize components + to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps 
@@ -1421,6 +1439,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize components + to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize @@ -1892,6 +1916,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources @@ -2224,6 +2254,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources @@ -2700,6 +2736,13 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before + building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations 
@@ -3049,6 +3092,13 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of + kustomize components to add to the kustomization + before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations @@ -3513,6 +3563,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources @@ -3855,6 +3911,13 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before + building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources @@ -4341,6 +4404,12 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources 
@@ -4683,6 +4752,13 @@ spec: description: CommonLabels is a list of additional labels to add to rendered manifests type: object + components: + description: Components specifies a list of kustomize + components to add to the kustomization before + building + items: + type: string + type: array forceCommonAnnotations: description: ForceCommonAnnotations specifies whether to force applying common annotations to resources diff --git a/charts/argo/argo-cd/templates/crds/crd-applicationset.yaml b/charts/argo/argo-cd/templates/crds/crd-applicationset.yaml index 8d7409e57..02623f6c3 100644 --- a/charts/argo/argo-cd/templates/crds/crd-applicationset.yaml +++ b/charts/argo/argo-cd/templates/crds/crd-applicationset.yaml @@ -255,6 +255,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -465,6 +469,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -834,6 +842,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -1044,6 +1056,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -1417,6 +1433,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -1627,6 +1647,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: 
@@ -1980,6 +2004,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -2190,6 +2218,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -2567,6 +2599,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -2777,6 +2813,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -3146,6 +3186,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -3356,6 +3400,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -3729,6 +3777,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -3939,6 +3991,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -4292,6 +4348,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -4502,6 +4562,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: 
@@ -4865,6 +4929,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -5075,6 +5143,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -5618,6 +5690,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -5828,6 +5904,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -6366,6 +6446,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -6576,6 +6660,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -6943,6 +7031,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -7153,6 +7245,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -7530,6 +7626,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -7740,6 +7840,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: 
@@ -8109,6 +8213,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -8319,6 +8427,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -8692,6 +8804,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -8902,6 +9018,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -9255,6 +9375,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -9465,6 +9589,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -9828,6 +9956,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -10038,6 +10170,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -10581,6 +10717,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -10791,6 +10931,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: 
@@ -11329,6 +11473,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -11539,6 +11687,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -11910,6 +12062,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -12120,6 +12276,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -12480,6 +12640,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -12690,6 +12854,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -13233,6 +13401,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -13443,6 +13615,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -13981,6 +14157,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -14191,6 +14371,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: 
@@ -14633,6 +14817,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -14843,6 +15031,10 @@ spec: additionalProperties: type: string type: object + components: + items: + type: string + type: array forceCommonAnnotations: type: boolean forceCommonLabels: @@ -15002,6 +15194,8 @@ spec: - metadata - spec type: object + templatePatch: + type: string required: - generators - template diff --git a/charts/argo/argo-cd/templates/crds/crd-project.yaml b/charts/argo/argo-cd/templates/crds/crd-project.yaml index 0a6da4f0f..388014693 100644 --- a/charts/argo/argo-cd/templates/crds/crd-project.yaml +++ b/charts/argo/argo-cd/templates/crds/crd-project.yaml @@ -14,7 +14,7 @@ metadata: app.kubernetes.io/part-of: argocd {{- with .Values.crds.additionalLabels }} {{- toYaml . | nindent 4}} - {{- end }} + {{- end }} name: appprojects.argoproj.io spec: group: argoproj.io @@ -99,7 +99,8 @@ spec: properties: name: description: Name is an alternate way of specifying the target - cluster by its symbolic name + cluster by its symbolic name. This must be set if Server is + not set. type: string namespace: description: Namespace specifies the target namespace for the @@ -107,8 +108,9 @@ spec: namespace-scoped resources that have not set a value for .metadata.namespace type: string server: - description: Server specifies the URL of the target cluster - and must be set to the Kubernetes control plane API + description: Server specifies the URL of the target cluster's + Kubernetes control plane API. This must be set if Name is + not set. type: string type: object type: array diff --git a/charts/argo/argo-cd/templates/redis/deployment.yaml b/charts/argo/argo-cd/templates/redis/deployment.yaml index b3182245f..94c445c8f 100644 --- a/charts/argo/argo-cd/templates/redis/deployment.yaml +++ b/charts/argo/argo-cd/templates/redis/deployment.yaml 
@@ -72,6 +72,32 @@ spec: envFrom: {{- toYaml . | nindent 8 }} {{- end }} + {{- if .Values.redis.livenessProbe.enabled }} + livenessProbe: + initialDelaySeconds: {{ .Values.redis.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.redis.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.redis.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.redis.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.redis.livenessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/redis_liveness.sh + {{- end }} + {{- if .Values.redis.readinessProbe.enabled }} + readinessProbe: + initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.redis.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.redis.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.redis.readinessProbe.failureThreshold }} + exec: + command: + - sh + - -c + - /health/redis_readiness.sh + {{- end }} ports: - name: redis containerPort: {{ .Values.redis.containerPorts.redis }} @@ -82,8 +108,10 @@ spec: securityContext: {{- toYaml . | nindent 10 }} {{- end }} - {{- with .Values.redis.volumeMounts }} volumeMounts: + - mountPath: /health + name: health + {{- with .Values.redis.volumeMounts }} {{- toYaml . | nindent 10 }} {{- end }} {{- if .Values.redis.exporter.enabled }} 
@@ -102,6 +130,28 @@ spec: - name: metrics containerPort: {{ .Values.redis.containerPorts.metrics }} protocol: TCP + {{- if .Values.redis.exporter.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /metrics + port: {{ .Values.redis.containerPorts.metrics }} + initialDelaySeconds: {{ .Values.redis.exporter.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.redis.exporter.livenessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.redis.exporter.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.redis.exporter.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.redis.exporter.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.redis.exporter.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /metrics + port: {{ .Values.redis.containerPorts.metrics }} + initialDelaySeconds: {{ .Values.redis.exporter.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.redis.exporter.readinessProbe.timeoutSeconds }} + periodSeconds: {{ .Values.redis.exporter.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.redis.exporter.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.redis.exporter.readinessProbe.failureThreshold }} + {{- end }} resources: {{- toYaml .Values.redis.exporter.resources | nindent 10 }} {{- with .Values.redis.exporter.containerSecurityContext }} @@ -139,8 +189,12 @@ spec: {{- end }} {{- end }} {{- end }} - {{- with .Values.redis.volumes }} volumes: + - name: health + configMap: + name: {{ include "argo-cd.redis.fullname" . }}-health-configmap + defaultMode: 0755 + {{- with .Values.redis.volumes }} {{- toYaml . | nindent 8}} {{- end }} {{- with .Values.redis.dnsConfig }} diff --git a/charts/argo/argo-cd/templates/redis/health-configmap.yaml b/charts/argo/argo-cd/templates/redis/health-configmap.yaml new file mode 100644 index 000000000..fd0ecff7d --- /dev/null +++ b/charts/argo/argo-cd/templates/redis/health-configmap.yaml 
@@ -0,0 +1,35 @@ +{{- $redisHa := index .Values "redis-ha" -}} +{{- if and .Values.redis.enabled (not $redisHa.enabled) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "argo-cd.redis.fullname" . }}-health-configmap + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "argo-cd.labels" (dict "context" . "component" .Values.redis.name "name" .Values.redis.name) | nindent 4 }} +data: + redis_liveness.sh: | + response=$( + redis-cli \ + -h localhost \ + -p {{ .Values.redis.containerPorts.redis }} \ + ping + ) + if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then + echo "$response" + exit 1 + fi + echo "response=$response" + redis_readiness.sh: | + response=$( + redis-cli \ + -h localhost \ + -p {{ .Values.redis.containerPorts.redis }} \ + ping + ) + if [ "$response" != "PONG" ] ; then + echo "$response" + exit 1 + fi + echo "response=$response" +{{- end }} diff --git a/charts/argo/argo-cd/values.yaml b/charts/argo/argo-cd/values.yaml index 58560eb59..146dac34e 100644 --- a/charts/argo/argo-cd/values.yaml +++ b/charts/argo/argo-cd/values.yaml @@ -11,9 +11,7 @@ kubeVersionOverride: "" # Override APIVersions # If you want to template helm charts but cannot access k8s API server # you can set api versions here -apiVersionOverrides: - # -- String to override apiVersion of GKE resources rendered by this helm chart - cloudgoogle: "" # cloud.google.com/v1 +apiVersionOverrides: {} # -- Create aggregated roles that extend existing cluster roles to interact with argo-cd resources ## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles 
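Review bot: Both scripts run `redis-cli -h localhost -p … ping` with no credentials, so if this redis container is started with `--requirepass` (recent versions of the chart's redis deployment supply a password from the `argocd-redis` secret; the container args are outside this diff, please confirm) the reply is `NOAUTH Authentication required.`, the `!= "PONG"` check fails, and an enabled probe keeps the pod unready or restart-loops it. `redis-cli` honours `REDISCLI_AUTH` from the environment, so exporting the deployment's password variable at the top of each script, e.g. `export REDISCLI_AUTH="${REDIS_PASSWORD:-}"`, lets the probe authenticate without putting the secret on the command line where `ps` exposes it — the exact variable name depends on the deployment's env block, which is not visible here. Separately, `"${response:0:7}"` is a substring expansion that busybox ash and bash accept but POSIX `sh` does not; `case "$response" in LOADING*) ;; *) echo "$response"; exit 1 ;; esac` is portable and reads as clearly. A short header comment noting that the probes invoke these files via `sh -c` and rely on `defaultMode: 0755` from the deployment would help the next maintainer.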
@@ -442,16 +440,6 @@ configs: # insecure: false # caData: "" - # DEPRECATED - Moved to configs.ssh.annotations - # knownHostsAnnotations: {} - # DEPRECATED - Moved to configs.ssh.knownHosts - # knownHosts: {} - - # DEPRECATED - Moved to configs.tls.annotations - # tlsCertsAnnotations: {} - # DEPRECATED - Moved to configs.tls.certificates - # tlsCerts: {} - # -- Repository credentials to be used as Templates for other repos ## Creates a secret for each key/value specified below to create repository credentials credentialTemplates: {} @@ -533,12 +521,6 @@ configs: {} # LDAP_PASSWORD: "mypassword" - # -- Argo TLS Data - # DEPRECATED - Use server.certificate or server.certificateSecret - # argocdServerTlsConfig: - # key: '' - # crt: '' - # -- Bcrypt hashed admin password ## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` @@ -595,6 +577,9 @@ controller: # Additional replicas will cause sharding of managed clusters across number of replicas. replicas: 1 + # -- Maximum number of controller revisions that will be maintained in StatefulSet history + revisionHistoryLimit: 5 + ## Application controller Pod Disruption Budget ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ pdb: 
@@ -627,22 +612,6 @@ controller: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] - # -- DEPRECATED - Application controller commandline flags - args: {} - # DEPRECATED - Use configs.params to override - # # -- define the application controller `--status-processors` - # statusProcessors: "20" - # # -- define the application controller `--operation-processors` - # operationProcessors: "10" - # # -- define the application controller `--app-hard-resync` - # appHardResyncPeriod: "0" - # # -- define the application controller `--app-resync` - # appResyncPeriod: "180" - # # -- define the application controller `--self-heal-timeout-seconds` - # selfHealTimeout: "5" - # # -- define the application controller `--repo-server-timeout-seconds` - # repoServerTimeoutSeconds: "60" - # -- Additional command line arguments to pass to application controller extraArgs: [] @@ -944,7 +913,7 @@ dex: # -- Dex image repository repository: ghcr.io/dexidp/dex # -- Dex image tag - tag: v2.37.0 + tag: v2.38.0 # -- Dex imagePullPolicy # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -1182,7 +1151,7 @@ redis: # -- Redis repository repository: public.ecr.aws/docker/library/redis # -- Redis tag - tag: 7.0.13-alpine + tag: 7.0.15-alpine # -- Redis image pull policy # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" @@ -1198,7 +1167,7 @@ redis: # -- Repository to use for the redis-exporter repository: public.ecr.aws/bitnami/redis-exporter # -- Tag to use for the redis-exporter - tag: 1.53.0 + tag: 1.57.0 # -- Image pull policy for the redis-exporter # @default -- `""` (defaults to global.image.imagePullPolicy) imagePullPolicy: "" 
@@ -1215,6 +1184,35 @@ redis: drop: - ALL + ## Probes for Redis exporter (optional) + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Enable Kubernetes liveness probe for Redis exporter (optional) + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 15 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 15 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 5 + livenessProbe: + # -- Enable Kubernetes liveness probe for Redis exporter + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 15 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 15 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 5 + # -- Resource limits and requests for redis-exporter sidecar resources: {} # limits: 
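Review bot: The comment on the exporter `readinessProbe.enabled` key reads `# -- Enable Kubernetes liveness probe for Redis exporter (optional)`, so the generated README will describe the readiness switch as a liveness one; it should be `# -- Enable Kubernetes readiness probe for Redis exporter`. The `[probe]` placeholders in the remaining comments are presumably expanded by the chart's README tooling — confirm they resolve, otherwise they appear literally in the docs.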
@@ -1244,6 +1242,35 @@ redis: # - secretRef: # name: secret-name + ## Probes for Redis server (optional) + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + readinessProbe: + # -- Enable Kubernetes liveness probe for Redis server + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 15 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 15 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 5 + livenessProbe: + # -- Enable Kubernetes liveness probe for Redis server + enabled: false + # -- Number of seconds after the container has started before [probe] is initiated + initialDelaySeconds: 30 + # -- How often (in seconds) to perform the [probe] + periodSeconds: 15 + # -- Number of seconds after which the [probe] times out + timeoutSeconds: 15 + # -- Minimum consecutive successes for the [probe] to be considered successful after having failed + successThreshold: 1 + # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded + failureThreshold: 5 + # -- Additional containers to be added to the redis pod ## Note: Supports use of custom Helm templates extraContainers: [] @@ -1405,7 +1432,7 @@ redis-ha: # -- Redis repository repository: public.ecr.aws/docker/library/redis # -- Redis tag - tag: 7.0.13-alpine + tag: 7.0.15-alpine ## Prometheus redis-exporter sidecar exporter: # -- Enable Prometheus redis-exporter sidecar 
@@ -1413,7 +1440,7 @@ redis-ha: # -- Repository to use for the redis-exporter image: public.ecr.aws/bitnami/redis-exporter # -- Tag to use for the redis-exporter - tag: 1.53.0 + tag: 1.57.0 persistentVolume: # -- Configures persistence on Redis nodes enabled: false 
@@ -1934,29 +1961,47 @@ server: # -- Automount API credentials for the Service Account automountServiceAccountToken: true + # Argo CD server ingress configuration ingress: # -- Enable an ingress resource for the Argo CD server enabled: false - # -- Additional ingress annotations - annotations: {} + # -- Specific implementation for ingress controller. One of `generic`, `aws` or `gke` + ## Additional configuration might be required in related configuration sections + controller: generic # -- Additional ingress labels labels: {} + # -- Additional ingress annotations + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough + annotations: {} + # nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # nginx.ingress.kubernetes.io/ssl-passthrough: "true" + # -- Defines which ingress controller will implement the resource ingressClassName: "" - # -- List of ingress hosts - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - hosts: [] - # - argocd.example.com + # -- Argo CD server hostname + ## NOTE: Hostname must be provided if Ingress is enabled + hostname: argocd.example.com + + # -- The path to Argo CD server + path: / - # -- List of ingress paths - paths: - - / # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + + # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname` + ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls` + ## You can create this secret via `certificate` or `certificateSecret` option + tls: false + + # -- The list of additional hostnames to be covered by ingress record + # @default -- `[]` (See [values.yaml]) + extraHosts: [] + # - name: argocd.example.com + # path: / + # -- Additional ingress paths + # @default -- `[]` (See [values.yaml]) extraPaths: [] # - path: /* # pathType: Prefix 
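Review bot: `hostname: argocd.example.com` is now a non-empty default while the note directly above it still says `## NOTE: Hostname must be provided if Ingress is enabled`; with this default, enabling the ingress without overriding the hostname presumably renders an Ingress rule for the placeholder domain instead of failing the way the previous empty `hosts: []` would. Either restore an empty default (`hostname: ""`) so a missing hostname stays detectable by the template, or reword the note to say the placeholder must be replaced. The comment on `tls: false` only describes where the certificate comes from; a sentence stating that an enabled ingress serves plaintext HTTP unless `tls` is turned on or `extraTls` is set would make the default's effect explicit.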
@@ -1966,17 +2011,70 @@ server: # port: # name: use-annotation - # -- Ingress TLS configuration - tls: [] - # - secretName: your-certificate-name - # hosts: - # - argocd.example.com + # -- Additional ingress rules + # @default -- `[]` (See [values.yaml]) + extraRules: [] + # - host: example.example.com + # http: + # path: / + # backend: + # service: + # name: example-svc + # port: + # name: http - # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` - https: false + # -- Additional TLS configuration + # @default -- `[]` (See [values.yaml]) + extraTls: [] + # - hosts: + # - argocd.example.com + # secretName: your-certificate-name - # dedicated ingress for gRPC as documented at - # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/ + # AWS specific options for Application Load Balancer + # Applies only when `serv.ingress.controller` is set to `aws` + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode + aws: + # -- Backend protocol version for the AWS ALB gRPC service + ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features + backendProtocolVersion: HTTP2 + # -- Service type for the AWS ALB gRPC service + ## Can be of type NodePort or ClusterIP depending on which mode you are running. 
+ ## Instance mode needs type NodePort, IP mode needs type ClusterIP + ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic + serviceType: NodePort + + # Google specific options for Google Application Load Balancer + # Applies only when `server.ingress.controller` is set to `gke` + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#google-cloud-load-balancers-with-kubernetes-ingress + gke: + # -- Google [BackendConfig] resource, for use with the GKE Ingress Controller + # @default -- `{}` (See [values.yaml]) + ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters + backendConfig: {} + # iap: + # enabled: true + # oauthclientCredentials: + # secretName: argocd-secret + + # -- Google [FrontendConfig] resource, for use with the GKE Ingress Controller + # @default -- `{}` (See [values.yaml]) + ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters + frontendConfig: {} + # redirectToHttps: + # enabled: true + # responseCodeName: RESPONSE_CODE + + # Managed GKE certificate for ingress hostname + managedCertificate: + # -- Create ManagedCertificate resource and annotations for Google Load balancer + ## Ref: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs + create: true + # -- Additional domains for ManagedCertificate resource + extraDomains: [] + # - argocd.example.com + + # Dedicated gRPC ingress for ingress controllers that supports only single backend protocol per Ingress resource + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts ingressGrpc: # -- Enable an ingress resource for the Argo CD server for dedicated [gRPC-ingress] enabled: false 
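Review bot: The AWS section comment references a key that does not exist: `# Applies only when `serv.ingress.controller` is set to `aws`` should read `server.ingress.controller`, matching the wording of the GKE comment a few lines below. In the same hunk the `backendConfig` Ref link points at the `frontendconfig_parameters` anchor of the GKE ingress-features page, which looks like the FrontendConfig link copied over; the BackendConfig section of that page would be the right target if one exists. Note also that `managedCertificate.create: true` is the default, so selecting `controller: gke` creates a ManagedCertificate for whatever `server.ingress.hostname` holds (the placeholder by default); a one-line comment stating that dependency would help operators. This hunk begins on the previous SOURCE line.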
@@ -1989,32 +2087,27 @@ server: # -- Defines which ingress controller will implement the resource [gRPC-ingress] ingressClassName: "" - awsALB: - # -- Service type for the AWS ALB gRPC service - ## Service Type if isAWSALB is set to true - ## Can be of type NodePort or ClusterIP depending on which mode you are - ## are running. Instance mode needs type NodePort, IP mode needs type - ## ClusterIP - ## Ref: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/how-it-works/#ingress-traffic - serviceType: NodePort - # -- Backend protocol version for the AWS ALB gRPC service - ## This tells AWS to send traffic from the ALB using HTTP2. Can use gRPC as well if you want to leverage gRPC specific features - backendProtocolVersion: HTTP2 + # -- Argo CD server hostname for dedicated [gRPC-ingress] + hostname: "" - # -- List of ingress hosts for dedicated [gRPC-ingress] - ## Argo Ingress. - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - ## - hosts: [] - # - argocd.example.com + # -- Argo CD server ingress path for dedicated [gRPC-ingress] + path: / - # -- List of ingress paths for dedicated [gRPC-ingress] - paths: - - / # -- Ingress path type for dedicated [gRPC-ingress]. One of `Exact`, `Prefix` or `ImplementationSpecific` pathType: Prefix + + # -- Enable TLS configuration for the hostname defined at `server.ingressGrpc.hostname` + ## TLS certificate will be retrieved from a TLS secret with name: `-tls` + tls: false + + # -- The list of additional hostnames to be covered by ingress record + # @default -- `[]` (See [values.yaml]) + extraHosts: [] + # - name: grpc.argocd.example.com + # path: / + # -- Additional ingress paths for dedicated [gRPC-ingress] + # @default -- `[]` (See [values.yaml]) extraPaths: [] # - path: /* # pathType: Prefix 
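Review bot: The `tls` comment in the gRPC ingress names an incomplete secret: `## TLS certificate will be retrieved from a TLS secret with name: `-tls`` has lost whatever preceded `-tls` (the equivalent comment for `server.ingress.tls` names `argocd-server-tls`). State the actual secret name the template reads, or phrase it as `<release>-<component>-tls` if it is derived, so operators know which Secret to create before enabling `tls`. Separately, `hostname: ""` here versus `hostname: argocd.example.com` on `server.ingress` is an inconsistency worth aligning in one direction, since the dedicated gRPC ingress is the one documented as needing its own host.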
@@ -2024,15 +2117,25 @@ server: # port: # name: use-annotation - # -- Ingress TLS configuration for dedicated [gRPC-ingress] - tls: [] + # -- Additional ingress rules + # @default -- `[]` (See [values.yaml]) + extraRules: [] + # - host: example.example.com + # http: + # path: / + # backend: + # service: + # name: example-svc + # port: + # name: http + + # -- Additional TLS configuration for dedicated [gRPC-ingress] + # @default -- `[]` (See [values.yaml]) + extraTls: [] # - secretName: your-certificate-name # hosts: # - argocd.example.com - # -- Uses `server.service.servicePortHttps` instead `server.service.servicePortHttp` - https: false - # Create a OpenShift Route with SSL passthrough for UI and CLI # Consider setting 'hostname' e.g. https://argocd.apps-crc.testing/ using your Default Ingress Controller Domain # Find your domain with: kubectl describe --namespace=openshift-ingress-operator ingresscontroller/default | grep Domain: 
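Review bot: `server.ingressGrpc.https` is removed in this hunk (and `server.ingress.https` in the `@@ -1966,17 +2011,70 @@` hunk) with no replacement or deprecation comment visible in the diff; users who relied on it to route to `server.service.servicePortHttps` will silently get whatever backend port the template now selects. If the new `tls`/`extraTls` settings are meant to supersede it, a comment next to `tls: false` such as `## Replaces the removed `https` flag; the backend port is now selected by the template` would document the migration. The `extraTls` example for the gRPC ingress also reuses `argocd.example.com` rather than the gRPC host (`grpc.argocd.example.com` in the `extraHosts` example), which suggests the same host serves both ingresses.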
@@ -2049,38 +2152,6 @@ server: # -- Termination policy of Openshift Route termination_policy: None - GKEbackendConfig: - # -- Enable BackendConfig custom resource for Google Kubernetes Engine - enabled: false - # -- [BackendConfigSpec] - spec: {} - # spec: - # iap: - # enabled: true - # oauthclientCredentials: - # secretName: argocd-secret - - ## Create a Google Managed Certificate for use with the GKE Ingress Controller - ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs - GKEmanagedCertificate: - # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine. - enabled: false - # -- Domains for the Google Managed Certificate - domains: - - argocd.example.com - - ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller - ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters - GKEfrontendConfig: - # -- Enable FrontConfig custom resource for Google Kubernetes Engine - enabled: false - # -- [FrontendConfigSpec] - spec: {} - # spec: - # redirectToHttps: - # enabled: true - # responseCodeName: RESPONSE_CODE - ## Repo Server repoServer: # -- Repo server name @@ -2500,16 +2571,7 @@ applicationSet: # @default -- `[]` (defaults to global.imagePullSecrets) imagePullSecrets: [] - # -- DEPRECATED - ApplicationSet controller command line flags - args: {} - # DEPRECATED - Use configs.params.applicationsetcontroller.policy to override - # -- How application is synced between the generator and the cluster - # policy: sync - # DEPRECATED - Use configs.params.applicationsetcontroller.dryrun to override - # -- Enable dry run mode - # dryRun: false - - # -- List of extra cli args to add + # -- ApplicationSet controller command line flags extraArgs: [] # -- Environment variables to pass to the ApplicationSet controller 
@@ -2714,51 +2776,6 @@ applicationSet: # @default -- `""` (defaults to global.priorityClassName) priorityClassName: "" - ## Webhook for the Git Generator - ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration) - webhook: - ingress: - # -- Enable an ingress resource for Webhooks - enabled: false - # -- Additional ingress annotations - annotations: {} - # -- Additional ingress labels - labels: {} - # -- Defines which ingress ApplicationSet controller will implement the resource - ingressClassName: "" - - # -- List of ingress hosts - ## Hostnames must be provided if Ingress is enabled. - ## Secrets must be manually created in the namespace - hosts: [] - # - argocd-applicationset.example.com - - # -- List of ingress paths - paths: - - /api/webhook - # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` - pathType: Prefix - # -- Additional ingress paths - extraPaths: [] - # - path: /* - # backend: - # serviceName: ssl-redirect - # servicePort: use-annotation - ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) - # - path: /* - # pathType: Prefix - # backend: - # service: - # name: ssl-redirect - # port: - # name: use-annotation - - # -- Ingress TLS configuration - tls: [] - # - secretName: argocd-applicationset-tls - # hosts: - # - argocd-applicationset.example.com - # TLS certificate configuration via cert-manager ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/tls/#tls-configuration certificate: 
@@ -2800,6 +2817,69 @@ applicationSet: # -- Annotations to be applied to the ApplicationSet Certificate annotations: {} + ## Ingress for the Git Generator webhook + ## Ref: https://argocd-applicationset.readthedocs.io/en/master/Generators-Git/#webhook-configuration) + ingress: + # -- Enable an ingress resource for ApplicationSet webhook + enabled: false + # -- Additional ingress labels + labels: {} + # -- Additional ingress annotations + annotations: {} + + # -- Defines which ingress ApplicationSet controller will implement the resource + ingressClassName: "" + + # -- Argo CD ApplicationSet hostname + ## NOTE: Hostname must be provided if Ingress is enabled + hostname: argocd.example.com + + # -- List of ingress paths + path: /api/webhook + + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + + # -- Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname` + ## TLS certificate will be retrieved from a TLS secret with name:`argocd-application-controller-tls` + tls: false + + # -- The list of additional hostnames to be covered by ingress record + # @default -- `[]` (See [values.yaml]) + extraHosts: [] + # - name: argocd.example.com + # path: / + + # -- Additional ingress paths + # @default -- `[]` (See [values.yaml]) + extraPaths: [] + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + # -- Additional ingress rules + # @default -- `[]` (See [values.yaml]) + extraRules: [] + # - host: example.example.com + # http: + # path: / + # backend: + # service: + # name: example-svc + # port: + # name: http + + # -- Additional ingress TLS configuration + # @default -- `[]` (See [values.yaml]) + extraTls: [] + # - secretName: argocd-applicationset-tls + # hosts: + # - argocd-applicationset.example.com + ## Notifications controller notifications: # -- Enable notifications controller 
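Review bot: The `tls` comment references a key that no longer exists and a secret that looks wrong: `# -- Enable TLS configuration for the hostname defined at `applicationSet.webhook.ingress.hostname`` should point at `applicationSet.ingress.hostname` (the `webhook:` parent was dropped in the `@@ -2714,51 +2776,6 @@` hunk), and `argocd-application-controller-tls` names the application controller's secret while the `extraTls` example below uses `argocd-applicationset-tls`; one of the two is wrong and the comment should name the secret the template actually reads. `# -- List of ingress paths` now sits above the scalar `path: /api/webhook` and should read `# -- Argo CD ApplicationSet webhook ingress path`. Finally, `hostname: argocd.example.com` shares the Argo CD server's placeholder default, so enabling both ingresses with defaults would presumably produce two Ingress objects for the same host; an empty default or a distinct placeholder would avoid that.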
diff --git a/charts/bitnami/airflow/.helmignore b/charts/bitnami/airflow/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/airflow/.helmignore +++ b/charts/bitnami/airflow/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/airflow/Chart.lock b/charts/bitnami/airflow/Chart.lock index d37d9aca7..308272de0 100644 --- a/charts/bitnami/airflow/Chart.lock +++ b/charts/bitnami/airflow/Chart.lock @@ -1,12 +1,12 @@ dependencies: - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 18.7.0 + version: 18.12.1 - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 13.3.0 + version: 13.4.4 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.14.1 -digest: sha256:5ccdd0a9b98fdac3ad60b2fe1fe5776e2aa267addd60501166de8166377bad94 -generated: "2024-01-17T19:54:42.562153805Z" +digest: sha256:49f55036d61c3a75346caddd96eb54503c4ba8afb6158614f16bb7a2a6dd034f +generated: "2024-02-09T10:01:48.735049564Z" diff --git a/charts/bitnami/airflow/Chart.yaml b/charts/bitnami/airflow/Chart.yaml index 3320db34e..9a9cdc5aa 100644 --- a/charts/bitnami/airflow/Chart.yaml +++ b/charts/bitnami/airflow/Chart.yaml 
@@ -6,20 +6,20 @@ annotations: category: WorkFlow images: | - name: airflow-exporter - image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r443 + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r448 - name: airflow-scheduler - image: docker.io/bitnami/airflow-scheduler:2.8.0-debian-11-r1 + image: docker.io/bitnami/airflow-scheduler:2.8.1-debian-11-r4 - name: airflow-worker - image: docker.io/bitnami/airflow-worker:2.8.0-debian-11-r1 + image: docker.io/bitnami/airflow-worker:2.8.1-debian-11-r4 - name: airflow - image: docker.io/bitnami/airflow:2.8.0-debian-11-r2 + image: docker.io/bitnami/airflow:2.8.1-debian-11-r4 - name: git - image: docker.io/bitnami/git:2.43.0-debian-11-r5 + image: docker.io/bitnami/git:2.43.0-debian-11-r9 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 -appVersion: 2.8.0 +appVersion: 2.8.1 dependencies: - condition: redis.enabled name: redis @@ -50,4 +50,4 @@ maintainers: name: airflow sources: - https://github.com/bitnami/charts/tree/main/bitnami/airflow -version: 16.4.0 +version: 16.5.5 diff --git a/charts/bitnami/airflow/README.md b/charts/bitnami/airflow/README.md index 758ac183e..53f03ceb3 100644 --- a/charts/bitnami/airflow/README.md +++ b/charts/bitnami/airflow/README.md 
@@ -153,7 +153,7 @@ The command removes all the Kubernetes components associated with the chart and | `web.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `web.podSecurityContext.fsGroup` | Set Airflow web pod's Security Context fsGroup | `1001` | | `web.containerSecurityContext.enabled` | Enabled Airflow web containers' Security Context | `true` | -| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `web.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `web.containerSecurityContext.runAsUser` | Set Airflow web containers' Security Context runAsUser | `1001` | | `web.containerSecurityContext.runAsNonRoot` | Set Airflow web containers' Security Context runAsNonRoot | `true` | | `web.containerSecurityContext.privileged` | Set web container's Security Context privileged | `false` | @@ -186,6 +186,12 @@ The command removes all the Kubernetes components associated with the chart and | `web.pdb.create` | Deploy a pdb object for the Airflow web pods | `false` | | `web.pdb.minAvailable` | Maximum number/percentage of unavailable Airflow web replicas | `1` | | `web.pdb.maxUnavailable` | Maximum number/percentage of unavailable Airflow web replicas | `""` | +| `web.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `web.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `web.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `web.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `web.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `web.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Airflow scheduler parameters 
@@ -227,7 +233,7 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `scheduler.podSecurityContext.fsGroup` | Set Airflow scheduler pod's Security Context fsGroup | `1001` | | `scheduler.containerSecurityContext.enabled` | Enabled Airflow scheduler containers' Security Context | `true` | -| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `scheduler.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `scheduler.containerSecurityContext.runAsUser` | Set Airflow scheduler containers' Security Context runAsUser | `1001` | | `scheduler.containerSecurityContext.runAsNonRoot` | Set Airflow scheduler containers' Security Context runAsNonRoot | `true` | | `scheduler.containerSecurityContext.privileged` | Set scheduler container's Security Context privileged | `false` | 
@@ -260,6 +266,12 @@ The command removes all the Kubernetes components associated with the chart and | `scheduler.pdb.create` | Deploy a pdb object for the Airflow scheduler pods | `false` | | `scheduler.pdb.minAvailable` | Maximum number/percentage of unavailable Airflow scheduler replicas | `1` | | `scheduler.pdb.maxUnavailable` | Maximum number/percentage of unavailable Airflow scheduler replicas | `""` | +| `scheduler.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `scheduler.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `scheduler.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `scheduler.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `scheduler.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `scheduler.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Airflow worker parameters 
@@ -308,7 +320,7 @@ The command removes all the Kubernetes components associated with the chart and | `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `worker.podSecurityContext.fsGroup` | Set Airflow worker pod's Security Context fsGroup | `1001` | | `worker.containerSecurityContext.enabled` | Enabled Airflow worker containers' Security Context | `true` | -| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `worker.containerSecurityContext.runAsUser` | Set Airflow worker containers' Security Context runAsUser | `1001` | | `worker.containerSecurityContext.runAsNonRoot` | Set Airflow worker containers' Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set worker container's Security Context privileged | `false` | 
@@ -348,6 +360,12 @@ The command removes all the Kubernetes components associated with the chart and | `worker.autoscaling.maxReplicas` | Configure a maximum amount of pods | `3` | | `worker.autoscaling.targetCPU` | Define the CPU target to trigger the scaling actions (utilization percentage) | `80` | | `worker.autoscaling.targetMemory` | Define the memory target to trigger the scaling actions (utilization percentage) | `80` | +| `worker.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `worker.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `worker.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `worker.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `worker.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `worker.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Airflow git sync parameters 
@@ -461,7 +479,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `metrics.podSecurityContext.fsGroup` | Set Airflow exporter pod's Security Context fsGroup | `1001` | | `metrics.containerSecurityContext.enabled` | Enable Airflow exporter containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set Airflow exporter containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set Airflow exporter containers' Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | 
@@ -496,6 +514,12 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | | `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | | `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `metrics.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `metrics.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `metrics.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `metrics.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `metrics.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Airflow database parameters 
@@ -743,9 +767,163 @@ NOTE: Due to an error in our release process, Redis®' chart versions higher This major updates the PostgreSQL subchart to its newest major, 12.0.0. [Here](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#to-1200) you can find more information about the changes introduced in that version. -### To any previous version +### To 13.0.0 -Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/apache-airflow/administration/upgrade/). +This major update the Redis® subchart to its newest major, 17.0.0, which updates Redis® from its version 6.2 to the latest 7.0. + +### To 12.0.0 + +This major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. Additionally updates the PostgreSQL & Redis subcharts to their newest major 11.x.x and 16.x.x, respectively, which contain similar changes. + +- *auth.forcePassword* parameter is deprecated. The new version uses Helm's lookup functionalities and forcing passwords isn't required anymore. +- *config* and *configurationConfigMap* have been renamed to *configuration* and *existingConfigmap*, respectively. +- *dags.configMap* and *web.configMap* have been renamed to *dags.existingConfigmap* and *web.existingConfigmap*, respectively. +- *web.containerPort* and *worker.port* have been regrouped under the *web.containerPorts* and *worker.containerPorts* maps, respectively. +- *web.podDisruptionBudget*, *scheduler.podDisruptionBudget* and *worker.podDisruptionBudget* maps have been renamed to *web.pdb*, *scheduler.pdb* and *worker.pdb*, respectively. 
+- *worker.autoscaling.replicas.min*, *worker.autoscaling.replicas.max*, *worker.autoscaling.targets.cpu* and *worker.autoscaling.targets.memory* have been renamed to *worker.autoscaling.minReplicas*, *worker.autoscaling.maxReplicas*, *worker.autoscaling.targetCPU* and *.Values.worker.autoscaling.targetMemory*, respectively. +- *service.port* and *service.httpsPort* have been regrouped under the *service.ports* map. +- *ingress* map is completely redefined. +- *metrics.service.port* has been regrouped under the *metrics.service.ports* map. +- Support for Network Policies is dropped and it'll be properly added in the future. +- The secret keys *airflow-fernetKey* and *airflow-secretKey* were renamed to *airflow-fernet-key* and *airflow-secret-key*, respectively. + +#### How to upgrade to version 12.0.0 + +To upgrade to *12.0.0* from *11.x*, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is *airflow* and the release namespace *default*): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. 
Obtain the credentials and the names of the PVCs used to hold the data on your current release: + +```console + export AIRFLOW_PASSWORD=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-password}" | base64 --decode) + export AIRFLOW_FERNET_KEY=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-fernetKey}" | base64 --decode) + export AIRFLOW_SECRET_KEY=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-secretKey}" | base64 --decode) + export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default airflow-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) + export REDIS_PASSWORD=$(kubectl get secret --namespace default airflow-redis -o jsonpath="{.data.redis-password}" | base64 --decode) + export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=airflow,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the Airflow worker & PostgreSQL statefulset (notice the option *--cascade=false*) and secrets: + +```console + kubectl delete statefulsets.apps --cascade=false airflow-postgresql + kubectl delete statefulsets.apps --cascade=false airflow-worker + kubectl delete secret postgresql --namespace default + kubectl delete secret airflow --namespace default +``` + +1. 
Upgrade your release using the same PostgreSQL version: + +```console + CURRENT_PG_VERSION=$(kubectl exec airflow-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') + helm upgrade airflow bitnami/airflow \ + --set loadExamples=true \ + --set web.baseUrl=http://127.0.0.1:8080 \ + --set auth.password=$AIRFLOW_PASSWORD \ + --set auth.fernetKey=$AIRFLOW_FERNET_KEY \ + --set auth.secretKey=$AIRFLOW_SECRET_KEY \ + --set postgresql.image.tag=$CURRENT_VERSION \ + --set postgresql.auth.password=$POSTGRESQL_PASSWORD \ + --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC \ + --set redis.password=$REDIS_PASSWORD \ + --set redis.cluster.enabled=true +``` + +1. Delete the existing Airflow worker & PostgreSQL pods and the new statefulset will create a new one: + +```console + kubectl delete pod airflow-postgresql-0 + kubectl delete pod airflow-worker-0 +``` + +### To 11.0.0 + +This major update the Redis® subchart to its newest major, 15.0.0. [Here](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1500) you can find more info about the specific changes. + +### To 10.0.0 + +This major updates the Redis® subchart to it newest major, 14.0.0, which contains breaking changes. For more information on this subchart's major and the steps needed to migrate your data from your previous release, please refer to [Redis® upgrade notes.](https://github.com/bitnami/charts/tree/main/bitnami/redis#to-1400). + +### To 7.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. 
The following changes were introduced in this version: + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the *requirements.yaml* to the *Chart.yaml* +- After running *helm dependency update*, a *Chart.lock* file is generated containing the same structure used in the previous *requirements.lock* +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. +- Several parameters were renamed or disappeared in favor of new ones on this major version: + - The image objects have been moved to its corresponding component object, e.g: *workerImage* now is located at *worker.image*. + - The prefix *airflow* has been removed. Therefore, parameters prefixed with *airflow* are now at root level, e.g. *airflow.loadExamples* now is *loadExamples* or *airflow.worker.resources* now is *worker.resources*. + - Parameters related to the *git* features has completely been refactored: + - They have been regrouped under the *git* map. + - *airflow.cloneDagsFromGit* no longer exists, instead you must use *git.dags* and *git.dags.repositories* has been introduced that will add support for multiple repositories. + - *airflow.clonePluginsFromGit* no longer exists, instead you must use *git.plugins*. *airflow.clonePluginsFromGit.repository*, *airflow.clonePluginsFromGit.branch* and *airflow.clonePluginsFromGit.path* have been removed in favour of *git.dags.repositories*. + - Liveness and readiness probe have been separated by components *airflow.livenessProbe.** and *airflow.readinessProbe* have been removed in favour of *web.livenessProbe*, *worker.livenessProbe*, *web.readinessProbe* and *worker.readinessProbe*. 
+ - *airflow.baseUrl* has been moved to *web.baseUrl*. + - Security context has been migrated to the bitnami standard way so that *securityContext* has been divided into *podSecurityContext* that will define the **fsGroup** for all the containers in the pod and *containerSecurityContext* that will define the user id that will run the main containers. + - *./files/dags/*.py* will not be include in the deployment any more. +- Additionally updates the PostgreSQL & Redis subcharts to their newest major 10.x.x and 11.x.x, respectively, which contain similar changes. + +#### Considerations when upgrading to this version + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. + +#### Useful links + +- [Bitnami Tutorial](https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues) +- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) +- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) + +#### How to upgrade to version 7.0.0 + +To upgrade to *7.0.0* from *6.x*, it should be done reusing the PVC(s) used to hold the data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is *airflow* and the release namespace *default*): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. 
Obtain the credentials and the names of the PVCs used to hold the data on your current release: + +```console + export AIRFLOW_PASSWORD=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-password}" | base64 --decode) + export AIRFLOW_FERNET_KEY=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-fernetKey}" | base64 --decode) + export AIRFLOW_SECRET_KEY=$(kubectl get secret --namespace default airflow -o jsonpath="{.data.airflow-secretKey}" | base64 --decode) + export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default airflow-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) + export REDIS_PASSWORD=$(kubectl get secret --namespace default airflow-redis -o jsonpath="{.data.redis-password}" | base64 --decode) + export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=airflow,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the Airflow worker & PostgreSQL statefulset (notice the option *--cascade=false*): + +```console + kubectl delete statefulsets.apps --cascade=false airflow-postgresql + kubectl delete statefulsets.apps --cascade=false airflow-worker +``` + +1. Upgrade your release: + +> NOTE: Please remember to migrate all the values to its new path following the above notes, e.g: `airflow.loadExamples` -> `loadExamples` or `airflow.baseUrl=http://127.0.0.1:8080` -> `web.baseUrl=http://127.0.0.1:8080`. + +```console + helm upgrade airflow bitnami/airflow \ + --set loadExamples=true \ + --set web.baseUrl=http://127.0.0.1:8080 \ + --set auth.password=$AIRFLOW_PASSWORD \ + --set auth.fernetKey=$AIRFLOW_FERNET_KEY \ + --set auth.secretKey=$AIRFLOW_SECRET_KEY \ + --set postgresql.postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set postgresql.persistence.existingClaim=$POSTGRESQL_PVC \ + --set redis.password=$REDIS_PASSWORD \ + --set redis.cluster.enabled=true +``` + +1. 
Delete the existing Airflow worker & PostgreSQL pods and the new statefulset will create a new one: + +```console + kubectl delete pod airflow-postgresql-0 + kubectl delete pod airflow-worker-0 +``` ## License diff --git a/charts/bitnami/airflow/charts/postgresql/.helmignore b/charts/bitnami/airflow/charts/postgresql/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/airflow/charts/postgresql/.helmignore +++ b/charts/bitnami/airflow/charts/postgresql/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/airflow/charts/postgresql/Chart.yaml b/charts/bitnami/airflow/charts/postgresql/Chart.yaml index 3f995edd0..1fb01b8ca 100644 --- a/charts/bitnami/airflow/charts/postgresql/Chart.yaml +++ b/charts/bitnami/airflow/charts/postgresql/Chart.yaml @@ -2,11 +2,11 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r95 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r5 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r7 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r19 + image: docker.io/bitnami/postgresql:16.1.0-debian-11-r25 licenses: Apache-2.0 apiVersion: v2 appVersion: 16.1.0 @@ -34,4 +34,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.3.0 +version: 13.4.4 diff --git a/charts/bitnami/airflow/charts/postgresql/README.md b/charts/bitnami/airflow/charts/postgresql/README.md index fd5a2bab2..24a4b1fe6 100644 --- a/charts/bitnami/airflow/charts/postgresql/README.md +++ b/charts/bitnami/airflow/charts/postgresql/README.md 
@@ -213,7 +213,7 @@ kubectl delete pvc -l release=my-release | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -221,6 +221,7 @@ kubectl delete pvc -l release=my-release | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `primary.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `primary.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | | `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | | `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | 
@@ -317,7 +318,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -325,6 +326,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `readReplicas.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `readReplicas.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `readReplicas.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | | `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | | `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | 
@@ -397,7 +399,7 @@ kubectl delete pvc -l release=my-release | `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -450,7 +452,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | 
@@ -483,7 +485,7 @@ kubectl delete pvc -l release=my-release | `metrics.customMetrics` | Define additional custom metrics | `{}` | | `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -572,7 +574,39 @@ At the top level, there is a service object which defines the services for both ### Use a different PostgreSQL version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- **ldap.enabled**: Enable LDAP support. Defaults to `false`. +- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. +- **ldap.base**: LDAP base DN. No defaults. +- **ldap.binddn**: LDAP bind DN. No defaults. +- **ldap.bindpw**: LDAP bind password. No defaults. +- **ldap.bslookup**: LDAP base lookup. No defaults. +- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. +- **ldap.scope**: LDAP search scope. No defaults. +- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. + +For example: + +```text +ldap.enabled="true" +ldap.uri="ldap://my_ldap_server" +ldap.base="dc=example\,dc=org" +ldap.binddn="cn=admin\,dc=example\,dc=org" +ldap.bindpw="admin" +ldap.bslookup="ou=group-ok\,dc=example\,dc=org" +ldap.nss_initgroups_ignoreusers="root\,nslcd" +ldap.scope="sub" +ldap.tls_reqcert="demand" +``` + +Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. 
+ +> Note: Parameters including commas must be escaped as shown in the above example. ### postgresql.conf / pg_hba.conf files as configMap @@ -696,7 +730,7 @@ global.postgresql.auth.database=testdb This way, the credentials will be available in all of the subcharts. -## Persistence +### Persistence The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. 
@@ -705,7 +739,20 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. -## NetworkPolicy +### Backup and restore PostgreSQL deployments + +To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. + +These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information. + +### NetworkPolicy To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. 
@@ -720,7 +767,7 @@ With NetworkPolicy enabled, traffic will be limited to just port 5432. For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. This label will be displayed in the output of a successful install. -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image +### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. - The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. 
@@ -748,9 +795,191 @@ This major version changes the default PostgreSQL image from 15.x to 16.x. Follo This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. -### To any previous version +### To 11.0.0 -Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). +In this version the application version was bumped to _14.x_ series. Also, this major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +- _replication.enabled_ parameter is deprecated in favor of _architecture_ parameter that accepts two values: _standalone_ and _replication_. +- _replication.singleService_ and _replication.uniqueServices_ parameters are deprecated. When using replication, each statefulset (primary and read-only) has its own headless service & service allowing to connect to read-only replicas through the service (round-robin) or individually. +- _postgresqlPostgresPassword_, _postgresqlUsername_, _postgresqlPassword_, _postgresqlDatabase_, _replication.user_, _replication.password_, and _existingSecret_ parameters have been regrouped under the _auth_ map. The _auth_ map uses a new perspective to configure authentication, so please read carefully each sub-parameter description. +- _extraEnv_ has been deprecated in favor of _primary.extraEnvVars_ and _readReplicas.extraEnvVars_. +- _postgresqlConfiguration_, _pgHbaConfiguration_, _configurationConfigMap_, _postgresqlExtendedConf_, and _extendedConfConfigMap_ have been deprecated in favor of _primary.configuration_, _primary.pgHbaConfiguration_, _primary.existingConfigmap_, _primary.extendedConfiguration_, and _primary.existingExtendedConfigmap_. 
+- _postgresqlInitdbArgs_, _postgresqlInitdbWalDir_, _initdbScripts_, _initdbScriptsConfigMap_, _initdbScriptsSecret_, _initdbUser_ and _initdbPassword_ have been regrouped under the _primary.initdb_ map. +- _postgresqlMaxConnections_, _postgresqlPostgresConnectionLimit_, _postgresqlDbUserConnectionLimit_, _postgresqlTcpKeepalivesInterval_, _postgresqlTcpKeepalivesIdle_, _postgresqlTcpKeepalivesCount_, _postgresqlStatementTimeout_ and _postgresqlPghbaRemoveFilters_ parameters are deprecated. Use _XXX.extraEnvVars_ instead. +- _primaryAsStandBy_ has been deprecated in favor of _primary.standby_. +- _securityContext_ and _containerSecurityContext_ have been deprecated in favor of _primary.podSecurityContext_, _primary.containerSecurityContext_, _readReplicas.podSecurityContext_, and _readReplicas.containerSecurityContext_. +- _livenessProbe_ and _readinessProbe_ maps have been deprecated in favor of _primary.livenessProbe_, _primary.readinessProbe_, _readReplicas.livenessProbe_ and _readReplicas.readinessProbe_ maps. +- _persistence_ map has been deprecated in favor of _primary.persistence_ and _readReplicas.persistence_ maps. +- _networkPolicy_ map has been completely refactored. +- _service_ map has been deprecated in favor of _primary.service_ and _readReplicas.service_ maps. +- _metrics.service.port_ has been regrouped under the _metrics.service.ports_ map. +- _serviceAccount.enabled_ and _serviceAccount.autoMount_ have been deprecated in favor of _serviceAccount.create_ and _serviceAccount.automountServiceAccountToken_. + +#### How to upgrade to version 11.0.0 + +To upgrade to _11.0.0_ from _10.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of these actions. + +1. 
Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_) and secret: + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +kubectl delete secret postgresql --namespace default +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +CURRENT_VERSION=$(kubectl exec postgresql-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') +helm upgrade postgresql bitnami/postgresql \ + --set auth.postgresPassword=$POSTGRESQL_PASSWORD \ + --set primary.persistence.existingClaim=$POSTGRESQL_PVC \ + --set image.tag=$CURRENT_VERSION +``` + +1. You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +> NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. 
To workaround this issue you need to upgrade database, please refer to the [official PostgreSQL documentation](https://www.postgresql.org/docs/current/upgrading.html) for more information about this. + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") + ... +postgresql 08:10:14.72 INFO ==> ** Starting PostgreSQL ** +2022-02-01 08:10:14.734 GMT [1] FATAL: database files are incompatible with server +2022-02-01 08:10:14.734 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1. +``` + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the _requirements.yaml_ to the _Chart.yaml_ +- After running _helm dependency update_, a _Chart.lock_ file is generated containing the same structure used in the previous _requirements.lock_ +- The different fields present in the _Chart.yaml_ file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. +- The term _master_ has been replaced with _primary_ and _slave_ with _readReplicas_ throughout the chart. Role names have changed from _master_ and _slave_ to _primary_ and _read_. 
+ +#### Considerations when upgrading to this version + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. + +#### Useful links + +- [Bitnami Tutorial](https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues) +- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) +- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) + +#### How to upgrade to version 10.0.0 + +To upgrade to _10.0.0_ from _9.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. 
Delete the existing PostgreSQL pod and the new statefulset will create a new one: + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the [Helm standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). + +- Some inmutable objects were modified to adopt Helm standard labels introducing backward incompatibilities. + +#### How to upgrade to version 9.0.0 + +To upgrade to _9.0.0_ from _8.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. 
Delete the existing PostgreSQL pod and the new statefulset will create a new one:
+
+```console
+kubectl delete pod postgresql-postgresql-0
+```
+
+1. Finally, you should see the lines below in PostgreSQL container logs:
+
+```text
+$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}")
+...
+postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data...
+...
+```
 ## License
diff --git a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml
index cb9374d6b..1f0c96203 100644
--- a/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml
+++ b/charts/bitnami/airflow/charts/postgresql/templates/primary/statefulset.yaml
@@ -49,6 +49,7 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
 {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.primary.automountServiceAccountToken }}
 {{- if .Values.primary.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml
index 826870065..f11ae0a89 100644
--- a/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml
+++ b/charts/bitnami/airflow/charts/postgresql/templates/read/statefulset.yaml
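Review bot: The added `automountServiceAccountToken` line is rendered unconditionally into the pod spec, and a pod-level value takes precedence over the ServiceAccount's own `automountServiceAccountToken`, so with the new default of `false` the token is no longer mounted even for releases that set `serviceAccount.automountServiceAccountToken=true` (a parameter the README in this same commit still documents). That is a sound least-privilege default, but it silently changes behaviour for any sidecar or extra container that relied on the projected token, so the `@param` description in values.yaml should state the precedence, e.g. `## @param primary.automountServiceAccountToken Mount Service Account token in pod (pod-level setting; takes precedence over serviceAccount.automountServiceAccountToken)`, and the chart README should list it as a behaviour change. The read-replica statefulset hunk on the next line has the same point for `readReplicas.automountServiceAccountToken`. The enclosing pod spec starts before and ends after this hunk.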
@@ -47,6 +47,7 @@ spec:
 {{- end }}
 serviceAccountName: {{ include "postgresql.v1.serviceAccountName" . }}
 {{- include "postgresql.v1.imagePullSecrets" . | nindent 6 }}
+ automountServiceAccountToken: {{ .Values.readReplicas.automountServiceAccountToken }}
 {{- if .Values.readReplicas.hostAliases }}
 hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }}
 {{- end }}
diff --git a/charts/bitnami/airflow/charts/postgresql/values.yaml b/charts/bitnami/airflow/charts/postgresql/values.yaml
index 307cc9574..2a353ff63 100644
--- a/charts/bitnami/airflow/charts/postgresql/values.yaml
+++ b/charts/bitnami/airflow/charts/postgresql/values.yaml
@@ -98,7 +98,7 @@ diagnosticMode:
 image:
 registry: docker.io
 repository: bitnami/postgresql
- tag: 16.1.0-debian-11-r19
+ tag: 16.1.0-debian-11-r25
 digest: ""
 ## Specify a imagePullPolicy
 ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
@@ -465,7 +465,7 @@ primary:
 ## Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context
- ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container
+ ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged
@@ -476,7 +476,7 @@ primary:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: {}
+ seLinuxOptions: null
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -486,6 +486,9 @@ primary:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
+ ## @param primary.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
 ## @param primary.hostAliases PostgreSQL primary pods host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -837,7 +840,7 @@ readReplicas:
 ## Container Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context
- ## @param readReplicas.containerSecurityContext.seLinuxOptions Set SELinux options in container
+ ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged
@@ -848,7 +851,7 @@ readReplicas:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: {}
+ seLinuxOptions: null
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
@@ -858,6 +861,9 @@ readReplicas:
 drop: ["ALL"]
 seccompProfile:
 type: "RuntimeDefault"
+ ## @param readReplicas.automountServiceAccountToken Mount Service Account token in pod
+ ##
+ automountServiceAccountToken: false
 ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
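Review bot: The new `primary.automountServiceAccountToken` block documents only the knob and not the trade-off, although it changes the Kubernetes default and a pod-level value also overrides whatever is set on the ServiceAccount itself. A one-line reason in the `##` comment saves operators a debugging round when a sidecar or extension later expects an in-cluster token: `## Set to true only if the PostgreSQL pods need to call the Kubernetes API; the pod-level field takes precedence over the ServiceAccount's own setting.` The same note applies to the `readReplicas.automountServiceAccountToken` hunk on this line.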
@@ -1133,7 +1139,7 @@ backup: ## backup container's Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context - ## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged @@ -1143,7 +1149,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1324,7 +1330,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r95 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1346,14 +1352,14 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 runAsGroup: 0 runAsNonRoot: false @@ -1427,7 +1433,7 @@ metrics: image: registry: docker.io repository: bitnami/postgres-exporter - tag: 0.15.0-debian-11-r5 + tag: 0.15.0-debian-11-r7 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1469,7 +1475,7 @@ metrics: ## PostgreSQL Prometheus exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged @@ -1480,7 +1486,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false diff --git a/charts/bitnami/airflow/charts/redis/.helmignore b/charts/bitnami/airflow/charts/redis/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/airflow/charts/redis/.helmignore +++ b/charts/bitnami/airflow/charts/redis/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/airflow/charts/redis/Chart.yaml b/charts/bitnami/airflow/charts/redis/Chart.yaml index f9e180e84..eaff8591d 100644 --- a/charts/bitnami/airflow/charts/redis/Chart.yaml +++ b/charts/bitnami/airflow/charts/redis/Chart.yaml 
@@ -2,13 +2,13 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r96 - name: redis-exporter - image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r0 + image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2 - name: redis-sentinel - image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r0 + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6 - name: redis - image: docker.io/bitnami/redis:7.2.4-debian-11-r0 + image: docker.io/bitnami/redis:7.2.4-debian-11-r5 licenses: Apache-2.0 apiVersion: v2 appVersion: 7.2.4 @@ -33,4 +33,4 @@ maintainers: name: redis sources: - https://github.com/bitnami/charts/tree/main/bitnami/redis -version: 18.7.0 +version: 18.12.1 diff --git a/charts/bitnami/airflow/charts/redis/README.md b/charts/bitnami/airflow/charts/redis/README.md index 1fa7bd41c..6eb2bf85c 100644 --- a/charts/bitnami/airflow/charts/redis/README.md +++ b/charts/bitnami/airflow/charts/redis/README.md @@ -168,7 +168,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` | | `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` | -| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` | | `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` | | `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` | 
@@ -180,6 +180,7 @@ The command removes all the Kubernetes components associated with the chart and | `master.updateStrategy.type` | Redis® master statefulset strategy type | `RollingUpdate` | | `master.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | | `master.priorityClassName` | Redis® master pods' priorityClassName | `""` | +| `master.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `master.hostAliases` | Redis® master pods host aliases | `[]` | | `master.podLabels` | Extra labels for Redis® master pods | `{}` | | `master.podAnnotations` | Annotations for Redis® master pods | `{}` | @@ -286,7 +287,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` | | `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` | -| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` | | `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` | | `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` | 
@@ -298,6 +299,7 @@ The command removes all the Kubernetes components associated with the chart and | `replica.minReadySeconds` | How many seconds a pod needs to be ready before killing the next, during update | `0` | | `replica.priorityClassName` | Redis® replicas pods' priorityClassName | `""` | | `replica.podManagementPolicy` | podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods | `""` | +| `replica.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `replica.hostAliases` | Redis® replicas pods host aliases | `[]` | | `replica.podLabels` | Extra labels for Redis® replicas pods | `{}` | | `replica.podAnnotations` | Annotations for Redis® replicas pods | `{}` | @@ -428,7 +430,7 @@ The command removes all the Kubernetes components associated with the chart and | `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` | | `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` | | `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` | -| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` | | `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` | | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` | 
@@ -460,8 +462,9 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Value | | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` | -| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | | `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | | `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | | `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` | | `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | 
@@ -492,88 +495,92 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | -| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | -| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `metrics.livenessProbe.successThreshold` | 
Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | -| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | -| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | -| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | 
`false` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | -| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | -| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | -| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | -| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | -| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | -| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | -| `metrics.service.port` | Redis® exporter service port | `9121` | -| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | -| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | -| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | -| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | -| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` 
| -| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | -| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | -| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | -| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | -| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | +| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.customStartupProbe` | Custom startupProbe that 
overrides the default one | `{}` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | +| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | +| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | +| 
`metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.ports.http` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | +| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | ### Init Container Parameters 
@@ -587,7 +594,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | | `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | | `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | | `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | | `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | @@ -642,7 +649,7 @@ Bitnami will release a new chart updating its containers if a new version of the ### Use a different Redis® version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/redis/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. ### Bootstrapping with an External Cluster 
@@ -744,13 +751,27 @@ It's recommended to only change `master.count` if you know what you are doing. ### Using a password file -To use a password file for Redis® you need to create a secret containing the password and then deploy the chart using that secret. +To use a password file for Redis® you need to create a secret containing the password and then deploy the chart using that secret. Follow these instructions: -Refer to the chart documentation for more information on [using a password file for Redis®](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/use-password-file/). +- Create the secret with the password. It is important that the file with the password must be called `redis-password`. + +```console +kubectl create secret generic redis-password-secret --from-file=redis-password.yaml +``` + +- Deploy the Helm Chart using the secret name as parameter: + +```text +usePassword=true +usePasswordFile=true +existingSecret=redis-password-secret +sentinels.enabled=true +metrics.enabled=true +``` ### Securing traffic using TLS -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the cluster: - `tls.enabled`: Enable TLS support. Defaults to `false` - `tls.existingSecret`: Name of the secret that contains the certificates. No defaults. 
@@ -758,7 +779,23 @@ TLS support can be enabled in the chart by specifying the `tls.` parameters whil - `tls.certKeyFilename`: Certificate key filename. No defaults. - `tls.certCAFilename`: CA Certificate filename. No defaults. -Refer to the chart documentation for more information on [creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/). +For example: + +First, create the secret with the certificates files: + +```console +kubectl create secret generic certificates-tls-secret --from-file=./cert.pem --from-file=./cert.key --from-file=./ca.pem +``` + +Then, use the following parameters: + +```console +tls.enabled="true" +tls.existingSecret="certificates-tls-secret" +tls.certFilename="cert.pem" +tls.certKeyFilename="cert.key" +tls.certCAFilename="ca.pem" +``` ### Metrics 
@@ -774,11 +811,65 @@ tls-client-cert-file tls-ca-cert-file ``` +### Deploy a custom metrics script in the sidecar + +A custom Lua script can be added to the `redis-exporter` sidecar by way of the `metrics.extraArgs.script` parameter. The pathname of the script must exist on the container, or the `redis_exporter` process (and therefore the whole pod) will refuse to start. The script can be provided to the sidecar containers via the `metrics.extraVolumes` and `metrics.extraVolumeMounts` parameters: + +```yaml +metrics: + extraVolumeMounts: + - name: '{{ printf "%s-metrics-script-file" (include "common.names.fullname" .) }}' + mountPath: '{{ printf "/mnt/%s/" (include "common.names.name" .) }}' + readOnly: true + extraVolumes: + - name: '{{ printf "%s-metrics-script-file" (include "common.names.fullname" .) }}' + configMap: + name: '{{ printf "%s-metrics-script" (include "common.names.fullname" .) }}' + extraArgs: + script: '{{ printf "/mnt/%s/my_custom_metrics.lua" (include "common.names.name" .) }}' +``` + +Then deploy the script into the correct location via `extraDeploy`: + +```yaml +extraDeploy: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: '{{ printf "%s-metrics-script" (include "common.names.fullname" .) }}' + data: + my_custom_metrics.lua: | + -- LUA SCRIPT CODE HERE, e.g., + return {'bitnami_makes_the_best_charts', '1'} +``` + ### Host Kernel Settings -Redis® may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. +Redis® may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. 
To do so, you can set up a privileged `initContainer` with the `sysctlImage` config values, for example: -Refer to the chart documentation for more information on [configuring host kernel settings with an example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/configure-kernel-settings/). +```yaml +sysctlImage: + enabled: true + mountHostSys: true + command: + - /bin/sh + - -c + - |- + install_packages procps + sysctl -w net.core.somaxconn=10000 + echo never > /host-sys/kernel/mm/transparent_hugepage/enabled +``` + +Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example: + +```yaml +securityContext: + sysctls: + - name: net.core.somaxconn + value: "10000" +``` + +Note that this will not disable transparent huge tables. ## Persistence 
@@ -798,13 +889,115 @@ helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://RE ## Backup and restore -Refer to the chart documentation for more information on [backing up and restoring Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/backup-restore/). +To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: + +### Step 1: Backup the deployment + +- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: + + ```text + $ kubectl exec -it my-release-master-0 bash + $ redis-cli + 127.0.0.1:6379> auth your_current_redis_password + OK + 127.0.0.1:6379> save + OK + ``` + +- Copy the dump file from the Redis node: + + ```console + kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis + ``` + +### Step 2: Restore the data on the destination cluster + +To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. + +Follow the following steps: + +- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. You can skip this step if it is already configured as *no* + + ```yaml + commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly no + # Disable RDB persistence, AOF persistence already enabled. + save "" + ``` + + > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. This change will only be neccessary for the temporal cluster you're creating to upload the dump.* + +- Start the new cluster to create the PVCs. Use the command below as an example: + + ```console + helm install new-redis -f values.yaml . 
--set cluster.enabled=true --set cluster.slaveCount=3 + ``` + +- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod. + + ```text + $ helm delete new-redis + + $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "redisvolpod" + }, + "spec": { + "containers": [{ + "command": [ + "tail", + "-f", + "/dev/null" + ], + "image": "bitnami/minideb", + "name": "mycontainer", + "volumeMounts": [{ + "mountPath": "/mnt", + "name": "redisdata" + }] + }], + "restartPolicy": "Never", + "volumes": [{ + "name": "redisdata", + "persistentVolumeClaim": { + "claimName": "redis-data-new-redis-master-0" + } + }] + } + }' --image="bitnami/minideb" + + $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb + $ kubectl delete pod volpod + ``` + +- Restart the cluster: + + > **INFO:** The *appendonly* parameter can be safely restored to your desired value. + + ```console + helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 + ``` ## NetworkPolicy To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. -Refer to the chart documenation for more information on [enabling the network policy in Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-network-policy/). +With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install. + +With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. 
For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: + +```yaml +networkPolicy: + enabled: true + ingressNSMatchLabels: + redis: external + ingressNSPodMatchLabels: + redis-client: true +``` ### Setting Pod's affinity diff --git a/charts/bitnami/airflow/charts/redis/img/redis-cluster-topology.png b/charts/bitnami/airflow/charts/redis/img/redis-cluster-topology.png deleted file mode 100644 index f0a02a9f8..000000000 Binary files a/charts/bitnami/airflow/charts/redis/img/redis-cluster-topology.png and /dev/null differ diff --git a/charts/bitnami/airflow/charts/redis/img/redis-topology.png b/charts/bitnami/airflow/charts/redis/img/redis-topology.png deleted file mode 100644 index 3f5280feb..000000000 Binary files a/charts/bitnami/airflow/charts/redis/img/redis-topology.png and /dev/null differ diff --git a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml index 2da5bd5fc..b074aaae2 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/application.yaml @@ -65,7 +65,7 @@ spec: securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.masterServiceAccountName" . }} - automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }} {{- if .Values.master.priorityClassName }} priorityClassName: {{ .Values.master.priorityClassName | quote }} {{- end }} @@ -284,6 +284,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default 
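Review bot: In master/application.yaml the pod spec now reads `.Values.master.automountServiceAccountToken`, while the ServiceAccount rendered in master/serviceaccount.yaml still carries `.Values.master.serviceAccount.automountServiceAccountToken`; in Kubernetes the pod-level field overrides the ServiceAccount's, so the older knob no longer decides whether the Redis master pod receives a token. With the new pod-level default of `false` (set in values.yaml) this is the right least-privilege direction, but an operator who had set `master.serviceAccount.automountServiceAccountToken: true` to obtain a token will silently lose it on upgrade. Suggest a template comment above the changed line, `# pod-level setting; takes precedence over master.serviceAccount.automountServiceAccountToken on the ServiceAccount`, plus an upgrade note in the chart's documentation.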
@@ -312,7 +314,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml index 4ba3052fe..d442051de 100644 --- a/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/master/serviceaccount.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.master.serviceAccount.create }} +{{- if and .Values.master.serviceAccount.create (or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled)) }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml b/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml index 5e24b6d35..84334318f 100644 --- a/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/metrics-svc.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.metrics.enabled }} +{{- if and .Values.metrics.enabled .Values.metrics.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -34,7 +34,7 @@ spec: {{- end }} ports: - name: http-metrics - port: {{ .Values.metrics.service.port }} + port: {{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }} protocol: TCP targetPort: metrics {{- if .Values.metrics.service.extraPorts }} 
diff --git a/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml b/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml index 84f5ada5d..3a274cdb9 100644 --- a/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/networkpolicy.yaml @@ -18,8 +18,11 @@ spec: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} policyTypes: - Ingress - {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }} - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: {{- if eq .Values.architecture "replication" }} # Allow dns resolution @@ -76,7 +79,7 @@ spec: {{- if .Values.metrics.enabled }} # Allow prometheus scrapes for metrics - ports: - - port: 9121 + - port: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.networkPolicy.metrics.allowExternal }} from: {{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }} diff --git a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml index 55bcd51ad..1d0d0c967 100644 --- a/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/podmonitor.yaml @@ -18,7 +18,7 @@ metadata: {{- end }} spec: podMetricsEndpoints: - - port: http-metrics + - port: metrics {{- if .Values.metrics.podMonitor.interval }} interval: {{ .Values.metrics.podMonitor.interval }} {{- end }} 
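Review bot: `- Egress` is now listed unconditionally in `policyTypes`, but in the `else` branch the DNS egress rule sits behind `{{- if eq .Values.architecture "replication" }}`, so a standalone deployment with `networkPolicy.allowExternalEgress: false` may render an `Egress` policy type with no matching rules — which Kubernetes treats as deny-all egress, DNS included. The rest of the `else` branch lies outside the hunk, so this needs confirming against the full template; if no architecture-independent DNS rule exists there, either add one outside the replication guard or restore the old `{{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }}` guard around `- Egress`. The allow-all branch also deserves a comment, e.g. `# allowExternalEgress: an empty rule permits all egress, equivalent to no egress restriction`.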
@@ -34,6 +34,24 @@ spec: {{- if .Values.metrics.podMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} {{- end }} + {{- range .Values.metrics.podMonitor.additionalEndpoints }} + - port: {{ .port }} + {{- if .interval }} + interval: {{ .interval }} + {{- end }} + {{- if .path }} + path: {{ .path }} + {{- end }} + {{- if .params }} + params: + {{- range $key, $value := .params }} + {{ $key }}: + {{- range $value }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.metrics.serviceMonitor.podTargetLabels }} podTargetLabels: {{- toYaml .Values.metrics.podMonitor.podTargetLabels | nindent 4 }} {{- end }} @@ -48,5 +66,4 @@ spec: - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: metrics {{- end }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml index 67d83c8ba..dde2726a3 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/application.yaml @@ -63,7 +63,7 @@ spec: securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} serviceAccountName: {{ template "redis.replicaServiceAccountName" . }} - automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }} {{- if .Values.replica.priorityClassName }} priorityClassName: {{ .Values.replica.priorityClassName | quote }} {{- end }} 
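Review bot: The `podTargetLabels` guard at the end of this hunk tests `.Values.metrics.serviceMonitor.podTargetLabels` but renders `.Values.metrics.podMonitor.podTargetLabels`, so PodMonitor target labels only appear when the ServiceMonitor ones happen to be set; the commit edits the surrounding lines without fixing this. Change the guard to `{{- if .Values.metrics.podMonitor.podTargetLabels }}`. Separately, in the new `additionalEndpoints` loop `port`, `interval` and `path` are emitted unquoted while `params` values get `| quote`; since the PodMonitor CRD expects these as strings, `port: {{ .port | quote }}` (and the same for `path`) prevents a numeric port in values from failing CRD validation.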
@@ -302,6 +302,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default @@ -330,7 +332,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml index ec5d66641..d7f47f43d 100644 --- a/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/replicas/serviceaccount.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.replica.serviceAccount.create }} +{{- if and .Values.replica.serviceAccount.create (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml index 5b28f8c4e..8557aee6f 100644 --- a/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/sentinel/statefulset.yaml 
@@ -54,13 +54,13 @@ spec: {{- end }} spec: {{- include "redis.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }} {{- if .Values.replica.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }} {{- end }} {{- if .Values.replica.podSecurityContext.enabled }} securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }} {{- end }} - automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} serviceAccountName: {{ template "redis.serviceAccountName" . }} {{- if .Values.replica.priorityClassName }} priorityClassName: {{ .Values.replica.priorityClassName | quote }} @@ -503,6 +503,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default @@ -531,7 +533,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml b/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml index 95432dd37..ac343a8fb 100644 --- a/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/serviceaccount.yaml 
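Review bot: The sentinel pod keeps `serviceAccountName: {{ template "redis.serviceAccountName" . }}` (the shared ServiceAccount) but its `automountServiceAccountToken` now comes from `.Values.replica.automountServiceAccountToken` instead of `.Values.serviceAccount.automountServiceAccountToken`; because the pod-level field overrides the ServiceAccount's, setting `serviceAccount.automountServiceAccountToken: true` no longer produces a token in sentinel pods. Defaulting to no token is the safer posture, but tying the sentinel StatefulSet to a `replica.*` value is not obvious to a reader of this file. Suggest `# sentinel pods reuse replica.automountServiceAccountToken; the pod-level value overrides the shared ServiceAccount's setting` above the moved line.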
@@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.serviceAccount.create (and (not .Values.master.serviceAccount.create) (not .Values.replica.serviceAccount.create)) }} +{{- if and .Values.serviceAccount.create .Values.sentinel.enabled }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml index 8641ea12a..757c87001 100644 --- a/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml +++ b/charts/bitnami/airflow/charts/redis/templates/servicemonitor.yaml @@ -34,13 +34,31 @@ spec: {{- if .Values.metrics.serviceMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} {{- end }} + {{- range .Values.metrics.serviceMonitor.additionalEndpoints }} + - port: {{ .port }} + {{- if .interval }} + interval: {{ .interval }} + {{- end }} + {{- if .path }} + path: {{ .path }} + {{- end }} + {{- if .params }} + params: + {{- range $key, $value := .params }} + {{ $key }}: + {{- range $value }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.metrics.serviceMonitor.podTargetLabels }} podTargetLabels: {{- toYaml .Values.metrics.serviceMonitor.podTargetLabels | nindent 4 }} {{- end }} - {{ with .Values.metrics.serviceMonitor.sampleLimit }} + {{- with .Values.metrics.serviceMonitor.sampleLimit }} sampleLimit: {{ . }} {{- end }} - {{ with .Values.metrics.serviceMonitor.targetLimit }} + {{- with .Values.metrics.serviceMonitor.targetLimit }} targetLimit: {{ . }} {{- end }} namespaceSelector: diff --git a/charts/bitnami/airflow/charts/redis/values.yaml b/charts/bitnami/airflow/charts/redis/values.yaml index ffb71df73..cb2ded98f 100644 --- a/charts/bitnami/airflow/charts/redis/values.yaml 
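Review bot: In the servicemonitor.yaml hunk the new `additionalEndpoints` loop renders `port: {{ .port }}`, `interval: {{ .interval }}` and `path: {{ .path }}` unquoted while quoting `params` values, so a user who writes `port: 9121` in values produces an integer where the ServiceMonitor CRD expects a string and the resource is rejected on apply. Use `port: {{ .port | quote }}` and `path: {{ .path | quote }}` to match the quoting already applied to `params`. The `{{ $key }}:` map key in `params` is likewise unquoted and would benefit from `{{ $key | quote }}:` for keys that are not plain identifiers.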
+++ b/charts/bitnami/airflow/charts/redis/values.yaml @@ -94,7 +94,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.4-debian-11-r0 + tag: 7.2.4-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -290,7 +290,7 @@ master: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context - ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot @@ -300,7 +300,7 @@ master: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -333,6 +333,9 @@ master: ## @param master.priorityClassName Redis® master pods' priorityClassName ## priorityClassName: "" + ## @param master.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param master.hostAliases Redis® master pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -749,7 +752,7 @@ replica: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context - ## @param replica.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param replica.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot @@ -759,7 +762,7 @@ replica: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -792,6 +795,9 @@ replica: ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies ## podManagementPolicy: "" + ## @param replica.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param replica.hostAliases Redis® replicas pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1087,7 +1093,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.4-debian-11-r0 + tag: 7.2.4-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1291,7 +1297,7 @@ sentinel: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context - ## @param sentinel.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param sentinel.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot @@ -1301,7 +1307,7 @@ sentinel: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -1406,13 +1412,16 @@ serviceBindings: networkPolicy: ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param networkPolicy.allowExternal Don't require client label for connections ## When set to false, only pods with the correct client label will have network access to the ports ## Redis® is listening on. When true, Redis® will accept connections from any source ## (with the correct destination port). ## allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -1463,7 +1472,7 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - + ## PodSecurityPolicy configuration ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ ## 
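Review bot: `networkPolicy.enabled` flips to `true` by default, but together with `allowExternal: true` and the new `allowExternalEgress: true` the rendered policy permits ingress from any source on the Redis ports and all egress, so the default is effectively permissive and the one-line `@param` for `allowExternalEgress` does not tell readers that. Expand the comment to `## When true an empty egress rule is rendered and no egress restriction applies; set to false to limit egress to the rules the chart generates (DNS, replica/sentinel traffic)`. A sentence on `networkPolicy.enabled` noting that both `allowExternal*` flags must be `false` before the policy actually restricts anything would help operators who enable it expecting isolation.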
@@ -1572,7 +1581,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.56.0-debian-11-r0 + tag: 1.57.0-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1583,6 +1592,11 @@ metrics: ## - myRegistryKeySecretName ## pullSecrets: [] + + ## @param metrics.containerPorts.http Metrics HTTP container port + ## + containerPorts: + http: 9121 ## Configure extra options for Redis® containers' liveness, readiness & startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ ## @param metrics.startupProbe.enabled Enable startupProbe on Redis® replicas nodes @@ -1659,7 +1673,7 @@ metrics: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot @@ -1669,7 +1683,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
@@ -1706,12 +1720,16 @@ metrics: ## Redis® exporter service parameters ## service: + ## @param metrics.service.enabled Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor + ## + enabled: true ## @param metrics.service.type Redis® exporter service type ## type: ClusterIP - ## @param metrics.service.port Redis® exporter service port + ## @param metrics.service.ports.http Redis® exporter service port ## - port: 9121 + ports: + http: 9121 ## @param metrics.service.externalTrafficPolicy Redis® exporter service external traffic policy ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## @@ -1778,6 +1796,16 @@ metrics: ## @param metrics.serviceMonitor.targetLimit Limit of how many targets should be scraped ## targetLimit: false + ## @param metrics.serviceMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) + ## + additionalEndpoints: [] + # uncomment in order to scrape sentinel metrics + # - port: http-metrics + # interval: 30s + # path: /scrape + # params: + # target: + # - localhost:26379 ## Prometheus Pod Monitor ## ref: https://github.com/coreos/prometheus-operator ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor @@ -1816,6 +1844,16 @@ metrics: ## @param metrics.podMonitor.targetLimit Limit of how many targets should be scraped ## targetLimit: false + ## @param metrics.podMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) + ## + additionalEndpoints: [] + # uncomment in order to scrape sentinel metrics + # - port: metrics + # interval: 30s + # path: /scrape + # params: + # target: + # - localhost:26379 ## Custom PrometheusRule to be defined ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions 
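Review bot: The commented `additionalEndpoints` examples point Prometheus at `/scrape` with `params.target: localhost:26379`, which appears to rely on redis_exporter's multi-target mode where the HTTP caller chooses the address the exporter connects to. If the metrics port is reachable from anything other than Prometheus, that endpoint becomes a pivot for probing arbitrary host:port pairs from inside the pod's network context, so the example should carry a caveat and point at the existing `networkPolicy.metrics.allowExternal` control (the networkpolicy.yaml template already honours it). Suggest adding beneath each example: `# NOTE: /scrape?target= lets the caller pick the address the exporter connects to; keep the metrics port restricted to your Prometheus pods`.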
@@ -1890,7 +1928,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1911,14 +1949,14 @@ volumePermissions: requests: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## init-sysctl container parameters @@ -1940,7 +1978,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/airflow/files/dags/README.md b/charts/bitnami/airflow/files/dags/README.md index efb807bdc..d5808982b 100644 --- a/charts/bitnami/airflow/files/dags/README.md +++ b/charts/bitnami/airflow/files/dags/README.md @@ -1 +1,3 @@ +# How to use this folder + You can copy here your DAGs files so they are mounted at "/opt/bitnami/airflow/dags" inside the docker image. diff --git a/charts/bitnami/airflow/templates/metrics/networkpolicy.yaml b/charts/bitnami/airflow/templates/metrics/networkpolicy.yaml new file mode 100644 index 000000000..422e6d8db 
--- /dev/null +++ b/charts/bitnami/airflow/templates/metrics/networkpolicy.yaml 
@@ -0,0 +1,70 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.metrics.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-exporter" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: metrics + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ include "airflow.database.port" . | replace "\"" "" }} + - port: {{ .Values.metrics.service.ports.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.metrics.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.metrics.service.ports.http }} + - port: {{ include "airflow.database.port" . 
| replace "\"" "" }} + - port: {{ .Values.metrics.containerPorts.http }} + {{- if not .Values.metrics.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ printf "%s-exporter" (include "common.names.fullname" .) }}-client: "true" + {{- if .Values.metrics.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.metrics.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.metrics.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.metrics.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.metrics.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/airflow/templates/scheduler/networkpolicy.yaml b/charts/bitnami/airflow/templates/scheduler/networkpolicy.yaml new file mode 100644 index 000000000..98edfd7f5 --- /dev/null +++ b/charts/bitnami/airflow/templates/scheduler/networkpolicy.yaml 
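Review bot: The ingress rule on the exporter pod admits `{{ include "airflow.database.port" . | replace "\"" "" }}` alongside the two HTTP ports, but nothing in the metrics pod listens on the database port, so that entry only widens what the policy allows; I would keep just `- port: {{ .Values.metrics.service.ports.http }}` and `- port: {{ .Values.metrics.containerPorts.http }}` under `ingress`. The egress rule for the database port is scoped with `to: podSelector` matching this chart's own `common.labels.matchLabels`; if the metadata database is the PostgreSQL subchart or an external host, its pods will not carry this chart's `app.kubernetes.io/name` label and, with `enabled: true` as the default, the exporter's DB egress is denied — worth confirming against the subchart's labels before shipping this on by default. Since `allowExternal` defaults to true, the `from` clause is omitted and the ingress rule admits any peer on those ports; a one-line template comment such as `# allowExternal=true: no "from" restriction, any in-cluster peer may scrape` would make that explicit to readers of the rendered policy.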
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.scheduler.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-scheduler" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: scheduler + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.scheduler.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: scheduler + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.service.ports.http }} + - port: {{ .Values.worker.containerPorts.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.scheduler.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.scheduler.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.service.ports.http }} + - port: {{ .Values.worker.containerPorts.http }} + {{- if not .Values.scheduler.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ printf "%s-scheduler" (include "common.names.fullname" .) 
}}-client: "true" + {{- if .Values.scheduler.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.scheduler.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.scheduler.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.scheduler.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.scheduler.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.scheduler.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/airflow/templates/web/networkpolicy.yaml b/charts/bitnami/airflow/templates/web/networkpolicy.yaml new file mode 100644 index 000000000..0023549a4 --- /dev/null +++ b/charts/bitnami/airflow/templates/web/networkpolicy.yaml 
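Review bot: The egress section only permits DNS plus `.Values.service.ports.http` and `.Values.worker.containerPorts.http` to pods carrying this chart's labels, so with `scheduler.networkPolicy.enabled: true` as the default the scheduler has no allowed path to the metadata database or the Celery broker (neither their ports nor their pod labels appear here, and a subchart or external database would not match `common.labels.matchLabels` for this chart). The Cassandra README touched in this same change documents a `networkPolicy.allowExternalEgress` switch defaulting to true for exactly this case; I would add the same knob under `scheduler.networkPolicy` and gate the restrictive rules on it, so the default policy does not break the deployment while still letting operators lock egress down. The rewritten egress block would look like the excerpt below; the values.yaml entry `allowExternalEgress: true` with a short comment belongs in the companion values hunk.

```yaml
  egress:
    {{- if .Values.scheduler.networkPolicy.allowExternalEgress }}
    - {}
    {{- else }}
    # … unchanged: DNS rule, in-chart pod rule, extraEgress …
    {{- end }}
```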
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.web.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-web" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: web + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.web.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: web + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.web.containerPorts.http }} + - port: {{ .Values.service.ports.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.web.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.web.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.web.containerPorts.http }} + - port: {{ .Values.service.ports.http }} + {{- if not .Values.web.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ printf "%s-web" (include "common.names.fullname" .) 
}}-client: "true" + {{- if .Values.web.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.web.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.web.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.web.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.web.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.web.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/airflow/templates/worker/networkpolicy.yaml b/charts/bitnami/airflow/templates/worker/networkpolicy.yaml new file mode 100644 index 000000000..374ad47cd --- /dev/null +++ b/charts/bitnami/airflow/templates/worker/networkpolicy.yaml 
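Review bot: The web pod's egress ports are `web.containerPorts.http` and `service.ports.http`, which are the web component's own ports; the worker log-serving port (`worker.containerPorts.http`), which the scheduler policy in this same change does allow, is missing here even though it is the web component that reads task logs from workers in a Celery deployment, if I read the Airflow setup correctly. I would add `- port: {{ .Values.worker.containerPorts.http }}` to the egress `ports` list and verify the metadata database is reachable as well, since its port and pod labels are absent from this rule too. As with the other policies, a sibling `allowExternalEgress` default would avoid shipping a policy that blocks the database with `enabled: true`.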
@@ -0,0 +1,69 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.worker.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-worker" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: worker + policyTypes: + - Ingress + - Egress + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other cluster pods + - ports: + - port: {{ .Values.service.ports.http }} + - port: {{ .Values.worker.containerPorts.http }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.worker.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.service.ports.http }} + - port: {{ .Values.worker.containerPorts.http }} + {{- if not .Values.worker.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ printf "%s-worker" (include "common.names.fullname" .) 
}}-client: "true" + {{- if .Values.worker.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.worker.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/airflow/values.yaml b/charts/bitnami/airflow/values.yaml index 43e6da4a4..bc725e538 100644 --- a/charts/bitnami/airflow/values.yaml +++ b/charts/bitnami/airflow/values.yaml @@ -121,7 +121,7 @@ dags: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -188,7 +188,7 @@ web: image: registry: docker.io repository: bitnami/airflow - tag: 2.8.0-debian-11-r2 + tag: 2.8.1-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
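Review bot: The worker egress rule allows only DNS and the two HTTP ports to pods with this chart's labels, but a Celery worker must reach the broker and the metadata database, neither of which is listed and neither of which would be matched by `common.labels.matchLabels` for this chart when they come from a subchart or an external endpoint; with `worker.networkPolicy.enabled: true` as the default this looks like it denies the worker its backend traffic. On the ingress side, when `allowExternal` is set to false only pods labelled `<fullname>-worker-client: "true"` may reach the worker; the web pod template is not in this change, so whether the chart itself applies that label to the web pods (which read worker logs) should be confirmed and otherwise documented next to `allowExternal`. A `{{- if not .Values.worker.networkPolicy.allowExternalEgress }}` guard around the restrictive egress rules, mirroring the Cassandra chart's `allowExternalEgress`, would be the minimal fix.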
@@ -315,7 +315,7 @@ web: ## Configure Airflow web containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param web.containerSecurityContext.enabled Enabled Airflow web containers' Security Context - ## @param web.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param web.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param web.containerSecurityContext.runAsUser Set Airflow web containers' Security Context runAsUser ## @param web.containerSecurityContext.runAsNonRoot Set Airflow web containers' Security Context runAsNonRoot ## @param web.containerSecurityContext.privileged Set web container's Security Context privileged @@ -325,7 +325,7 @@ web: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -451,6 +451,59 @@ web: minAvailable: 1 maxUnavailable: "" + ## Web Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param web.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param web.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Web is listening + ## on. When true, Web will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param web.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param web.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param web.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param web.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Airflow scheduler parameters scheduler: 
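Review bot: The `web.networkPolicy.extraEgress` description says "Add extra ingress rules to the NetworkPolicy" while the key is egress, and the `extraIngress` line spells it "NetworkPolice"; both are rendered into the README by the param annotations, so I would change them to `## @param web.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy` and `## @param web.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy`. The examples under both keys also show `- podSelector:` followed by `- matchLabels:` and `- role: frontend` as list items, but `podSelector` and `matchLabels` are maps in a NetworkPolicyPeer; copying the example as written yields an invalid selector, so the sample should read `podSelector: matchLabels: role: frontend` nested as maps. Finally, since `enabled: true` and `allowExternal: true` are both defaults, the shipped policy admits ingress from any source; the comment on `allowExternal` might add one sentence noting that ingress is only restricted when it is set to false.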
@@ -467,7 +520,7 @@ scheduler: image: registry: docker.io repository: bitnami/airflow-scheduler - tag: 2.8.0-debian-11-r1 + tag: 2.8.1-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -570,7 +623,7 @@ scheduler: ## Configure Airflow scheduler containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param scheduler.containerSecurityContext.enabled Enabled Airflow scheduler containers' Security Context - ## @param scheduler.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param scheduler.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param scheduler.containerSecurityContext.runAsUser Set Airflow scheduler containers' Security Context runAsUser ## @param scheduler.containerSecurityContext.runAsNonRoot Set Airflow scheduler containers' Security Context runAsNonRoot ## @param scheduler.containerSecurityContext.privileged Set scheduler container's Security Context privileged @@ -580,7 +633,7 @@ scheduler: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -706,6 +759,59 @@ scheduler: minAvailable: 1 maxUnavailable: "" + ## Scheduler Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param scheduler.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param scheduler.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Scheduler is listening + ## on. When true, Scheduler will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param scheduler.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param scheduler.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param scheduler.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param scheduler.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Airflow worker parameters worker: 
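Review bot: The comment on `scheduler.networkPolicy.allowExternal` describes the ingress model but says nothing about egress, and the scheduler template in this same change restricts egress to DNS and two chart-internal ports whenever `enabled: true` — which is now the default — without any switch to relax it, so a reader of values.yaml has no hint that enabling the policy also cuts the scheduler off from anything not carrying this chart's labels. I would add an `allowExternalEgress: true` key with a comment such as `## @param scheduler.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations` (the wording used for Cassandra in this change) and mention in the `enabled` comment that egress rules apply too. The `extraEgress` description here also says "ingress rules" and should say "egress rules".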
@@ -722,7 +828,7 @@ worker: image: registry: docker.io repository: bitnami/airflow-worker - tag: 2.8.0-debian-11-r1 + tag: 2.8.1-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -843,7 +949,7 @@ worker: ## Configure Airflow worker containers (only main one) Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param worker.containerSecurityContext.enabled Enabled Airflow worker containers' Security Context - ## @param worker.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set Airflow worker containers' Security Context runAsUser ## @param worker.containerSecurityContext.runAsNonRoot Set Airflow worker containers' Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set worker container's Security Context privileged @@ -853,7 +959,7 @@ worker: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -999,6 +1105,59 @@ worker: targetCPU: 80 targetMemory: 80 + ## Worker Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param worker.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param worker.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Worker is listening + ## on. When true, Worker will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param worker.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param worker.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param worker.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param worker.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Airflow git sync parameters ## Configure Git to pull dags and plugins 
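Review bot: `worker.networkPolicy.allowExternal` is documented as "only pods with the correct client label will have network access", but the label name itself (`<fullname>-worker-client: "true"`, generated by the worker template in this change) is not stated anywhere in values.yaml, so an operator turning this to false has to read the template to find out what to label the web pods with. I would extend the comment with `## When false, only pods labelled "<release-fullname>-worker-client: true" (e.g. the web pods that read task logs) can reach the worker ports.` The `extraEgress` description again reads "extra ingress rules" and the nested-list examples under `podSelector` are not valid LabelSelector YAML; both should be corrected as for the other components.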
@@ -1016,7 +1175,7 @@ git: image: registry: docker.io repository: bitnami/git - tag: 2.43.0-debian-11-r5 + tag: 2.43.0-debian-11-r9 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1379,7 +1538,7 @@ metrics: image: registry: docker.io repository: bitnami/airflow-exporter - tag: 0.20220314.0-debian-11-r443 + tag: 0.20220314.0-debian-11-r448 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1428,7 +1587,7 @@ metrics: ## Airflow exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable Airflow exporter containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Airflow exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set Airflow exporter containers' Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged @@ -1444,7 +1603,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -1572,6 +1731,58 @@ metrics: ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. ## jobLabel: "" + ## Metrics Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param metrics.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param metrics.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports Metrics is listening + ## on. When true, Metrics will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param metrics.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param metrics.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param metrics.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param metrics.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Airflow database parameters diff --git a/charts/bitnami/cassandra/.helmignore b/charts/bitnami/cassandra/.helmignore index f0c131944..fb56657ab 100644 
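Review bot: For the metrics component the usual client is a Prometheus running in another namespace, but the comments on `metrics.networkPolicy.allowExternal` and `ingressNSMatchLabels` do not connect the two: once `allowExternal` is set to false, scraping only works if `ingressNSMatchLabels` (and optionally `ingressNSPodMatchLabels`) select the Prometheus namespace and pods, since a pod in another namespace cannot carry the `<fullname>-exporter-client` label usefully. I would add a sentence to the `allowExternal` comment such as `## When false, set ingressNSMatchLabels/ingressNSPodMatchLabels so the Prometheus namespace and pods are still allowed to scrape.` Same doc nits as the sibling sections apply: `extraEgress` says "ingress rules" and the example selectors are written as lists rather than maps.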
--- a/charts/bitnami/cassandra/.helmignore +++ b/charts/bitnami/cassandra/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/cassandra/Chart.yaml b/charts/bitnami/cassandra/Chart.yaml index 636c53092..97503144f 100644 --- a/charts/bitnami/cassandra/Chart.yaml +++ b/charts/bitnami/cassandra/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: Database images: | - name: cassandra-exporter - image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r433 + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r436 - name: cassandra - image: docker.io/bitnami/cassandra:4.1.3-debian-11-r81 + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r85 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 appVersion: 4.1.3 @@ -35,4 +35,4 @@ maintainers: name: cassandra sources: - https://github.com/bitnami/charts/tree/main/bitnami/cassandra -version: 10.8.0 +version: 10.9.0 diff --git a/charts/bitnami/cassandra/README.md b/charts/bitnami/cassandra/README.md index 0285f1602..35f7ddfe0 100644 --- a/charts/bitnami/cassandra/README.md +++ b/charts/bitnami/cassandra/README.md 
@@ -140,7 +140,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Cassandra pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled Cassandra containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set Cassandra containers' Security Context runAsUser | `1001` | | `containerSecurityContext.allowPrivilegeEscalation` | Set Cassandra containers' Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | Set Cassandra containers' Security Context capabilities to be dropped | `["ALL"]` | 
@@ -202,24 +202,29 @@ The command removes all the Kubernetes components associated with the chart and ### Traffic Exposure Parameters -| Name | Description | Value | -| ---------------------------------- | ----------------------------------------------------------------------------- | ----------- | -| `service.type` | Cassandra service type | `ClusterIP` | -| `service.ports.cql` | Cassandra service CQL Port | `9042` | -| `service.ports.metrics` | Cassandra service metrics port | `8080` | -| `service.nodePorts.cql` | Node port for CQL | `""` | -| `service.nodePorts.metrics` | Node port for metrics | `""` | -| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` | -| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `""` | -| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` | -| `service.clusterIP` | Service Cluster IP | `""` | -| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` | -| `service.annotations` | Provide any additional annotations which may be required. | `{}` | -| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.headless.annotations` | Annotations for the headless service. 
| `{}` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | -| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------- | ----------- | +| `service.type` | Cassandra service type | `ClusterIP` | +| `service.ports.cql` | Cassandra service CQL Port | `9042` | +| `service.ports.metrics` | Cassandra service metrics port | `8080` | +| `service.nodePorts.cql` | Node port for CQL | `""` | +| `service.nodePorts.metrics` | Node port for metrics | `""` | +| `service.extraPorts` | Extra ports to expose in the service (normally used with the `sidecar` value) | `[]` | +| `service.loadBalancerIP` | LoadBalancerIP if service type is `LoadBalancer` | `""` | +| `service.loadBalancerSourceRanges` | Service Load Balancer sources | `[]` | +| `service.clusterIP` | Service Cluster IP | `""` | +| `service.externalTrafficPolicy` | Service external traffic policy | `Cluster` | +| `service.annotations` | Provide any additional annotations which may be required. | `{}` | +| `service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.headless.annotations` | Annotations for the headless service. | `{}` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. 
| `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Persistence parameters @@ -248,7 +253,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `volumePermissions.resources.limits` | The resources limits for the container | `{}` | | `volumePermissions.resources.requests` | The requested resources for the container | `{}` | -| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.securityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.securityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters 
@@ -338,23 +343,52 @@ This chart supports TLS between client and server and between nodes, as explaine - For internode cluster encryption, set the `tls.internodeEncryption` chart parameter to a value different from `none`. Available values are `all`, `dc` or `rack`. - For client-server encryption, set the `tls.clientEncryption` chart parameter to `true`. -In both cases, it is also necessary to create a secret containing the keystore and truststore certificates and their corresponding protection passwords. This secret is to be passed to the chart via the `tls.existingSecret` parameter at deployment-time. +In both cases, it is also necessary to create a secret containing the keystore and truststore certificates and their corresponding protection passwords. This secret is to be passed to the chart via the `tls.existingSecret` parameter at deployment-time, as shown below: -Refer to the chart documentation for more [information on creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/cassandra/administration/enable-tls/). +```text +tls.internodeEncryption=all +tls.clientEncryption=true +tls.existingSecret=my-exisiting-stores +tls.passwordsSecret=my-stores-password +``` -### Use a custom configuration file +> TIP: The secret may be created in the standard way with the `--from-file=./keystore`, `--from-file=./truststore`, `--from-literal=keystore-password=KEYSTORE_PASSWORD` and `--from-literal=truststore-password=TRUSTSTORE_PASSWORD` options. This assumes that the stores are in the current working directory and the KEYSTORE_PASSWORD and TRUSTSTORE_PASSWORD placeholders are replaced with the correct keystore and truststore passwords respectively. Example: -This chart also supports mounting custom configuration file(s) for Apache Cassandra. This is achieved by setting the `existingConfiguration` parameter with the name of a ConfigMap that includes the custom configuration file(s). 
+```console +kubectl create secret generic my-exisiting-stores --from-file=./keystore --from-file=./truststore +kubectl create secret generic my-stores-password --from-literal=keystore-password=KEYSTORE_PASSWORD --from-literal=truststore-password=TRUSTSTORE_PASSWORD +``` -> NOTE: This ConfigMap will override other Apache Cassandra configuration variables set in the chart. +Keystore and Truststore files can be dinamycally created from the certificates files. In this case a secret with the tls.crt, tls.key and ca.crt in pem format is required. The following example shows how the secret can be created and assumes that all certificate files are in the working directory: -Refer to the chart documentation for more [information on customizing an Apache Cassandra deployment](https://docs.bitnami.com/kubernetes/infrastructure/cassandra/configuration/customize-new-instance/). +```console +kubectl create secret tls my-certs --cert ./tls.crt --key ./tls.key +kubectl patch secret my-certs -p="{\"data\":{\"ca.crt\": \"$(cat ./ca.crt | base64 )\"}}" +``` + +To enable this feature `tls.autoGenerated` must be set and the new secret should be set in `tls.certificateSecret`: + +```text +tls.internodeEncryption=all +tls.clientEncryption=true +tls.autoGenerated=true +tls.certificatesSecret=my-certs +tls.passwordsSecret=my-stores-password +``` ### Initialize the database -The [Bitnami Apache Cassandra image](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image supports the use of custom scripts to initialize a fresh instance. This may be done by creating a Kubernetes ConfigMap that includes the necessary *sh* or *cql* scripts and passing this ConfigMap to the chart via the *initDBConfigMap* parameter. +The [Apache Cassandra](https://github.com/bitnami/containers/tree/main/bitnami/cassandra) image supports the use of custom scripts to initialize a fresh instance. 
This may be done by creating a Kubernetes ConfigMap that includes the necessary `.sh` or `.cql` scripts and passing this ConfigMap to the chart via the `initDBConfigMap` parameter. -Refer to the chart documentation for more [information on customizing an Apache Cassandra deployment](https://docs.bitnami.com/kubernetes/infrastructure/cassandra/configuration/customize-new-instance/). +### Use a custom configuration file + +This chart also supports mounting custom configuration file(s) for Apache Cassandra. This is achieved by setting the `existingConfiguration` parameter with the name of a ConfigMap that includes the custom configuration file(s). Here is an example of deploying the chart with a custom configuration file stored in a ConfigMap named `cassandra-configuration`: + +```text +existingConfiguration=cassandra-configuration +``` + +> NOTE: This ConfigMap will override other Apache Cassandra configuration variables set in the chart. ### Set pod affinity @@ -426,8 +460,6 @@ For this version, there have been [intensive efforts](https://cwiki.apache.org/c [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/cassandra/administration/upgrade-helm3/). - ### To 6.0.0 - Several parameters were renamed or disappeared in favor of new ones on this major version: diff --git a/charts/bitnami/cassandra/templates/NOTES.txt b/charts/bitnami/cassandra/templates/NOTES.txt index 994177d72..fdedcdd38 100644 --- a/charts/bitnami/cassandra/templates/NOTES.txt +++ b/charts/bitnami/cassandra/templates/NOTES.txt 
@@ -15,11 +15,11 @@ The chart has been deployed in diagnostic mode. All probes have been disabled an Get the list of pods by executing: - kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }} Access the pod you want to debug by executing - kubectl exec --namespace {{ .Release.Namespace }} -ti -- bash + kubectl exec --namespace {{ include "common.names.namespace" . }} -ti -- bash In order to replicate the container startup scripts execute this command: @@ -29,7 +29,7 @@ In order to replicate the container startup scripts execute this command: Cassandra can be accessed through the following URLs from within the cluster: - - CQL: {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.ports.cql }} + - CQL: {{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}:{{ .Values.service.ports.cql }} To get your password run: 
@@ -37,13 +37,13 @@ To get your password run: Check the cluster status by running: - kubectl exec -it --namespace {{ .Release.Namespace }} $(kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}') nodetool status + kubectl exec -it --namespace {{ include "common.names.namespace" . }} $(kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/name={{ include "common.names.name" . }},app.kubernetes.io/instance={{ .Release.Name }} -o jsonpath='{.items[0].metadata.name}') nodetool status To connect to your Cassandra cluster using CQL: 1. Run a Cassandra pod that you can use as a client: - kubectl run --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' \ + kubectl run --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' \ --env CASSANDRA_PASSWORD=$CASSANDRA_PASSWORD \ {{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ include "common.names.name" . }}-client=true"{{ end }} \ --image {{ include "cassandra.image" . }} -- bash 
@@ -63,22 +63,22 @@ To connect to your database from outside the cluster execute the following comma {{- if contains "NodePort" .Values.service.type }} - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "common.names.fullname" . }}) cqlsh -u {{ .Values.dbUser.user }} -p $CASSANDRA_PASSWORD $NODE_IP $NODE_PORT {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. - Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "common.names.fullname" . }}' + Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ include "common.names.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ include "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") cqlsh -u {{ .Values.dbUser.user }} -p $CASSANDRA_PASSWORD $SERVICE_IP {{- else if contains "ClusterIP" .Values.service.type }} - kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "common.names.fullname" . 
}} {{ .Values.service.ports.cql }}:{{ .Values.service.ports.cql }} & + kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ include "common.names.fullname" . }} {{ .Values.service.ports.cql }}:{{ .Values.service.ports.cql }} & cqlsh -u {{ .Values.dbUser.user }} -p $CASSANDRA_PASSWORD 127.0.0.1 {{ .Values.service.ports.cql }} {{- end }} diff --git a/charts/bitnami/cassandra/templates/_helpers.tpl b/charts/bitnami/cassandra/templates/_helpers.tpl index 2cca29ed5..f82e9223f 100644 --- a/charts/bitnami/cassandra/templates/_helpers.tpl +++ b/charts/bitnami/cassandra/templates/_helpers.tpl @@ -50,7 +50,7 @@ Return the list of Cassandra seed nodes {{- define "cassandra.seeds" -}} {{- $seeds := list }} {{- $fullname := include "common.names.fullname" . }} -{{- $releaseNamespace := .Release.Namespace }} +{{- $releaseNamespace := include "common.names.namespace" . }} {{- $clusterDomain := .Values.clusterDomain }} {{- $seedCount := .Values.cluster.seedCount | int }} {{- range $e, $i := until $seedCount }} @@ -203,7 +203,7 @@ otherwise it generates a random value. {{- if .Values.dbUser.password }} {{- .Values.dbUser.password }} {{- else if (not .Values.dbUser.forcePassword) }} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "common.names.fullname" .) "Length" 10 "Key" "cassandra-password") -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (include "common.names.fullname" .) "Length" 10 "Key" "cassandra-password") -}} {{- else }} {{ required "A Cassandra Password is required!" .Values.dbUser.password }} {{- end }} 
@@ -213,7 +213,7 @@ otherwise it generates a random value. {{- if .Values.tls.keystorePassword }} {{- .Values.tls.keystorePassword }} {{- else }} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (printf "%s-%s" (include "common.names.fullname" .) "tls-pass" | trunc 63 | trimSuffix "-") "Length" 10 "Key" "keystore-password") -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (printf "%s-%s" (include "common.names.fullname" .) "tls-pass" | trunc 63 | trimSuffix "-") "Length" 10 "Key" "keystore-password") -}} {{- end }} {{- end -}} @@ -221,7 +221,7 @@ otherwise it generates a random value. {{- if .Values.tls.truststorePassword }} {{- .Values.tls.truststorePassword }} {{- else }} - {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (printf "%s-%s" (include "common.names.fullname" .) "tls-pass" | trunc 63 | trimSuffix "-") "Length" 10 "Key" "truststore-password") -}} + {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (printf "%s-%s" (include "common.names.fullname" .) "tls-pass" | trunc 63 | trimSuffix "-") "Length" 10 "Key" "truststore-password") -}} {{- end }} {{- end -}} diff --git a/charts/bitnami/cassandra/templates/cassandra-secret.yaml b/charts/bitnami/cassandra/templates/cassandra-secret.yaml index 847cad0be..44908395e 100644 --- a/charts/bitnami/cassandra/templates/cassandra-secret.yaml +++ b/charts/bitnami/cassandra/templates/cassandra-secret.yaml 
@@ -8,7 +8,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} @@ -23,7 +23,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ printf "%s-tls-pass" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/cassandra/templates/headless-svc.yaml b/charts/bitnami/cassandra/templates/headless-svc.yaml index a9f77d28e..9c9b2b8c0 100644 --- a/charts/bitnami/cassandra/templates/headless-svc.yaml +++ b/charts/bitnami/cassandra/templates/headless-svc.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.service.headless.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.headless.annotations .Values.commonAnnotations ) "context" . ) }} 
diff --git a/charts/bitnami/cassandra/templates/metrics-configmap.yaml b/charts/bitnami/cassandra/templates/metrics-configmap.yaml index 12595a213..612513b4f 100644 --- a/charts/bitnami/cassandra/templates/metrics-configmap.yaml +++ b/charts/bitnami/cassandra/templates/metrics-configmap.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ printf "%s-metrics-conf" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/part-of: cassandra app.kubernetes.io/component: cassandra-exporter diff --git a/charts/bitnami/cassandra/templates/networkpolicy.yaml b/charts/bitnami/cassandra/templates/networkpolicy.yaml index 7182dd866..1ca8aa250 100644 --- a/charts/bitnami/cassandra/templates/networkpolicy.yaml +++ b/charts/bitnami/cassandra/templates/networkpolicy.yaml @@ -8,7 +8,7 @@ kind: NetworkPolicy apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
@@ -17,30 +17,66 @@ spec: {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} - ingress: - # Allow inbound connections - # CQL port + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution - ports: - - port: {{ .Values.service.ports.cql }} - from: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.cql }} + - port: {{ .Values.containerPorts.jmx }} + - port: {{ .Values.containerPorts.tls }} + - port: {{ .Values.containerPorts.intra }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.cql }} + - port: {{ .Values.containerPorts.jmx }} + - port: {{ .Values.containerPorts.tls }} + - port: {{ .Values.containerPorts.intra }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.http }} + - port: {{ .Values.metrics.containerPorts.jmx }} + {{- end }} {{- if not .Values.networkPolicy.allowExternal }} + from: - podSelector: matchLabels: - {{ include "common.names.fullname" . }}-client: "true" - {{- end }} - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} - # Internal ports - - ports: - - port: intra - - port: tls - - port: jmx - from: + {{ template "common.names.fullname" . 
}}-client: "true" - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} - {{- if .Values.metrics.enabled }} - # Allow prometheus scrapes for metrics - - ports: - - port: {{ .Values.metrics.containerPorts.http | default "8080" }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/bitnami/cassandra/templates/pdb.yaml b/charts/bitnami/cassandra/templates/pdb.yaml index 07c37776a..a02d40212 100644 --- a/charts/bitnami/cassandra/templates/pdb.yaml +++ b/charts/bitnami/cassandra/templates/pdb.yaml @@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.policy.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} 
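Review bot: `.Values.rts.networkPolicy.extraEgress` in the new egress branch references a key that does not exist in values.yaml, so rendering fails with a nil-pointer error as soon as a user sets `networkPolicy.extraEgress` together with `allowExternalEgress=false`; the line should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`, matching the `extraIngress` block at the end of the hunk. The egress `to:` selector and the ingress `from:` selector are now built from `.Values.commonLabels` while the policy's own `podSelector` still uses `$podLabels`; if `common.labels.matchLabels` only emits the standard name/instance labels the two agree, but that is inferred rather than visible here, so using `$podLabels` in all three places would make the intent explicit. Folding the metrics ports into the single ingress rule also means that, once `allowExternal=false`, a Prometheus in another namespace can only scrape via `ingressNSMatchLabels`, whereas the removed "Allow prometheus scrapes" rule admitted any source — that behaviour change deserves a README sentence.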
diff --git a/charts/bitnami/cassandra/templates/service.yaml b/charts/bitnami/cassandra/templates/service.yaml index 1dbb251a6..270a7917d 100644 --- a/charts/bitnami/cassandra/templates/service.yaml +++ b/charts/bitnami/cassandra/templates/service.yaml @@ -7,7 +7,7 @@ apiVersion: v1 kind: Service metadata: name: {{ include "common.names.fullname" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.service.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.service.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/cassandra/templates/serviceaccount.yaml b/charts/bitnami/cassandra/templates/serviceaccount.yaml index 24e9b6984..b167a160f 100644 --- a/charts/bitnami/cassandra/templates/serviceaccount.yaml +++ b/charts/bitnami/cassandra/templates/serviceaccount.yaml @@ -8,7 +8,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ include "cassandra.serviceAccountName" . }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if or .Values.serviceAccount.annotations .Values.commonAnnotations }} {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }} diff --git a/charts/bitnami/cassandra/templates/servicemonitor.yaml b/charts/bitnami/cassandra/templates/servicemonitor.yaml index 08748490f..6271dbbc7 100644 --- a/charts/bitnami/cassandra/templates/servicemonitor.yaml +++ b/charts/bitnami/cassandra/templates/servicemonitor.yaml 
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 name: {{ include "common.names.fullname" . }}
- namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+ namespace: {{ default include "common.names.namespace" . .Values.metrics.serviceMonitor.namespace | quote }}
 {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.metrics.serviceMonitor.labels .Values.commonLabels ) "context" . ) }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
 {{- if .Values.metrics.serviceMonitor.additionalLabels }}
@@ -45,5 +45,5 @@ spec:
 {{- end }}
 namespaceSelector:
 matchNames:
- - {{ .Release.Namespace }}
+ - {{ include "common.names.namespace" . }}
 {{- end }}
diff --git a/charts/bitnami/cassandra/templates/statefulset.yaml b/charts/bitnami/cassandra/templates/statefulset.yaml
index f17c4279e..8b16bea4b 100644
--- a/charts/bitnami/cassandra/templates/statefulset.yaml
+++ b/charts/bitnami/cassandra/templates/statefulset.yaml
@@ -7,7 +7,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: StatefulSet
 metadata:
 name: {{ include "common.names.fullname" . }}
- namespace: {{ .Release.Namespace | quote }}
+ namespace: {{ include "common.names.namespace" . | quote }}
 labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
 {{- if .Values.commonAnnotations }}
 annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
diff --git a/charts/bitnami/cassandra/templates/tls-secret.yaml b/charts/bitnami/cassandra/templates/tls-secret.yaml
index 56722c8e3..47217082f 100644
--- a/charts/bitnami/cassandra/templates/tls-secret.yaml
+++ b/charts/bitnami/cassandra/templates/tls-secret.yaml
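Review bot: `default include "common.names.namespace" . .Values.metrics.serviceMonitor.namespace` in the ServiceMonitor `metadata.namespace` line passes `include`, its template name, the context and the override as four separate arguments to `default`, which is a template execution error rather than a nested call, so the chart stops rendering whenever `metrics.serviceMonitor.enabled` is true. The helper call has to be parenthesised: `namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}`. The `matchNames` hunk below uses the helper on its own and is fine.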
@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0 {{- $secretName := printf "%s-crt" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} {{- $ca := genCA "cassandra-ca" 365 }} {{- $fullname := include "common.names.fullname" . }} -{{- $releaseNamespace := .Release.Namespace }} +{{- $releaseNamespace := include "common.names.namespace" . }} {{- $clusterDomain := .Values.clusterDomain }} {{- $serviceName := include "common.names.fullname" . }} {{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }} @@ -17,7 +17,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ $secretName }} - namespace: {{ .Release.Namespace | quote }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} diff --git a/charts/bitnami/cassandra/values.yaml b/charts/bitnami/cassandra/values.yaml index 4409e65cb..ad0d1ceb2 100644 --- a/charts/bitnami/cassandra/values.yaml +++ b/charts/bitnami/cassandra/values.yaml @@ -76,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/cassandra - tag: 4.1.3-debian-11-r81 + tag: 4.1.3-debian-11-r85 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -296,7 +296,7 @@ podSecurityContext: ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled Cassandra containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set Cassandra containers' Security Context runAsUser ## @param containerSecurityContext.allowPrivilegeEscalation Set Cassandra containers' Security Context allowPrivilegeEscalation ## @param containerSecurityContext.capabilities.drop Set Cassandra containers' Security Context capabilities to be dropped @@ -307,7 +307,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -553,20 +553,63 @@ service: ## @param service.headless.annotations Annotations for the headless service. ## annotations: {} -## Network policies + +## Network Policies ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false - ## @param networkPolicy.allowExternal Don't require client label for connections + enabled: true + ## @param networkPolicy.allowExternal Don't require server label for connections ## The Policy model to apply. When set to false, only pods with the correct - ## client label will have network access to the port Redis® is listening - ## on. When true, Redis® will accept connections from any source + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source ## (with the correct destination port). ## allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
+ ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Persistence parameters ## @@ -639,7 +682,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -675,7 +718,7 @@ volumePermissions: ## Init container Security Context ## Note: the chown of the data folder is done to securityContext.runAsUser ## and not the below volumePermissions.securityContext.runAsUser - ## @param volumePermissions.securityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.securityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.securityContext.runAsUser User ID for the init container ## ## When runAsUser is set to special value "auto", init container will try to chwon the 
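Review bot: The `@param` line for `networkPolicy.extraEgress` describes it as "Add extra ingress rules", and `networkPolicy.allowExternal` is now described as "Don't require server label for connections" although the template still gates ingress on the `<fullname>-client: "true"` pod label; both strings are generated into the README parameter table, so they should be corrected at the source: `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)` and `## @param networkPolicy.allowExternal Don't require client label for connections`. The `extraIngress` description also misspells the resource as `NetworkPolice`, and the `e.g:` blocks for both parameters show `matchLabels` as a list (`- matchLabels: - role: frontend`), which is not a valid label selector and will mislead anyone copying it. Since `enabled` flips from `false` to `true` in this hunk, every install now gets a NetworkPolicy with both Ingress and Egress policy types; that default change is worth a line in the upgrade notes so operators know egress is governed by `allowExternalEgress` from this version on.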
@@ -685,7 +728,7 @@ volumePermissions: ## pod securityContext.enabled=false and shmVolume.chmod.enabled=false ## securityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## @section Metrics parameters @@ -709,7 +752,7 @@ metrics: image: registry: docker.io repository: bitnami/cassandra-exporter - tag: 2.3.8-debian-11-r433 + tag: 2.3.8-debian-11-r436 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/kafka/.helmignore b/charts/bitnami/kafka/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/kafka/.helmignore +++ b/charts/bitnami/kafka/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/kafka/Chart.lock b/charts/bitnami/kafka/Chart.lock index 8c35de998..a5e7c4d63 100644 --- a/charts/bitnami/kafka/Chart.lock +++ b/charts/bitnami/kafka/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: zookeeper repository: oci://registry-1.docker.io/bitnamicharts - version: 12.5.0 + version: 12.8.0 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.14.1 -digest: sha256:e4feec8f181106637521ad9f041bab689837c3793a890cbd82d0fe386eb7b4b3 -generated: "2024-01-17T19:59:13.138728344Z" +digest: sha256:3178a4d20ef8d4102df204eae515d83d6e013deb87e687c7b60510525290acde +generated: "2024-02-02T16:50:14.687087671Z" diff --git a/charts/bitnami/kafka/Chart.yaml b/charts/bitnami/kafka/Chart.yaml index 1e6db8651..dee643917 100644 --- a/charts/bitnami/kafka/Chart.yaml +++ b/charts/bitnami/kafka/Chart.yaml 
@@ -6,15 +6,15 @@ annotations: category: Infrastructure images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 - name: kafka-exporter - image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r136 + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r140 - name: kafka - image: docker.io/bitnami/kafka:3.6.1-debian-11-r1 + image: docker.io/bitnami/kafka:3.6.1-debian-11-r6 - name: kubectl - image: docker.io/bitnami/kubectl:1.29.0-debian-11-r2 + image: docker.io/bitnami/kubectl:1.29.1-debian-11-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.6.1 @@ -45,4 +45,4 @@ maintainers: name: kafka sources: - https://github.com/bitnami/charts/tree/main/bitnami/kafka -version: 26.8.0 +version: 26.8.5 diff --git a/charts/bitnami/kafka/README.md b/charts/bitnami/kafka/README.md index 684ed86dd..6d31cf8fe 100644 --- a/charts/bitnami/kafka/README.md +++ b/charts/bitnami/kafka/README.md 
@@ -237,12 +237,13 @@ The command removes all the Kubernetes components associated with the chart and | `controller.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` | | `controller.podSecurityContext.seccompProfile.type` | Set Kafka pods's Security Context seccomp profile | `RuntimeDefault` | | `controller.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` | -| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `controller.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` | | `controller.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` | | `controller.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | | `controller.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | | `controller.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | +| `controller.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `controller.hostAliases` | Kafka pods host aliases | `[]` | | `controller.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | | `controller.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | 
@@ -342,12 +343,13 @@ The command removes all the Kubernetes components associated with the chart and | `broker.podSecurityContext.fsGroup` | Set Kafka pod's Security Context fsGroup | `1001` | | `broker.podSecurityContext.seccompProfile.type` | Set Kafka pod's Security Context seccomp profile | `RuntimeDefault` | | `broker.containerSecurityContext.enabled` | Enable Kafka containers' Security Context | `true` | -| `broker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `broker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `broker.containerSecurityContext.runAsUser` | Set Kafka containers' Security Context runAsUser | `1001` | | `broker.containerSecurityContext.runAsNonRoot` | Set Kafka containers' Security Context runAsNonRoot | `true` | | `broker.containerSecurityContext.allowPrivilegeEscalation` | Force the child process to be run as non-privileged | `false` | | `broker.containerSecurityContext.readOnlyRootFilesystem` | Allows the pod to mount the RootFS as ReadOnly only | `true` | | `broker.containerSecurityContext.capabilities.drop` | Set Kafka containers' server Security Context capabilities to be dropped | `["ALL"]` | +| `broker.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `broker.hostAliases` | Kafka pods host aliases | `[]` | | `broker.hostNetwork` | Specify if host network should be enabled for Kafka pods | `false` | | `broker.hostIPC` | Specify if host IPC should be enabled for Kafka pods | `false` | 
@@ -429,7 +431,7 @@ The command removes all the Kubernetes components associated with the chart and | `externalAccess.autoDiscovery.resources.limits` | The resources limits for the auto-discovery init container | `{}` | | `externalAccess.autoDiscovery.resources.requests` | The requested resources for the auto-discovery init container | `{}` | | `externalAccess.autoDiscovery.containerSecurityContext.enabled` | Enable Kafka auto-discovery containers' Security Context | `true` | -| `externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `externalAccess.autoDiscovery.containerSecurityContext.runAsUser` | Set Kafka auto-discovery containers' Security Context runAsUser | `1001` | | `externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot` | Set Kafka auto-discovery containers' Security Context runAsNonRoot | `true` | | `externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation | `false` | @@ -487,7 +489,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters 
@@ -549,12 +551,13 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.kafka.podSecurityContext.fsGroup` | Set Kafka exporter pod's Security Context fsGroup | `1001` | | `metrics.kafka.podSecurityContext.seccompProfile.type` | Set Kafka exporter pod's Security Context seccomp profile | `RuntimeDefault` | | `metrics.kafka.containerSecurityContext.enabled` | Enable Kafka exporter containers' Security Context | `true` | -| `metrics.kafka.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.kafka.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.kafka.containerSecurityContext.runAsUser` | Set Kafka exporter containers' Security Context runAsUser | `1001` | | `metrics.kafka.containerSecurityContext.runAsNonRoot` | Set Kafka exporter containers' Security Context runAsNonRoot | `true` | | `metrics.kafka.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka exporter containers' Security Context allowPrivilegeEscalation | `false` | | `metrics.kafka.containerSecurityContext.readOnlyRootFilesystem` | Set Kafka exporter containers' Security Context readOnlyRootFilesystem | `true` | | `metrics.kafka.containerSecurityContext.capabilities.drop` | Set Kafka exporter containers' Security Context capabilities to be dropped | `["ALL"]` | +| `metrics.kafka.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `metrics.kafka.hostAliases` | Kafka exporter pods host aliases | `[]` | | `metrics.kafka.podLabels` | Extra labels for Kafka exporter pods | `{}` | | `metrics.kafka.podAnnotations` | Extra annotations for Kafka exporter pods | `{}` | 
@@ -589,7 +592,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.jmx.image.pullPolicy` | JMX exporter image pull policy | `IfNotPresent` | | `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.jmx.containerSecurityContext.enabled` | Enable Prometheus JMX exporter containers' Security Context | `true` | -| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.jmx.containerSecurityContext.runAsUser` | Set Prometheus JMX exporter containers' Security Context runAsUser | `1001` | | `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set Prometheus JMX exporter containers' Security Context runAsNonRoot | `true` | | `metrics.jmx.containerSecurityContext.allowPrivilegeEscalation` | Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation | `false` | @@ -626,6 +629,7 @@ The command removes all the Kubernetes components associated with the chart and | Name | Description | Value | | ---------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | --------------------- | | `provisioning.enabled` | Enable kafka provisioning Job | `false` | +| `provisioning.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `provisioning.numPartitions` | Default number of partitions for topics when unspecified | `1` | | `provisioning.replicationFactor` | Default replication factor for topics when unspecified | `1` | | `provisioning.topics` | Kafka topics to provision | `[]` | 
@@ -668,7 +672,7 @@ The command removes all the Kubernetes components associated with the chart and | `provisioning.podSecurityContext.fsGroup` | Set Kafka provisioning pod's Security Context fsGroup | `1001` | | `provisioning.podSecurityContext.seccompProfile.type` | Set Kafka provisioning pod's Security Context seccomp profile | `RuntimeDefault` | | `provisioning.containerSecurityContext.enabled` | Enable Kafka provisioning containers' Security Context | `true` | -| `provisioning.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `provisioning.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `provisioning.containerSecurityContext.runAsUser` | Set Kafka provisioning containers' Security Context runAsUser | `1001` | | `provisioning.containerSecurityContext.runAsNonRoot` | Set Kafka provisioning containers' Security Context runAsNonRoot | `true` | | `provisioning.containerSecurityContext.allowPrivilegeEscalation` | Set Kafka provisioning containers' Security Context allowPrivilegeEscalation | `false` | @@ -758,7 +762,7 @@ You can configure different authentication protocols for each listener you confi | sasl | Yes (via SASL) | No | | sasl_tls | Yes (via SASL) | Yes | -Learn more about how to configure Kafka to use the different authentication protocols in the [chart documentation](https://docs.bitnami.com/kubernetes/infrastructure/kafka/administration/enable-security/). +Configure the authentication protocols for client and inter-broker communications by setting the *auth.clientProtocol* and *auth.interBrokerProtocol* parameters to the desired ones, respectively. If you enabled SASL authentication on any listener, you can set the SASL credentials using the parameters below: 
@@ -959,6 +963,31 @@ externalAccess: external-dns.alpha.kubernetes.io/hostname: "{{ .targetPod }}.example.com" ``` +### Enable metrics + +The chart can optionally start two metrics exporters: + +- Kafka exporter, to expose Kafka metrics. By default, it uses port 9308. +- JMX exporter, to expose JMX metrics. By default, it uses port 5556. + +To create a separate Kafka exporter, use the parameter below: + +```text +metrics.kafka.enabled: true +``` + +To expose JMX metrics to Prometheus, use the parameter below: + +```text +metrics.jmx.enabled: true +``` + +- To enable Zookeeper chart metrics, use the parameter below: + +```text +zookeeper.metrics.enabled: true +``` + ### Sidecars If you have a need for additional containers to run within the same pod as Kafka (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. @@ -1498,4 +1527,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. +limitations under the License. \ No newline at end of file diff --git a/charts/bitnami/kafka/charts/zookeeper/.helmignore b/charts/bitnami/kafka/charts/zookeeper/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/kafka/charts/zookeeper/.helmignore +++ b/charts/bitnami/kafka/charts/zookeeper/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml index cc3510b49..5d0e73c29 100644 --- a/charts/bitnami/kafka/charts/zookeeper/Chart.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/Chart.yaml 
@@ -2,7 +2,7 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r93 + image: docker.io/bitnami/os-shell:11-debian-11-r94 - name: zookeeper image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5 licenses: Apache-2.0 @@ -26,4 +26,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.5.0 +version: 12.8.0 diff --git a/charts/bitnami/kafka/charts/zookeeper/README.md b/charts/bitnami/kafka/charts/zookeeper/README.md index 3f50dee51..b0b067582 100644 --- a/charts/bitnami/kafka/charts/zookeeper/README.md +++ b/charts/bitnami/kafka/charts/zookeeper/README.md @@ -166,7 +166,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -174,6 +174,7 @@ The command removes all the Kubernetes components associated with the chart and | `containerSecurityContext.allowPrivilegeEscalation` | Set container's Security Context allowPrivilegeEscalation | `false` | | `containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` | | `containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `hostAliases` | ZooKeeper pods host aliases | `[]` | | `podLabels` | Extra labels for ZooKeeper pods | `{}` | | `podAnnotations` | Annotations for ZooKeeper pods | `{}` | @@ -225,8 +226,13 @@ The command removes all the Kubernetes components associated with the chart and | `service.headless.annotations` | Annotations for the Headless Service | `{}` | | `service.headless.publishNotReadyAddresses` | If the ZooKeeper headless service should publish DNS records for not ready pods | `true` | | `service.headless.servicenameOverride` | String to partially override headless service name | `""` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Other Parameters 
@@ -266,7 +272,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | | `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters @@ -492,8 +498,6 @@ This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/zookeeper/administration/upgrade-helm3/). - ### To 5.21.0 A couple of parameters related to Zookeeper metrics were renamed or disappeared in favor of new ones: @@ -540,4 +544,4 @@ Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and -limitations under the License. \ No newline at end of file +limitations under the License. 
diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/networkpolicy.yaml b/charts/bitnami/kafka/charts/zookeeper/templates/networkpolicy.yaml index 34d36f971..e9de1da12 100644 --- a/charts/bitnami/kafka/charts/zookeeper/templates/networkpolicy.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/templates/networkpolicy.yaml @@ -19,6 +19,29 @@ spec: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} policyTypes: - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow internal communications between nodes + - ports: + - port: {{ .Values.containerPorts.follower }} + - port: {{ .Values.containerPorts.election }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} ingress: # Allow inbound connections to ZooKeeper - ports: 
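Review bot: The egress branch renders `extraEgress` from the wrong values path — `.Values.rts.networkPolicy.extraEgress` — while the guard directly above it tests `.Values.networkPolicy.extraEgress`, so a consumer who sets `allowExternalEgress=false` and supplies extra egress rules gets a template failure on a nil `.Values.rts` instead of the rules they asked for; rendering with default values never reaches this line, which is presumably why it passed. The line should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`. A short comment on the restricted egress set would also help operators reason about what is left open, e.g. `# With allowExternalEgress=false only DNS (any destination, port 53) and peer follower/election traffic are allowed; anything else must be listed in networkPolicy.extraEgress`. The policy's metadata and the start of `spec` are outside the hunk.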
@@ -28,11 +51,27 @@ spec: {{- end }} {{- if not .Values.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} - podSelector: matchLabels: {{ include "common.names.fullname" . }}-client: "true" - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} {{- end }} # Allow internal communications between nodes - ports: @@ -41,4 +80,7 @@ spec: from: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml index 0aa6ffa34..c09849a4d 100644 --- a/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/templates/statefulset.yaml 
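Review bot: The new `podSelector` keyed on `.Values.commonLabels` in the `allowExternal=false` branch sits directly above the existing peer keyed on `$podLabels`; `$podLabels` is defined outside this hunk, and if, as is usual in these charts, it is the merge of `podLabels` and `commonLabels`, the two `matchLabels` sets are identical and the added peer is a duplicate rather than an extra allowance — either drop it or add a one-line comment stating which pods it is meant to admit. In the `ingressNSMatchLabels` block the nested `podSelector` is placed inside the same `from` item as the `namespaceSelector`, so the two are AND-ed, which is the intended (narrower) semantics; a comment such as `# namespaceSelector and podSelector in one peer: both must match` would save the next reader from verifying that by indentation alone, since a mis-indented `- podSelector` would silently widen the rule to any namespace.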
@@ -46,6 +46,7 @@ spec: enableServiceLinks: {{ .Values.enableServiceLinks }} serviceAccountName: {{ template "zookeeper.serviceAccountName" . }} {{- include "zookeeper.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} {{- if .Values.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/kafka/charts/zookeeper/values.yaml b/charts/bitnami/kafka/charts/zookeeper/values.yaml index 9d06d661f..fa0b5ead6 100644 --- a/charts/bitnami/kafka/charts/zookeeper/values.yaml +++ b/charts/bitnami/kafka/charts/zookeeper/values.yaml @@ -339,7 +339,7 @@ podSecurityContext: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -350,7 +350,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -360,6 +360,9 @@ containerSecurityContext: drop: ["ALL"] seccompProfile: type: "RuntimeDefault" +## @param automountServiceAccountToken Mount Service Account token in pod +## +automountServiceAccountToken: false ## @param hostAliases ZooKeeper pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -599,12 +602,53 @@ service: networkPolicy: ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false + enabled: true ## @param networkPolicy.allowExternal Don't require client label for connections ## When set to false, only pods with the correct client label will have network access to the port Redis® is ## listening on. When true, zookeeper accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Other Parameters @@ -708,7 +752,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r93 + tag: 11-debian-11-r94 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
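Review bot: The `@param` descriptions for the two new rule lists are wrong: `networkPolicy.extraEgress` is described as `Add extra ingress rules to the NetworkPolicy` and `networkPolicy.extraIngress` as `... to the NetworkPolice`, and because the README table is generated from these comments the same text appears in the zookeeper README hunk of this commit. Change them to `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy` and `## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy`. The `e.g:` examples also nest `matchLabels` as a list (`- matchLabels: - role: frontend`), which the API rejects; `matchLabels:` followed by the map entry `role: frontend` is the valid form, and an example an operator pastes into a policy should be valid. Since `enabled` now defaults to `true` while `allowExternal` and `allowExternalEgress` also default to `true`, the generated policy permits all traffic until those two are flipped, which is worth stating under `enabled`, e.g. `## With allowExternal and allowExternalEgress at their defaults the policy is permissive; set them to false to restrict traffic`.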
@@ -731,12 +775,12 @@ volumePermissions: ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser ## @param volumePermissions.containerSecurityContext.enabled Enabled init container Security Context - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## @section Metrics parameters diff --git a/charts/bitnami/kafka/templates/_helpers.tpl b/charts/bitnami/kafka/templates/_helpers.tpl index 1426e36c9..79c71ef0f 100644 --- a/charts/bitnami/kafka/templates/_helpers.tpl +++ b/charts/bitnami/kafka/templates/_helpers.tpl 
@@ -1131,6 +1131,20 @@ kafka: rbac.create K8s API. Please note this initContainer requires specific RBAC resources. You can create them by specifying "--set rbac.create=true". {{- end -}} +{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (gt (int .Values.controller.replicaCount) 0) (not .Values.controller.automountServiceAccountToken) }} +kafka: controller-automountServiceAccountToken + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to auto-detect the external IPs/ports by querying the + K8s API. Please note this initContainer requires the service account token. Please set controller.automountServiceAccountToken=true + and broker.automountServiceAccountToken=true. +{{- end -}} +{{- if and .Values.externalAccess.enabled .Values.externalAccess.autoDiscovery.enabled (gt (int .Values.broker.replicaCount) 0) (not .Values.broker.automountServiceAccountToken) }} +kafka: broker-automountServiceAccountToken + By specifying "externalAccess.enabled=true" and "externalAccess.autoDiscovery.enabled=true" + an initContainer will be used to auto-detect the external IPs/ports by querying the + K8s API. Please note this initContainer requires the service account token. Please set controller.automountServiceAccountToken=true + and broker.automountServiceAccountToken=true. +{{- end -}} {{- end -}} {{/* Validate values of Kafka - LoadBalancerIPs or LoadBalancerNames should be set when autoDiscovery is disabled */}} diff --git a/charts/bitnami/kafka/templates/broker/statefulset.yaml b/charts/bitnami/kafka/templates/broker/statefulset.yaml index 76cf2d3d6..6e58d12f0 100644 --- a/charts/bitnami/kafka/templates/broker/statefulset.yaml +++ b/charts/bitnami/kafka/templates/broker/statefulset.yaml 
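Review bot: The two new validation messages are word-for-word copies, so the broker check (`broker.replicaCount > 0` with `broker.automountServiceAccountToken` unset) still tells the operator to enable the token on the controller as well, and vice versa; each message should name only the key its own condition tests, e.g. `Please set controller.automountServiceAccountToken=true.` in the first block and `Please set broker.automountServiceAccountToken=true.` in the second. This matters because the check is what surfaces the new `automountServiceAccountToken: false` default as an explicit error rather than a silently failing auto-discovery init container, and an operator following the current wording would re-mount the token on a pool that does not need it, widening the API-token exposure the default was introduced to reduce. The enclosing `define` starts and ends outside the hunk.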
@@ -52,6 +52,7 @@ spec: {{- end }} spec: {{- include "kafka.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.broker.automountServiceAccountToken }} {{- if .Values.broker.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.broker.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -436,7 +437,9 @@ spec: {{- if or (and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim)) (and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim)) }} volumeClaimTemplates: {{- if and .Values.broker.persistence.enabled (not .Values.broker.persistence.existingClaim) }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data {{- if .Values.broker.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.persistence.annotations "context" $) | nindent 10 }} @@ -458,7 +461,9 @@ spec: {{- end -}} {{- end }} {{- if and .Values.broker.logPersistence.enabled (not .Values.broker.logPersistence.existingClaim) }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: logs {{- if .Values.broker.logPersistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.broker.logPersistence.annotations "context" $) | nindent 10 }} diff --git a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml index 60235d650..5a713e9f9 100644 --- a/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml +++ b/charts/bitnami/kafka/templates/controller-eligible/statefulset.yaml 
@@ -52,6 +52,7 @@ spec: {{- end }} spec: {{- include "kafka.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }} {{- if .Values.controller.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controller.hostAliases "context" $) | nindent 8 }} {{- end }} @@ -435,7 +436,9 @@ spec: {{- if or (and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim)) (and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim)) }} volumeClaimTemplates: {{- if and .Values.controller.persistence.enabled (not .Values.controller.persistence.existingClaim) }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: data {{- if .Values.controller.persistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.persistence.annotations "context" $) | nindent 10 }} @@ -457,7 +460,9 @@ spec: {{- end -}} {{- end }} {{- if and .Values.controller.logPersistence.enabled (not .Values.controller.logPersistence.existingClaim) }} - - metadata: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: name: logs {{- if .Values.controller.logPersistence.annotations }} annotations: {{- include "common.tplvalues.render" (dict "value" .Values.controller.logPersistence.annotations "context" $) | nindent 10 }} diff --git a/charts/bitnami/kafka/templates/metrics/deployment.yaml b/charts/bitnami/kafka/templates/metrics/deployment.yaml index 7860a9711..e22b2f801 100644 --- a/charts/bitnami/kafka/templates/metrics/deployment.yaml +++ b/charts/bitnami/kafka/templates/metrics/deployment.yaml 
@@ -35,6 +35,7 @@ spec: {{- end }} spec: {{- include "kafka.imagePullSecrets" . | nindent 6 }} + automountServiceAccountToken: {{ .Values.metrics.kafka.automountServiceAccountToken }} {{- if .Values.metrics.kafka.hostAliases }} hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.kafka.hostAliases "context" $) | nindent 8 }} {{- end }} diff --git a/charts/bitnami/kafka/templates/provisioning/job.yaml b/charts/bitnami/kafka/templates/provisioning/job.yaml index 8eec3a30e..266fbad2c 100644 --- a/charts/bitnami/kafka/templates/provisioning/job.yaml +++ b/charts/bitnami/kafka/templates/provisioning/job.yaml @@ -28,6 +28,7 @@ spec: {{- end }} spec: serviceAccountName: {{ template "kafka.provisioning.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.provisioning.automountServiceAccountToken }} enableServiceLinks: {{ .Values.provisioning.enableServiceLinks }} {{- include "kafka.imagePullSecrets" . | nindent 6 }} {{- if .Values.provisioning.schedulerName }} diff --git a/charts/bitnami/kafka/templates/scripts-configmap.yaml b/charts/bitnami/kafka/templates/scripts-configmap.yaml index 4e9a9c9cc..bc9157e72 100644 --- a/charts/bitnami/kafka/templates/scripts-configmap.yaml +++ b/charts/bitnami/kafka/templates/scripts-configmap.yaml @@ -333,7 +333,7 @@ data: if [[ -f "/bitnami/kafka/data/meta.properties" ]]; then if grep -q "broker.id" /bitnami/kafka/data/meta.properties; then ID="$(grep "broker.id" /bitnami/kafka/data/meta.properties | awk -F '=' '{print $2}')" - {{- if or (not .Values.broker.zookeeperMigrationMode) (and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers)) }} + {{- if or (and .Values.kraft.enabled (not .Values.broker.zookeeperMigrationMode)) (and (not .Values.zookeeper.enabled) (not .Values.externalZookeeper.servers)) }} kafka_conf_set "$KAFKA_CONFIG_FILE" "node.id" "$ID" {{- else }} kafka_conf_set "$KAFKA_CONFIG_FILE" "broker.id" "$ID" 
diff --git a/charts/bitnami/kafka/values.yaml b/charts/bitnami/kafka/values.yaml index 210962554..298b2e0b5 100644 --- a/charts/bitnami/kafka/values.yaml +++ b/charts/bitnami/kafka/values.yaml @@ -80,7 +80,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/kafka - tag: 3.6.1-debian-11-r1 + tag: 3.6.1-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -620,7 +620,7 @@ controller: ## Kafka containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context - ## @param controller.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param controller.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged @@ -635,13 +635,16 @@ controller: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] + ## @param controller.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param controller.hostAliases Kafka pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## 
@@ -1017,7 +1020,7 @@ broker: ## Kafka containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context - ## @param broker.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param broker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param broker.containerSecurityContext.runAsUser Set Kafka containers' Security Context runAsUser ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged @@ -1032,13 +1035,16 @@ broker: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] + ## @param broker.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param broker.hostAliases Kafka pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -1370,7 +1376,7 @@ externalAccess: image: registry: docker.io repository: bitnami/kubectl - tag: 1.29.0-debian-11-r2 + tag: 1.29.1-debian-11-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -1395,7 +1401,7 @@ externalAccess: ## Kafka provisioning containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param externalAccess.autoDiscovery.containerSecurityContext.enabled Enable Kafka auto-discovery containers' Security Context - ## @param externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param externalAccess.autoDiscovery.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsUser Set Kafka auto-discovery containers' Security Context runAsUser ## @param externalAccess.autoDiscovery.containerSecurityContext.runAsNonRoot Set Kafka auto-discovery containers' Security Context runAsNonRoot ## @param externalAccess.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation Set Kafka auto-discovery containers' Security Context allowPrivilegeEscalation @@ -1411,7 +1417,7 @@ externalAccess: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false @@ -1656,7 +1662,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1678,11 +1684,11 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## @section Other Parameters @@ -1740,7 +1746,7 @@ metrics: image: registry: docker.io repository: bitnami/kafka-exporter - tag: 1.7.0-debian-11-r136 + tag: 1.7.0-debian-11-r140 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1870,7 +1876,7 @@ metrics: ## Kafka exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.kafka.containerSecurityContext.enabled Enable Kafka exporter containers' Security Context - ## @param metrics.kafka.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.kafka.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.kafka.containerSecurityContext.runAsUser Set Kafka exporter containers' Security Context runAsUser ## @param metrics.kafka.containerSecurityContext.runAsNonRoot Set Kafka exporter containers' Security Context runAsNonRoot ## @param metrics.kafka.containerSecurityContext.allowPrivilegeEscalation Set Kafka exporter containers' Security Context allowPrivilegeEscalation 
@@ -1885,13 +1891,16 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] + ## @param metrics.kafka.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param metrics.kafka.hostAliases Kafka exporter pods host aliases ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## @@ -2056,7 +2065,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r3 + tag: 0.20.0-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -2073,7 +2082,7 @@ metrics: ## Prometheus JMX exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context - ## @param metrics.jmx.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.jmx.containerSecurityContext.runAsUser Set Prometheus JMX exporter containers' Security Context runAsUser ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation @@ -2088,7 +2097,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -2227,6 +2236,9 @@ provisioning: ## @param provisioning.enabled Enable kafka provisioning Job ## enabled: false + ## @param provisioning.automountServiceAccountToken Mount Service Account token in pod + ## + automountServiceAccountToken: false ## @param provisioning.numPartitions Default number of partitions for topics when unspecified ## numPartitions: 1 @@ -2402,7 +2414,7 @@ provisioning: ## Kafka provisioning containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param provisioning.containerSecurityContext.enabled Enable Kafka provisioning containers' Security Context - ## @param provisioning.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param provisioning.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param provisioning.containerSecurityContext.runAsUser Set Kafka provisioning containers' Security Context runAsUser ## @param provisioning.containerSecurityContext.runAsNonRoot Set Kafka provisioning containers' Security Context runAsNonRoot ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set Kafka provisioning containers' Security Context allowPrivilegeEscalation @@ -2417,7 +2429,7 @@ provisioning: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false diff --git a/charts/bitnami/mariadb/.helmignore b/charts/bitnami/mariadb/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/mariadb/.helmignore +++ b/charts/bitnami/mariadb/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/mariadb/Chart.yaml b/charts/bitnami/mariadb/Chart.yaml index db12ccaf9..759b40a76 100644 --- a/charts/bitnami/mariadb/Chart.yaml +++ b/charts/bitnami/mariadb/Chart.yaml 
@@ -6,14 +6,14 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.2.2-debian-11-r3 + image: docker.io/bitnami/mariadb:11.2.3-debian-11-r0 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r6 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 -appVersion: 11.2.2 +appVersion: 11.2.3 dependencies: - name: common repository: file://./charts/common @@ -37,4 +37,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 15.2.0 +version: 16.0.1 diff --git a/charts/bitnami/mariadb/README.md b/charts/bitnami/mariadb/README.md index 37350bf2a..a8da1af2e 100644 --- a/charts/bitnami/mariadb/README.md +++ b/charts/bitnami/mariadb/README.md @@ -116,6 +116,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.lifecycleHooks` | for the MariaDB Primary container(s) to automate configuration before or after startup | `{}` | | `primary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `primary.hostAliases` | Add deployment host aliases | `[]` | +| `primary.containerPorts.mysql` | Container port for mysql | `3306` | | `primary.configuration` | MariaDB Primary configuration to be injected as ConfigMap | `""` | | `primary.existingConfigmap` | Name of existing ConfigMap with MariaDB Primary configuration. | `""` | | `primary.updateStrategy.type` | MariaDB primary statefulset strategy type | `RollingUpdate` | 
@@ -141,7 +142,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | @@ -217,6 +218,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.lifecycleHooks` | for the MariaDB Secondary container(s) to automate configuration before or after startup | `{}` | | `secondary.automountServiceAccountToken` | Mount Service Account token in pod | `false` | | `secondary.hostAliases` | Add deployment host aliases | `[]` | +| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | | `secondary.configuration` | MariaDB Secondary configuration to be injected as ConfigMap | `""` | | `secondary.existingConfigmap` | Name of existing ConfigMap with MariaDB Secondary configuration. | `""` | | `secondary.updateStrategy.type` | MariaDB secondary statefulset strategy type | `RollingUpdate` | 
@@ -242,7 +244,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | 
@@ -342,8 +344,9 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.annotations` | Annotations for the Exporter pod | `{}` | | `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | +| `metrics.containerPorts.http` | Container port for http | `9104` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | 
@@ -381,22 +384,15 @@ The command removes all the Kubernetes components associated with the chart and ### NetworkPolicy parameters -| Name | Description | Value | -| ---------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable network policies | `false` | -| `networkPolicy.metrics.enabled` | Enable network policy for metrics (prometheus) | `false` | -| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | -| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the primary node. | `[]` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled` | Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. | `false` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). 
| `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). | `{}` | -| `networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules` | Custom network policy for the secondary nodes. | `[]` | -| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | -| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | The above parameters map to the env variables defined in [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb). For more information please refer to the [bitnami/mariadb](https://github.com/bitnami/containers/tree/main/bitnami/mariadb) image documentation. 
@@ -443,15 +439,59 @@ The allowed extensions are `.sh`, `.sql` and `.sql.gz`. These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. -[Refer to the chart documentation for more information and a usage example](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/customize-new-instance/). +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *primary* ]]; then + echo "Primary node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No primary node" + fi +``` ### Sidecars and Init Containers -If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the sidecars parameter. +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. -The Helm chart already includes sidecar containers for the Prometheus exporters. These can be activated by adding the `--set enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. [See an example of configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). 
+```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` -Similarly, additional containers can be added to MariaDB pods using the `initContainers` parameter. [See an example of configuring and using init containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). ## Persistence 
@@ -485,6 +525,10 @@ helm upgrade my-release oci://REGISTRY_NAME/REPOSITORY_NAME/mariadb --set auth.r | Note: you need to substitute the placeholder _[ROOT_PASSWORD]_ with the value obtained in the installation notes. +### To 16.0.0 + +This section enables NetworkPolicies by default to increase security of the application. It also adapts the values in the `networkPolicy` section to the current Bitnami standards. The removed sections are `networkPolicy.metrics.*`, `networkPolicy.ingressRules.*` and `networkPolicy.egressRules.*`. Check the Parameters table for the new structure. + ### To 14.0.0 This major release bumps the MariaDB version to 11.1. Follow the [upstream instructions](https://mariadb.com/kb/en/upgrading-between-minor-versions-on-linux/) for upgrading from MariaDB 11.0 to 11.1. No major issues are expected during the upgrade. @@ -522,8 +566,6 @@ Affected values: [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/administration/upgrade-helm3/). - ### To 8.0.0 - Several parameters were renamed or disappeared in favor of new ones on this major version: diff --git a/charts/bitnami/mariadb/templates/networkpolicy-egress.yaml b/charts/bitnami/mariadb/templates/networkpolicy-egress.yaml deleted file mode 100644 index 64af059fa..000000000 --- a/charts/bitnami/mariadb/templates/networkpolicy-egress.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/mariadb/templates/networkpolicy.yaml b/charts/bitnami/mariadb/templates/networkpolicy.yaml new file mode 100644 index 000000000..5d5fe77ba --- /dev/null +++ b/charts/bitnami/mariadb/templates/networkpolicy.yaml 
@@ -0,0 +1,76 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.http }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/mariadb/templates/primary/configmap.yaml b/charts/bitnami/mariadb/templates/primary/configmap.yaml index 55ed4414e..d51d0a5cc 100644 --- a/charts/bitnami/mariadb/templates/primary/configmap.yaml +++ b/charts/bitnami/mariadb/templates/primary/configmap.yaml @@ -16,5 +16,5 @@ metadata: {{- end }} data: my.cnf: |- -{{ .Values.primary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/bitnami/mariadb/templates/primary/networkpolicy-ingress.yaml b/charts/bitnami/mariadb/templates/primary/networkpolicy-ingress.yaml deleted file mode 100644 index b3e5e6720..000000000 --- a/charts/bitnami/mariadb/templates/primary/networkpolicy-ingress.yaml +++ /dev/null 
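Review bot: `.Values.rts.networkPolicy.extraEgress` in the `extraEgress` include is a typo — `.Values.rts` is not a defined values key, so rendering with `networkPolicy.allowExternalEgress=false` and any `extraEgress` set fails with a nil-pointer template error; the line should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`, matching the `extraIngress` include at the end of the file. Separately, the top-level `podSelector` uses `common.labels.standard` while every peer selector in this same file uses `common.labels.matchLabels`; the standard set presumably carries chart/version labels, so the policy may stop selecting the pods after a chart upgrade if pod labels and policy labels are rendered at different times — `matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}` looks like the intended helper. Note also that the `{{ template "common.names.fullname" . }}-client: "true"` line is split across two lines in this view; if that reflects the committed file it will not render.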
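Review bot: Switching `my.cnf` from `{{ .Values.primary.configuration | indent 4 }}` to `common.tplvalues.render` is a behaviour change for existing users: any `primary.configuration` content containing a literal `{{` was previously passed through verbatim and is now evaluated as a Go template, so it will either fail rendering or be substituted. The README upgrade notes for 16.0.0 only mention NetworkPolicy; a sentence such as "`primary.configuration` is now rendered as a template — escape literal `{{` as `{{ "{{" }}`" should be added there. The same probably applies to the secondary ConfigMap, which is outside this hunk.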
@@ -1,58 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: primary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) 
}} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - {{- $secondaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} - - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $secondaryPodLabels "context" $ ) | nindent 14 }} - app.kubernetes.io/component: secondary - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/mariadb/templates/primary/statefulset.yaml b/charts/bitnami/mariadb/templates/primary/statefulset.yaml index 40d78eb9f..0e8dc7ba1 100644 --- a/charts/bitnami/mariadb/templates/primary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/primary/statefulset.yaml @@ -196,7 +196,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.primary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.primary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} 
@@ -299,11 +299,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.primary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} diff --git a/charts/bitnami/mariadb/templates/secondary/configmap.yaml b/charts/bitnami/mariadb/templates/secondary/configmap.yaml index 8a9599144..ef73b1242 100644 --- a/charts/bitnami/mariadb/templates/secondary/configmap.yaml +++ b/charts/bitnami/mariadb/templates/secondary/configmap.yaml @@ -16,5 +16,5 @@ metadata: {{- end }} data: my.cnf: |- -{{ .Values.secondary.configuration | indent 4 }} + {{- include "common.tplvalues.render" ( dict "value" .Values.secondary.configuration "context" $ ) | nindent 4 }} {{- end -}} diff --git a/charts/bitnami/mariadb/templates/secondary/networkpolicy-ingress.yaml b/charts/bitnami/mariadb/templates/secondary/networkpolicy-ingress.yaml deleted file mode 100644 index d4545af44..000000000 --- a/charts/bitnami/mariadb/templates/secondary/networkpolicy-ingress.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-ingress-secondary" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - {{- $secondaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.secondary.podLabels .Values.commonLabels ) "context" . ) }} - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $secondaryPodLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: secondary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector 
.Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml index 7419178cb..194cea901 100644 --- a/charts/bitnami/mariadb/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mariadb/templates/secondary/statefulset.yaml @@ -183,7 +183,7 @@ spec: {{- end }} ports: - name: mysql - containerPort: 3306 + containerPort: {{ .Values.secondary.containerPorts.mysql }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.secondary.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.secondary.customStartupProbe "context" $) | nindent 12 }} 
@@ -282,11 +282,11 @@ spec: if [[ -f "${MARIADB_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MARIADB_ROOT_PASSWORD_FILE") fi - MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:{{ .Values.secondary.containerPorts.mysql }} --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} diff --git a/charts/bitnami/mariadb/values.yaml b/charts/bitnami/mariadb/values.yaml index dac39b648..5c4c99ffd 100644 --- a/charts/bitnami/mariadb/values.yaml +++ b/charts/bitnami/mariadb/values.yaml @@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.2.2-debian-11-r3 + tag: 11.2.3-debian-11-r0 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -192,6 +192,10 @@ primary: ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param primary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param primary.configuration [string] MariaDB Primary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## 
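Review bot: The rewritten exporter command in secondary/statefulset.yaml still appends `{{- range .Values.metrics.extraArgs.primary }}`, so the secondary's exporter receives the primary's extra arguments even though the line was touched to parameterize the ports. Given the `primary:`/`secondary:` split that values.yaml uses for `metrics.extraVolumeMounts`, `.Values.metrics.extraArgs.secondary` is presumably the intended key; confirm it exists before switching. The shell command this line belongs to begins before the hunk.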
@@ -202,7 +206,7 @@ primary: basedir=/opt/bitnami/mariadb datadir=/bitnami/mariadb/data plugin_dir=/opt/bitnami/mariadb/plugin - port=3306 + port={{ .Values.primary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M @@ -330,7 +334,7 @@ primary: ## MariaDB primary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext - ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged @@ -340,7 +344,7 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -607,6 +611,10 @@ secondary: ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ## hostAliases: [] + ## @param secondary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param secondary.configuration [string] MariaDB Secondary configuration to be injected as ConfigMap ## ref: https://mysql.com/kb/en/mysql/configuring-mysql-with-mycnf/#example-of-configuration-file ## 
@@ -616,7 +624,7 @@ secondary: explicit_defaults_for_timestamp basedir=/opt/bitnami/mariadb datadir=/bitnami/mariadb/data - port=3306 + port={{ .Values.secondary.containerPorts.mysql }} socket=/opt/bitnami/mariadb/tmp/mysql.sock tmpdir=/opt/bitnami/mariadb/tmp max_allowed_packet=16M @@ -743,7 +751,7 @@ secondary: ## MariaDB secondary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext - ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged @@ -753,7 +761,7 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1038,7 +1046,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1074,7 +1082,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r2 + tag: 0.15.1-debian-11-r6 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1135,10 +1143,14 @@ metrics: extraVolumeMounts: primary: [] secondary: [] + ## @param metrics.containerPorts.http Container port for http + ## + containerPorts: + http: 9104 ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged @@ -1156,7 +1168,7 @@ metrics: enabled: false privileged: false runAsNonRoot: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 allowPrivilegeEscalation: false capabilities: 
@@ -1285,100 +1297,57 @@ metrics: rules: [] ## @section NetworkPolicy parameters -## - -## Add networkpolicies +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: - ## @param networkPolicy.enabled Enable network policies + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false - ## @param networkPolicy.metrics.enabled Enable network policy for metrics (prometheus) - ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. - ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is + ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## - metrics: - enabled: false - ## e.g: - ## podSelector: - ## label: monitoring - ## - podSelector: {} - ## e.g: - ## namespaceSelector: - ## label: monitoring - ## - namespaceSelector: {} - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the primary node. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the primary node. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules Custom network policy for the primary node. 
- ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.enabled Enable ingress rule that makes primary mariadb nodes only accessible from a particular origin. - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to acces the secondary nodes. This label will be used to identified the allowed namespace(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the secondary nodes. This label will be used to identified the allowed pod(s). - ## @param networkPolicy.ingressRules.secondaryAccessOnlyFrom.customRules Custom network policy for the secondary nodes. + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ## - ingressRules: - ## Allow access to the primary node only from the indicated: - ## - primaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## customRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - 
frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} - ## Allow access to the secondary node only from the indicated: - ## - secondaryAccessOnlyFrom: - enabled: false - ## e.g: - ## namespaceSelector: - ## label: ingress - ## - namespaceSelector: {} - ## e.g: - ## podSelector: - ## label: access - ## - podSelector: {} - ## custom ingress rules - ## e.g: - ## CustomRules: - ## - from: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: [] - - ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). - ## @param networkPolicy.egressRules.customRules Custom network policy rule - ## - egressRules: - # Deny connections to external. This is not compatible with an external database. - denyConnectionsToExternal: false - ## Additional custom egress rules - ## e.g: - ## customRules: - ## - to: - ## - namespaceSelector: - ## matchLabels: - ## label: example - ## - customRules: {} diff --git a/charts/bitnami/mysql/.helmignore b/charts/bitnami/mysql/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/mysql/.helmignore +++ b/charts/bitnami/mysql/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/mysql/Chart.yaml b/charts/bitnami/mysql/Chart.yaml index f26b02be2..9e3dc0050 100644 --- a/charts/bitnami/mysql/Chart.yaml +++ b/charts/bitnami/mysql/Chart.yaml 
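Review bot: The new `networkPolicy.allowExternal` description refers to "Keycloak" twice, which reads as a copy-paste from another chart; it should name this chart, e.g. `## listening on. When true, MariaDB will accept connections from any source (with the correct destination port).`. The `@param networkPolicy.extraEgress` line says "Add extra ingress rules" where egress is meant, and both examples nest `- matchLabels:` and `- role: frontend` as list items under `podSelector`, which is not valid selector syntax; the example should read `- podSelector:` / `matchLabels:` / `role: frontend` without the inner dashes. Because `networkPolicy.enabled` flips to `true` by default and the generated policy sets `policyTypes: [Ingress, Egress]`, deployments that expose extra container ports (sidecars, custom exporters) will have that traffic dropped on upgrade unless they add `extraIngress`, which belongs in the README upgrade notes. The removed `ingressRules.*`, `metrics.*` and `egressRules.*` keys have no mapping to the new ones, so a user who had locked the primary down with `primaryAccessOnlyFrom` will silently end up with `allowExternal: true` and the database port open to any source.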
@@ -6,11 +6,11 @@ annotations: category: Database images: | - name: mysql - image: docker.io/bitnami/mysql:8.0.36-debian-11-r0 + image: docker.io/bitnami/mysql:8.0.36-debian-11-r4 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r5 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 appVersion: 8.0.36 @@ -36,4 +36,4 @@ maintainers: name: mysql sources: - https://github.com/bitnami/charts/tree/main/bitnami/mysql -version: 9.18.0 +version: 9.19.1 diff --git a/charts/bitnami/mysql/README.md b/charts/bitnami/mysql/README.md index 3e9712bda..93b26870c 100644 --- a/charts/bitnami/mysql/README.md +++ b/charts/bitnami/mysql/README.md @@ -118,6 +118,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.hostAliases` | Deployment pod host aliases | `[]` | | `primary.configuration` | Configure MySQL Primary with a custom my.cnf file | `""` | | `primary.existingConfigmap` | Name of existing ConfigMap with MySQL Primary configuration. | `""` | +| `primary.containerPorts.mysql` | Container port for mysql | `3306` | | `primary.updateStrategy.type` | Update strategy type for the MySQL primary statefulset | `RollingUpdate` | | `primary.podAnnotations` | Additional pod annotations for MySQL primary pods | `{}` | | `primary.podAffinityPreset` | MySQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | 
@@ -140,7 +141,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MySQL primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | User ID for the MySQL primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set MySQL primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | @@ -220,6 +221,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.lifecycleHooks` | for the MySQL Secondary container(s) to automate configuration before or after startup | `{}` | | `secondary.configuration` | Configure MySQL Secondary with a custom my.cnf file | `""` | | `secondary.existingConfigmap` | Name of existing ConfigMap with MySQL Secondary configuration. | `""` | +| `secondary.containerPorts.mysql` | Container port for mysql | `3306` | | `secondary.updateStrategy.type` | Update strategy type for the MySQL secondary statefulset | `RollingUpdate` | | `secondary.podAnnotations` | Additional pod annotations for MySQL secondary pods | `{}` | | `secondary.podAffinityPreset` | MySQL secondary pod affinity preset. Ignored if `secondary.affinity` is set. Allowed values: `soft` or `hard` | `""` | 
@@ -242,7 +244,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MySQL secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MySQL secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set MySQL secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | 
@@ -322,11 +324,15 @@ The command removes all the Kubernetes components associated with the chart and ### Network Policy -| Name | Description | Value | -| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------- | ------- | -| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` | -| `networkPolicy.allowExternal` | The Policy model to apply. | `true` | -| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed to MySQL | `{}` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------- | ------ | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Volume Permissions parameters 
@@ -351,9 +357,10 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.image.pullPolicy` | Exporter image pull policy | `IfNotPresent` | | `metrics.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.containerSecurityContext.enabled` | MySQL metrics container securityContext | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MySQL metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set MySQL metrics container's Security Context runAsNonRoot | `true` | +| `metrics.containerPorts.http` | Container port for http | `9104` | | `metrics.service.type` | Kubernetes service type for MySQL Prometheus Exporter | `ClusterIP` | | `metrics.service.clusterIP` | Kubernetes service clusterIP for MySQL Prometheus Exporter | `""` | | `metrics.service.port` | MySQL Prometheus Exporter service port | `9104` | @@ -425,7 +432,7 @@ Bitnami will release a new chart updating its containers if a new version of the ### Use a different MySQL version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/mysql/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. ### Customize a new MySQL instance 
@@ -435,7 +442,19 @@ The allowed extensions are `.sh`, `.sql` and `.sql.gz`. These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `sql.gz` files. -Refer to the [chart documentation for more information and a usage example](https://docs.bitnami.com/kubernetes/infrastructure/mysql/configuration/customize-new-instance/). +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *master* ]]; then + echo "Master node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No master node" + fi +``` ### Sidecars and Init Containers @@ -557,8 +576,6 @@ helm install mysql oci://REGISTRY_NAME/REPOSITORY_NAME/mysql --set auth.rootPass [On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mysql/administration/upgrade-helm3/). - ### To 3.0.0 Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. diff --git a/charts/bitnami/mysql/templates/networkpolicy.yaml b/charts/bitnami/mysql/templates/networkpolicy.yaml index 2b076bdbf..22192a512 100644 
--- a/charts/bitnami/mysql/templates/networkpolicy.yaml +++ b/charts/bitnami/mysql/templates/networkpolicy.yaml 
@@ -15,26 +15,64 @@ metadata: {{- end }} spec: podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - ingress: - # Allow inbound connections + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} - port: {{ .Values.primary.service.ports.mysql }} + - port: {{ .Values.secondary.service.ports.mysql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.primary.containerPorts.mysql }} + - port: {{ .Values.secondary.containerPorts.mysql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.http }} + {{- end }} {{- if not .Values.networkPolicy.allowExternal }} from: - podSelector: matchLabels: {{ template "common.names.fullname" . 
}}-client: "true" - {{- if .Values.networkPolicy.explicitNamespacesSelector }} - namespaceSelector: -{{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} - {{- end }} - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} {{- end }} - {{- if .Values.metrics.enabled }} - # Allow prometheus scrapes - - ports: - - port: 9104 + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/bitnami/mysql/templates/primary/statefulset.yaml b/charts/bitnami/mysql/templates/primary/statefulset.yaml index a6643d162..011856718 100644 --- a/charts/bitnami/mysql/templates/primary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/primary/statefulset.yaml @@ -151,6 +151,8 @@ spec: key: mysql-password {{- end }} {{- end }} + - name: MYSQL_PORT + value: {{ .Values.primary.containerPorts.mysql | quote}} {{- if and .Values.auth.createDatabase .Values.auth.database }} - name: MYSQL_DATABASE value: {{ .Values.auth.database | quote }} 
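Review bot: The extraEgress branch references `.Values.rts.networkPolicy.extraEgress`, which is not a value this chart defines, so any release that sets `networkPolicy.extraEgress` together with `allowExternalEgress=false` fails to render (nil pointer evaluating `.rts`); the line should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`, matching the extraIngress line at the end of the hunk. The top-level `podSelector` now uses `common.labels.standard` while the egress `to` selector in the same hunk uses `common.labels.matchLabels`; if the standard helper emits `helm.sh/chart` as the Bitnami common library does, that label changes with every chart version and the policy may stop selecting pods of the previous revision mid-upgrade, so the selector-style helper is the safer choice for both. The metrics port is also folded into the ingress rule that gains a `from` restriction when `allowExternal=false`, whereas the removed rule admitted port 9104 from any source, so Prometheus scrapers without the client label or a matched namespace will now be dropped; either keep a separate unrestricted metrics rule or document that scrapers must carry the client label.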
@@ -299,11 +301,11 @@ spec: if [[ -f "${MYSQL_ROOT_PASSWORD_FILE:-}" ]]; then password_aux=$(cat "$MYSQL_ROOT_PASSWORD_FILE") fi - MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} + MYSQLD_EXPORTER_PASSWORD=${password_aux} /bin/mysqld_exporter --mysqld.address=localhost:3306 --mysqld.username=root --web.listen-address=:{{ .Values.metrics.containerPorts.http }} {{- range .Values.metrics.extraArgs.primary }} {{ . }} {{- end }} {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} diff --git a/charts/bitnami/mysql/templates/secondary/statefulset.yaml b/charts/bitnami/mysql/templates/secondary/statefulset.yaml index 23162cc06..3e358b043 100644 --- a/charts/bitnami/mysql/templates/secondary/statefulset.yaml +++ b/charts/bitnami/mysql/templates/secondary/statefulset.yaml @@ -136,6 +136,8 @@ spec: value: {{ .Values.primary.service.ports.mysql | quote }} - name: MYSQL_MASTER_ROOT_USER value: "root" + - name: MYSQL_PORT + value: {{ .Values.secondary.containerPorts.mysql | quote}} - name: MYSQL_REPLICATION_USER value: {{ .Values.auth.replicationUser | quote }} {{- if .Values.auth.usePasswordFiles }} @@ -287,7 +289,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9104 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.livenessProbe.enabled }} livenessProbe: {{- omit .Values.metrics.livenessProbe "enabled" | toYaml | nindent 12 }} diff --git a/charts/bitnami/mysql/values.yaml b/charts/bitnami/mysql/values.yaml index baf16715c..f5fb356c1 100644 --- a/charts/bitnami/mysql/values.yaml +++ b/charts/bitnami/mysql/values.yaml 
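Review bot: The exporter command line still hard-codes `--mysqld.address=localhost:3306` although this same commit makes the server port configurable through `primary.containerPorts.mysql` (the new `MYSQL_PORT` env and the `port=` entry in the generated my.cnf), so a release that changes that value leaves the exporter pointing at a port mysqld no longer listens on and the metrics sidecar's probes fail. Use `--mysqld.address=localhost:{{ .Values.primary.containerPorts.mysql }}`, in the same way `--web.listen-address` now takes `metrics.containerPorts.http`. The secondary statefulset's exporter invocation is outside the hunks shown here; if it follows the same pattern it needs the equivalent change with `secondary.containerPorts.mysql`.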
@@ -85,7 +85,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/mysql - tag: 8.0.36-debian-11-r0 + tag: 8.0.36-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -212,7 +212,7 @@ primary: explicit_defaults_for_timestamp basedir=/opt/bitnami/mysql plugin_dir=/opt/bitnami/mysql/lib/plugin - port=3306 + port= {{ .Values.primary.containerPorts.mysql }} socket=/opt/bitnami/mysql/tmp/mysql.sock datadir=/bitnami/mysql/data tmpdir=/opt/bitnami/mysql/tmp @@ -238,6 +238,10 @@ primary: ## NOTE: When it's set the 'configuration' parameter is ignored ## existingConfigmap: "" + ## @param primary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param primary.updateStrategy.type Update strategy type for the MySQL primary statefulset ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies ## @@ -327,7 +331,7 @@ primary: ## MySQL primary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MySQL primary container securityContext - ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MySQL primary container ## @param primary.containerSecurityContext.runAsNonRoot Set MySQL primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -336,7 +340,7 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
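Review bot: In the primary `configuration` block the new line reads `port= {{ .Values.primary.containerPorts.mysql }}` with a stray space after `=`, while the matching secondary line in the next hunk is `port={{ .Values.secondary.containerPorts.mysql }}`. MySQL option files tolerate whitespace around `=`, so this is unlikely to break startup, but the two blocks should be written identically; drop the space so the rendered my.cnf is `port=3306`.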
@@ -624,7 +628,7 @@ secondary: explicit_defaults_for_timestamp basedir=/opt/bitnami/mysql plugin_dir=/opt/bitnami/mysql/lib/plugin - port=3306 + port={{ .Values.secondary.containerPorts.mysql }} socket=/opt/bitnami/mysql/tmp/mysql.sock datadir=/bitnami/mysql/data tmpdir=/opt/bitnami/mysql/tmp @@ -650,6 +654,10 @@ secondary: ## NOTE: When it's set the 'configuration' parameter is ignored ## existingConfigmap: "" + ## @param secondary.containerPorts.mysql Container port for mysql + ## + containerPorts: + mysql: 3306 ## @param secondary.updateStrategy.type Update strategy type for the MySQL secondary statefulset ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies ## @@ -740,7 +748,7 @@ secondary: ## MySQL secondary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MySQL secondary container securityContext - ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MySQL secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set MySQL secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation @@ -749,7 +757,7 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true allowPrivilegeEscalation: false 
@@ -1045,33 +1053,61 @@ rbac: ## @section Network Policy ## -## MySQL Nework Policy configuration +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ ## networkPolicy: ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false - ## @param networkPolicy.allowExternal The Policy model to apply. - ## When set to false, only pods with the correct - ## client label will have network access to the port MySQL is listening - ## on. When true, MySQL will accept connections from any source - ## (with the correct destination port). + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is + ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). ## allowExternal: true - ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which ingress traffic could be allowed to MySQL - ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace - ## and that match other criteria, the ones that have the good label, can reach the DB. - ## But sometimes, we want the DB to be accessible to clients from other namespaces, in this case, we can use this - ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. 
## - ## Example: - ## explicitNamespacesSelector: - ## matchLabels: - ## role: frontend - ## matchExpressions: - ## - {key: role, operator: In, values: [frontend]} + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend ## - explicitNamespacesSelector: {} + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Volume Permissions parameters ## @@ -1093,7 +1129,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1127,7 +1163,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r2 + tag: 0.15.1-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
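Review bot: The `allowExternal` description now talks about "Keycloak" (copied from another chart) and the `extraEgress` description says "Add extra ingress rules"; both should be corrected, e.g. `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy`. The inline examples also nest lists under `podSelector` and `matchLabels` (`- matchLabels:`, `- role: frontend`), which is not a valid LabelSelector shape and will be copied verbatim by users; write them as maps, `podSelector: {matchLabels: {role: frontend}}`. Since `enabled` flips to `true` while `allowExternal` and `allowExternalEgress` stay `true`, the template renders an ingress rule with no `from` and an `egress: - {}` rule, i.e. the default policy only limits inbound traffic to the listed ports and leaves egress fully open; a comment stating that restricting traffic requires `allowExternal=false` and `allowExternalEgress=false` (plus `ingressNSMatchLabels` for cross-namespace clients) would stop operators from assuming the new default is locked down.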
@@ -1141,15 +1177,19 @@ metrics: ## MySQL metrics container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled MySQL metrics container securityContext - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MySQL metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set MySQL metrics container's Security Context runAsNonRoot ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true + ## @param metrics.containerPorts.http Container port for http + ## + containerPorts: + http: 9104 ## MySQL Prometheus exporter service parameters ## Mysqld Prometheus exporter liveness and readiness probes ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes diff --git a/charts/bitnami/postgresql/.helmignore b/charts/bitnami/postgresql/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/postgresql/.helmignore +++ b/charts/bitnami/postgresql/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/postgresql/Chart.yaml b/charts/bitnami/postgresql/Chart.yaml index a01febc97..93681662c 100644 --- a/charts/bitnami/postgresql/Chart.yaml +++ b/charts/bitnami/postgresql/Chart.yaml 
@@ -6,14 +6,14 @@ annotations: category: Database images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r95 + image: docker.io/bitnami/os-shell:11-debian-11-r96 - name: postgres-exporter - image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r6 + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r9 - name: postgresql - image: docker.io/bitnami/postgresql:16.1.0-debian-11-r22 + image: docker.io/bitnami/postgresql:16.2.0-debian-11-r1 licenses: Apache-2.0 apiVersion: v2 -appVersion: 16.1.0 +appVersion: 16.2.0 dependencies: - name: common repository: file://./charts/common @@ -38,4 +38,4 @@ maintainers: name: postgresql sources: - https://github.com/bitnami/charts/tree/main/bitnami/postgresql -version: 13.4.1 +version: 14.0.4 diff --git a/charts/bitnami/postgresql/README.md b/charts/bitnami/postgresql/README.md index 31ce3053e..109767ed0 100644 --- a/charts/bitnami/postgresql/README.md +++ b/charts/bitnami/postgresql/README.md @@ -213,7 +213,7 @@ kubectl delete pvc -l release=my-release | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `primary.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -248,6 +248,13 @@ kubectl delete pvc -l release=my-release | `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | | `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | | `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `primary.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `primary.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `false` | +| `primary.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `primary.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `primary.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `primary.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `primary.service.type` | Kubernetes Service type | `ClusterIP` | | `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | | `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | 
@@ -318,7 +325,7 @@ kubectl delete pvc -l release=my-release | `readReplicas.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | | `readReplicas.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `readReplicas.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `readReplicas.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `readReplicas.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `readReplicas.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -353,6 +360,13 @@ kubectl delete pvc -l release=my-release | `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | | `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | | `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | +| `readReplicas.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `readReplicas.networkPolicy.allowExternal` | Don't require server label for connections | `true` | +| `readReplicas.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `false` | +| `readReplicas.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `readReplicas.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `readReplicas.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `readReplicas.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | | `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | | `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | 
@@ -399,7 +413,7 @@ kubectl delete pvc -l release=my-release | `backup.cronjob.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `backup.cronjob.podSecurityContext.fsGroup` | Group ID for the CronJob | `1001` | | `backup.cronjob.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `backup.cronjob.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `backup.cronjob.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `backup.cronjob.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `backup.cronjob.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -452,7 +466,7 @@ kubectl delete pvc -l release=my-release | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsGroup` | Group ID for the init container | `0` | | `volumePermissions.containerSecurityContext.runAsNonRoot` | runAsNonRoot for the init container | `false` | 
@@ -485,7 +499,7 @@ kubectl delete pvc -l release=my-release | `metrics.customMetrics` | Define additional custom metrics | `{}` | | `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -574,7 +588,39 @@ At the top level, there is a service object which defines the services for both ### Use a different PostgreSQL version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. + +### LDAP + +LDAP support can be enabled in the chart by specifying the `ldap.` parameters while creating a release. The following parameters should be configured to properly enable the LDAP support in the chart. + +- **ldap.enabled**: Enable LDAP support. Defaults to `false`. +- **ldap.uri**: LDAP URL beginning in the form `ldap[s]://:`. No defaults. +- **ldap.base**: LDAP base DN. No defaults. +- **ldap.binddn**: LDAP bind DN. No defaults. +- **ldap.bindpw**: LDAP bind password. No defaults. +- **ldap.bslookup**: LDAP base lookup. No defaults. +- **ldap.nss_initgroups_ignoreusers**: LDAP ignored users. `root,nslcd`. +- **ldap.scope**: LDAP search scope. No defaults. +- **ldap.tls_reqcert**: LDAP TLS check on server certificates. No defaults. + +For example: + +```text +ldap.enabled="true" +ldap.uri="ldap://my_ldap_server" +ldap.base="dc=example\,dc=org" +ldap.binddn="cn=admin\,dc=example\,dc=org" +ldap.bindpw="admin" +ldap.bslookup="ou=group-ok\,dc=example\,dc=org" +ldap.nss_initgroups_ignoreusers="root\,nslcd" +ldap.scope="sub" +ldap.tls_reqcert="demand" +``` + +Next, login to the PostgreSQL server using the `psql` client and add the PAM authenticated LDAP users. 
+ +> Note: Parameters including commas must be escaped as shown in the above example. ### postgresql.conf / pg_hba.conf files as configMap @@ -698,7 +744,7 @@ global.postgresql.auth.database=testdb This way, the credentials will be available in all of the subcharts. -## Persistence +### Persistence The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. 
@@ -707,7 +753,20 @@ See the [Parameters](#parameters) section to configure the PVC or to disable per If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. -## NetworkPolicy +### Backup and restore PostgreSQL deployments + +To back up and restore Bitnami PostgreSQL Helm chart deployments on Kubernetes, you need to back up the persistent volumes from the source deployment and attach them to a new deployment using [Velero](https://velero.io/), a Kubernetes backup/restore tool. + +These are the steps you will usually follow to back up and restore your PostgreSQL cluster data: + +- Install Velero on the source and destination clusters. +- Use Velero to back up the PersistentVolumes (PVs) used by the deployment on the source cluster. +- Use Velero to restore the backed-up PVs on the destination cluster. +- Create a new deployment on the destination cluster with the same chart, deployment name, credentials and other parameters as the original. This new deployment will use the restored PVs and hence the original data. + +Refer to our detailed [tutorial on backing up and restoring PostgreSQL deployments on Kubernetes](https://docs.bitnami.com/tutorials/migrate-data-bitnami-velero/) for more information. + +### NetworkPolicy To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. 
@@ -722,7 +781,7 @@ With NetworkPolicy enabled, traffic will be limited to just port 5432. For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. This label will be displayed in the output of a successful install. -## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image +### Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image - The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. - The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. @@ -742,6 +801,12 @@ Find more information about how to deal with common errors related to Bitnami's ## Upgrading +### To 14.0.0 + +This major version adapts the NetworkPolicy objects to the most recent Bitnami standards. Now there is a separate object for `primary` and for `readReplicas`, being located in their corresponding sections. It is also enabled by default in other to comply with the best security standards. + +Check the parameter section for the new value structure. + ### To 13.0.0 This major version changes the default PostgreSQL image from 15.x to 16.x. Follow the [official instructions](https://www.postgresql.org/docs/16/upgrading.html) to upgrade to 16.x. 
@@ -750,9 +815,191 @@ This major version changes the default PostgreSQL image from 15.x to 16.x. Follo This major version changes the default PostgreSQL image from 14.x to 15.x. Follow the [official instructions](https://www.postgresql.org/docs/15/upgrading.html) to upgrade to 15.x. -### To any previous version +### To 11.0.0 -Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). +In this version the application version was bumped to _14.x_ series. Also, this major release renames several values in this chart and adds missing features, in order to be inline with the rest of assets in the Bitnami charts repository. + +- _replication.enabled_ parameter is deprecated in favor of _architecture_ parameter that accepts two values: _standalone_ and _replication_. +- _replication.singleService_ and _replication.uniqueServices_ parameters are deprecated. When using replication, each statefulset (primary and read-only) has its own headless service & service allowing to connect to read-only replicas through the service (round-robin) or individually. +- _postgresqlPostgresPassword_, _postgresqlUsername_, _postgresqlPassword_, _postgresqlDatabase_, _replication.user_, _replication.password_, and _existingSecret_ parameters have been regrouped under the _auth_ map. The _auth_ map uses a new perspective to configure authentication, so please read carefully each sub-parameter description. +- _extraEnv_ has been deprecated in favor of _primary.extraEnvVars_ and _readReplicas.extraEnvVars_. +- _postgresqlConfiguration_, _pgHbaConfiguration_, _configurationConfigMap_, _postgresqlExtendedConf_, and _extendedConfConfigMap_ have been deprecated in favor of _primary.configuration_, _primary.pgHbaConfiguration_, _primary.existingConfigmap_, _primary.extendedConfiguration_, and _primary.existingExtendedConfigmap_. 
+- _postgresqlInitdbArgs_, _postgresqlInitdbWalDir_, _initdbScripts_, _initdbScriptsConfigMap_, _initdbScriptsSecret_, _initdbUser_ and _initdbPassword_ have been regrouped under the _primary.initdb_ map. +- _postgresqlMaxConnections_, _postgresqlPostgresConnectionLimit_, _postgresqlDbUserConnectionLimit_, _postgresqlTcpKeepalivesInterval_, _postgresqlTcpKeepalivesIdle_, _postgresqlTcpKeepalivesCount_, _postgresqlStatementTimeout_ and _postgresqlPghbaRemoveFilters_ parameters are deprecated. Use _XXX.extraEnvVars_ instead. +- _primaryAsStandBy_ has been deprecated in favor of _primary.standby_. +- _securityContext_ and _containerSecurityContext_ have been deprecated in favor of _primary.podSecurityContext_, _primary.containerSecurityContext_, _readReplicas.podSecurityContext_, and _readReplicas.containerSecurityContext_. +- _livenessProbe_ and _readinessProbe_ maps have been deprecated in favor of _primary.livenessProbe_, _primary.readinessProbe_, _readReplicas.livenessProbe_ and _readReplicas.readinessProbe_ maps. +- _persistence_ map has been deprecated in favor of _primary.persistence_ and _readReplicas.persistence_ maps. +- _networkPolicy_ map has been completely refactored. +- _service_ map has been deprecated in favor of _primary.service_ and _readReplicas.service_ maps. +- _metrics.service.port_ has been regrouped under the _metrics.service.ports_ map. +- _serviceAccount.enabled_ and _serviceAccount.autoMount_ have been deprecated in favor of _serviceAccount.create_ and _serviceAccount.automountServiceAccountToken_. + +#### How to upgrade to version 11.0.0 + +To upgrade to _11.0.0_ from _10.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of these actions. + +1. 
Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_) and secret: + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +kubectl delete secret postgresql --namespace default +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +CURRENT_VERSION=$(kubectl exec postgresql-postgresql-0 -- bash -c 'echo $BITNAMI_IMAGE_VERSION') +helm upgrade postgresql bitnami/postgresql \ + --set auth.postgresPassword=$POSTGRESQL_PASSWORD \ + --set primary.persistence.existingClaim=$POSTGRESQL_PVC \ + --set image.tag=$CURRENT_VERSION +``` + +1. You will have to delete the existing PostgreSQL pod and the new statefulset is going to create a new one + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +> NOTE: the instructions above reuse the same PostgreSQL version you were using in your chart release. Otherwise, you will find an error such as the one below when upgrading since the new chart major version also bumps the application version. 
To workaround this issue you need to upgrade database, please refer to the [official PostgreSQL documentation](https://www.postgresql.org/docs/current/upgrading.html) for more information about this. + +```console +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,app.kubernetes.io/component=primary -o jsonpath="{.items[0].metadata.name}") + ... +postgresql 08:10:14.72 INFO ==> ** Starting PostgreSQL ** +2022-02-01 08:10:14.734 GMT [1] FATAL: database files are incompatible with server +2022-02-01 08:10:14.734 GMT [1] DETAIL: The data directory was initialized by PostgreSQL version 11, which is not compatible with this version 14.1. +``` + +### To 10.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Move dependency information from the _requirements.yaml_ to the _Chart.yaml_ +- After running _helm dependency update_, a _Chart.lock_ file is generated containing the same structure used in the previous _requirements.lock_ +- The different fields present in the _Chart.yaml_ file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Chart. +- The term _master_ has been replaced with _primary_ and _slave_ with _readReplicas_ throughout the chart. Role names have changed from _master_ and _slave_ to _primary_ and _read_. 
+ +#### Considerations when upgrading to this version + +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version does not support Helm v2 anymore. +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3. + +#### Useful links + +- [Bitnami Tutorial](https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues) +- [Helm docs](https://helm.sh/docs/topics/v2_v3_migration) +- [Helm Blog](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3) + +#### How to upgrade to version 10.0.0 + +To upgrade to _10.0.0_ from _9.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app.kubernetes.io/instance=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. 
Delete the existing PostgreSQL pod and the new statefulset will create a new one: + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=primary -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` + +### To 9.0.0 + +In this version the chart was adapted to follow the [Helm standard labels](https://helm.sh/docs/chart_best_practices/labels/#standard-labels). + +- Some inmutable objects were modified to adopt Helm standard labels introducing backward incompatibilities. + +#### How to upgrade to version 9.0.0 + +To upgrade to _9.0.0_ from _8.x_, it should be done reusing the PVC(s) used to hold the PostgreSQL data on your previous release. To do so, follow the instructions below (the following example assumes that the release name is _postgresql_): + +> NOTE: Please, create a backup of your database before running any of those actions. + +1. Obtain the credentials and the names of the PVCs used to hold the PostgreSQL data on your current release: + +```console +export POSTGRESQL_PASSWORD=$(kubectl get secret --namespace default postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode) +export POSTGRESQL_PVC=$(kubectl get pvc -l app=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +``` + +1. Delete the PostgreSQL statefulset (notice the option _--cascade=false_): + +```console +kubectl delete statefulsets.apps postgresql-postgresql --namespace default --cascade=false +``` + +1. Upgrade your release using the same PostgreSQL version: + +```console +helm upgrade postgresql bitnami/postgresql \ + --set postgresqlPassword=$POSTGRESQL_PASSWORD \ + --set persistence.existingClaim=$POSTGRESQL_PVC +``` + +1. 
Delete the existing PostgreSQL pod and the new statefulset will create a new one: + +```console +kubectl delete pod postgresql-postgresql-0 +``` + +1. Finally, you should see the lines below in PostgreSQL container logs: + +```text +$ kubectl logs $(kubectl get pods -l app.kubernetes.io/instance=postgresql,app.kubernetes.io/name=postgresql,role=master -o jsonpath="{.items[0].metadata.name}") +... +postgresql 08:05:12.59 INFO ==> Deploying PostgreSQL with persisted data... +... +``` ## License diff --git a/charts/bitnami/postgresql/templates/networkpolicy-egress.yaml b/charts/bitnami/postgresql/templates/networkpolicy-egress.yaml deleted file mode 100644 index b67817c05..000000000 --- a/charts/bitnami/postgresql/templates/networkpolicy-egress.yaml +++ /dev/null 
@@ -1,34 +0,0 @@ -{{- /* -Copyright VMware, Inc. -SPDX-License-Identifier: APACHE-2.0 -*/}} - -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} -kind: NetworkPolicy -metadata: - name: {{ printf "%s-egress" (include "common.names.fullname" .) }} - namespace: {{ .Release.Namespace }} - labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} - {{- if .Values.commonAnnotations }} - annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} - {{- end }} -spec: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - policyTypes: - - Egress - egress: - {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} - - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - - namespaceSelector: {} - {{- end }} - {{- if .Values.networkPolicy.egressRules.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/bitnami/postgresql/templates/primary/networkpolicy.yaml b/charts/bitnami/postgresql/templates/primary/networkpolicy.yaml index 9da3fb491..8b537c3da 100644 --- a/charts/bitnami/postgresql/templates/primary/networkpolicy.yaml +++ b/charts/bitnami/postgresql/templates/primary/networkpolicy.yaml 
@@ -3,59 +3,77 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +{{- if .Values.primary.networkPolicy.enabled }} kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: - name: {{ printf "%s-ingress" (include "postgresql.v1.primary.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + name: {{ include "postgresql.v1.primary.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: primary {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- $primaryPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . ) }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . 
) }} podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $primaryPodLabels "context" $ ) | nindent 6 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: primary - ingress: - {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} - - from: - {{- if .Values.networkPolicy.metrics.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.metrics.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: - - port: {{ .Values.metrics.containerPorts.metrics }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns 
resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to read-replicas + - ports: + - port: {{ include "postgresql.v1.readReplica.service.port" . }} - port: {{ .Values.containerPorts.postgresql }} - {{- end }} - {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} - - from: - {{- $readPodLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + to: - podSelector: - matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $readPodLabels "context" $ ) | nindent 14 }} + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} app.kubernetes.io/component: read - ports: - - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.primary.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} - {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.primary.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.primary.fullname" . 
}}-client: "true" + {{- if .Values.primary.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.primary.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} diff --git a/charts/bitnami/postgresql/templates/read/networkpolicy.yaml b/charts/bitnami/postgresql/templates/read/networkpolicy.yaml index 79d3a5aa8..a3cb87686 100644 --- a/charts/bitnami/postgresql/templates/read/networkpolicy.yaml +++ b/charts/bitnami/postgresql/templates/read/networkpolicy.yaml 
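Review bot: The egress switch in the primary policy reads `{{- if .Values.networkPolicy.allowExternalEgress }}`, i.e. the legacy top-level `networkPolicy` map, while values.yaml introduces the toggle as `primary.networkPolicy.allowExternalEgress` and the read template reads `.Values.primary.networkPolicy.allowExternalEgress`; the per-primary value is therefore never consulted, and if the legacy key is gone the condition is always false, so egress is always restricted regardless of what the user sets. The line should be `{{- if .Values.primary.networkPolicy.allowExternalEgress }}`. With egress restricted, the only allowed destinations are DNS and the read replicas, so a primary deployed in standby mode (`primary.standby` per the README) would presumably be unable to reach its upstream unless `primary.networkPolicy.extraEgress` is set; a one-line comment on the egress block, `# Note: standby primaries need extraEgress to reach their upstream`, would save operators a debugging session. Likewise the metrics port now sits behind the same `from` selectors as the database port, so when `allowExternal` is false a scraper in another namespace needs `ingressNSMatchLabels`/`extraIngress`, which replaces the old dedicated `networkPolicy.metrics.*` selectors and deserves a sentence in the 14.0.0 upgrade note.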
@@ -3,37 +3,77 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} -apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +{{- if .Values.primary.networkPolicy.enabled }} kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} metadata: - name: {{ printf "%s-ingress" (include "postgresql.v1.readReplica.fullname" .) }} - namespace: {{ .Release.Namespace | quote }} + name: {{ include "postgresql.v1.readReplica.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} app.kubernetes.io/component: read {{- if .Values.commonAnnotations }} annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} {{- end }} spec: - {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }} + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.primary.podLabels .Values.commonLabels ) "context" . 
) }} podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} app.kubernetes.io/component: read - ingress: - {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} - - from: - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} - - namespaceSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} - {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} - - podSelector: - matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} - {{- end }} - ports: + policyTypes: + - Ingress + - Egress + {{- if .Values.primary.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to primary + - ports: + - port: {{ include "postgresql.v1.service.port" . 
}} - port: {{ .Values.containerPorts.postgresql }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: primary + {{- if .Values.primary.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraEgress "context" $ ) | nindent 4 }} {{- end }} - {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} - {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.primary.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "postgresql.v1.primary.fullname" . }}-client: "true" + {{- if .Values.primary.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.primary.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.primary.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.networkPolicy.extraIngress "context" $ ) | nindent 4 }} {{- end }} {{- end }} 
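Review bot: Every value the read-replica policy consults is `.Values.primary.networkPolicy.*` (the `enabled` guard, `allowExternalEgress`, `extraEgress`, `allowExternal`, `ingressNSMatchLabels`, `ingressNSPodMatchLabels`, `extraIngress`), and `$podLabels` is now merged from `.Values.primary.podLabels` where the removed line used `.Values.readReplicas.podLabels`; values.yaml adds a parallel `readReplicas.networkPolicy` map in hunk `@@ -977,6 +1032,61 @@` that this template never reads. Beyond the dead configuration, a user who sets custom `primary.podLabels` gets those labels in the read policy's `podSelector`, which can then match no read pod at all, leaving the replicas with no policy applied. The old guard `(eq .Values.architecture "replication")` was also dropped, so the object is rendered in standalone mode where no read pods exist. The rewritten lines below switch every reference to the `readReplicas` map and restore the architecture guard; whether the `-client` label should keep using the primary fullname is unclear from the hunk and is left as is.
```yaml
{{- if and .Values.readReplicas.networkPolicy.enabled (eq .Values.architecture "replication") }}
# … unchanged: kind, apiVersion, metadata …
spec:
  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.readReplicas.podLabels .Values.commonLabels ) "context" . ) }}
  # … unchanged: podSelector, policyTypes …
  {{- if .Values.readReplicas.networkPolicy.allowExternalEgress }}
  # … unchanged: egress rules for DNS and the primary …
  {{- if .Values.readReplicas.networkPolicy.extraEgress }}
  {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
  # … unchanged: ingress ports …
  {{- if not .Values.readReplicas.networkPolicy.allowExternal }}
  # … unchanged: self and client podSelectors …
  {{- if .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
  {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSMatchLabels }}
  # … unchanged: label rendering …
  {{- if .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
  {{- range $key, $value := .Values.readReplicas.networkPolicy.ingressNSPodMatchLabels }}
  # … unchanged: label rendering, closing ends …
  {{- if .Values.readReplicas.networkPolicy.extraIngress }}
  {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
```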
diff --git a/charts/bitnami/postgresql/values.yaml b/charts/bitnami/postgresql/values.yaml index 316559c55..feb9e7d95 100644 --- a/charts/bitnami/postgresql/values.yaml +++ b/charts/bitnami/postgresql/values.yaml @@ -98,7 +98,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/postgresql - tag: 16.1.0-debian-11-r22 + tag: 16.2.0-debian-11-r1 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -465,7 +465,7 @@ primary: ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param primary.containerSecurityContext.enabled Enabled containers' Security Context - ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param primary.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set container's Security Context privileged @@ -476,7 +476,7 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -602,6 +602,61 @@ primary: ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) ## extraPodSpec: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param primary.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param primary.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param primary.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: false + ## @param primary.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param primary.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param primary.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## PostgreSQL Primary service configuration 
## service: @@ -840,7 +895,7 @@ readReplicas: ## Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ ## @param readReplicas.containerSecurityContext.enabled Enabled containers' Security Context - ## @param readReplicas.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param readReplicas.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param readReplicas.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param readReplicas.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param readReplicas.containerSecurityContext.privileged Set container's Security Context privileged @@ -851,7 +906,7 @@ readReplicas: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
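Review bot: The parameter description `## @param primary.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy` documents an egress knob as ingress and should read `Add extra egress rules to the NetworkPolicy`; the line above it for `extraIngress` also misspells the kind as `NetworkPolice`. The example rules in both comment blocks nest selectors as list items (`- podSelector:` followed by `- matchLabels:` and `- role: frontend`), which is not a valid label-selector shape and will be pasted verbatim by users; the example should read `- podSelector:` / `    matchLabels:` / `      role: frontend`. Since the new defaults are `enabled: true` together with `allowExternal: true`, the rendered policy still admits any source on the database and metrics ports and only scopes ports and egress, so a sentence such as `## With allowExternal=true the ingress rule has no "from" clause; set it to false to restrict clients` next to `allowExternal` would make the actual posture explicit. The same description and example defects are repeated in the `readReplicas.networkPolicy` block added in hunk `@@ -977,6 +1032,61 @@`.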
@@ -977,6 +1032,61 @@ readReplicas: ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) ## extraPodSpec: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param readReplicas.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param readReplicas.networkPolicy.allowExternal Don't require server label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## server label will have network access to the ports server is listening + ## on. When true, server will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param readReplicas.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: false + ## @param readReplicas.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param readReplicas.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param readReplicas.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param readReplicas.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: 
{} ## PostgreSQL read only service configuration ## service: @@ -1139,7 +1249,7 @@ backup: ## backup container's Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param backup.cronjob.containerSecurityContext.enabled Enabled containers' Security Context - ## @param backup.cronjob.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param backup.cronjob.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param backup.cronjob.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param backup.cronjob.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param backup.cronjob.containerSecurityContext.privileged Set container's Security Context privileged @@ -1149,7 +1259,7 @@ backup: ## @param backup.cronjob.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1330,7 +1440,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r95 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1352,14 +1462,14 @@ volumePermissions:
 ## Init container' Security Context
 ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
 ## and not the below volumePermissions.containerSecurityContext.runAsUser
- ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container
+ ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
 ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
 ## @param volumePermissions.containerSecurityContext.runAsNonRoot runAsNonRoot for the init container
 ## @param volumePermissions.containerSecurityContext.seccompProfile.type seccompProfile.type for the init container
 ##
 containerSecurityContext:
- seLinuxOptions: {}
+ seLinuxOptions: null
 runAsUser: 0
 runAsGroup: 0
 runAsNonRoot: false
@@ -1433,7 +1543,7 @@ metrics:
 image:
 registry: docker.io
 repository: bitnami/postgres-exporter
- tag: 0.15.0-debian-11-r6
+ tag: 0.15.0-debian-11-r9
 digest: ""
 pullPolicy: IfNotPresent
 ## Optionally specify an array of imagePullSecrets.
@@ -1475,7 +1585,7 @@ metrics:
 ## PostgreSQL Prometheus exporter containers' Security Context
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
 ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context
- ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container
+ ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
 ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
 ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged
@@ -1486,7 +1596,7 @@ metrics:
 ##
 containerSecurityContext:
 enabled: true
- seLinuxOptions: {}
+ seLinuxOptions: null
 runAsUser: 1001
 runAsNonRoot: true
 privileged: false
diff --git a/charts/bitnami/redis/.helmignore b/charts/bitnami/redis/.helmignore
index f0c131944..fb56657ab 100644
--- a/charts/bitnami/redis/.helmignore
+++ b/charts/bitnami/redis/.helmignore
@@ -19,3 +19,5 @@
 .project
 .idea/
 *.tmproj
+# img folder
+img/
diff --git a/charts/bitnami/redis/Chart.yaml b/charts/bitnami/redis/Chart.yaml
index 01187ac84..6de37aa52 100644
--- a/charts/bitnami/redis/Chart.yaml
+++ b/charts/bitnami/redis/Chart.yaml
@@ -6,13 +6,13 @@ annotations:
 category: Database
 images: |
 - name: os-shell
- image: docker.io/bitnami/os-shell:11-debian-11-r94
+ image: docker.io/bitnami/os-shell:11-debian-11-r96
 - name: redis-exporter
- image: docker.io/bitnami/redis-exporter:1.56.0-debian-11-r1
+ image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2
 - name: redis-sentinel
- image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r3
+ image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6
 - name: redis
- image: docker.io/bitnami/redis:7.2.4-debian-11-r2
+ image: docker.io/bitnami/redis:7.2.4-debian-11-r5
 licenses: Apache-2.0
 apiVersion: v2
 appVersion: 7.2.4
@@ -37,4 +37,4 @@ maintainers:
 name: redis
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/redis
-version: 18.8.0
+version: 18.12.1
diff --git a/charts/bitnami/redis/README.md b/charts/bitnami/redis/README.md
index 7874db508..6eb2bf85c 100644
--- a/charts/bitnami/redis/README.md
+++ b/charts/bitnami/redis/README.md
@@ -168,7 +168,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `master.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `master.podSecurityContext.fsGroup` | Set Redis® master pod's Security Context fsGroup | `1001` |
 | `master.containerSecurityContext.enabled` | Enabled Redis® master containers' Security Context | `true` |
-| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `master.containerSecurityContext.runAsUser` | Set Redis® master containers' Security Context runAsUser | `1001` |
 | `master.containerSecurityContext.runAsGroup` | Set Redis® master containers' Security Context runAsGroup | `0` |
 | `master.containerSecurityContext.runAsNonRoot` | Set Redis® master containers' Security Context runAsNonRoot | `true` |
@@ -287,7 +287,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `replica.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
 | `replica.podSecurityContext.fsGroup` | Set Redis® replicas pod's Security Context fsGroup | `1001` |
 | `replica.containerSecurityContext.enabled` | Enabled Redis® replicas containers' Security Context | `true` |
-| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `replica.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `replica.containerSecurityContext.runAsUser` | Set Redis® replicas containers' Security Context runAsUser | `1001` |
 | `replica.containerSecurityContext.runAsGroup` | Set Redis® replicas containers' Security Context runAsGroup | `0` |
 | `replica.containerSecurityContext.runAsNonRoot` | Set Redis® replicas containers' Security Context runAsNonRoot | `true` |
@@ -430,7 +430,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `sentinel.resources.limits` | The resources limits for the Redis® Sentinel containers | `{}` |
 | `sentinel.resources.requests` | The requested resources for the Redis® Sentinel containers | `{}` |
 | `sentinel.containerSecurityContext.enabled` | Enabled Redis® Sentinel containers' Security Context | `true` |
-| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` |
+| `sentinel.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
 | `sentinel.containerSecurityContext.runAsUser` | Set Redis® Sentinel containers' Security Context runAsUser | `1001` |
 | `sentinel.containerSecurityContext.runAsGroup` | Set Redis® Sentinel containers' Security Context runAsGroup | `0` |
 | `sentinel.containerSecurityContext.runAsNonRoot` | Set Redis® Sentinel containers' Security Context runAsNonRoot | `true` |
@@ -462,8 +462,9 @@ The command removes all the Kubernetes components associated with the chart and
 | Name | Description | Value |
 | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
 | `serviceBindings.enabled` | Create secret for service binding (Experimental) | `false` |
-| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `false` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` |
 | `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
+| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
 | `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
 | `networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy | `[]` |
 | `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
@@ -494,88 +495,92 @@ The command removes all the Kubernetes components associated with the chart and ### Metrics Parameters -| Name | Description | Value | -| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- | -------------------------------- | -| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | -| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | -| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | -| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | -| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | -| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | -| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | -| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | -| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | -| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | -| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | -| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | -| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | -| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | -| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | -| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | -| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | -| `metrics.livenessProbe.successThreshold` | 
Success threshold for livenessProbe | `1` | -| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | -| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | -| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | -| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | -| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | -| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | -| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | -| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | -| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | -| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | -| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | -| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | -| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | -| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | -| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | -| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | -| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | -| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | 
`false` | -| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | -| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | -| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | -| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | -| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | -| `metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | -| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | -| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | -| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | -| `metrics.service.port` | Redis® exporter service port | `9121` | -| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | -| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | -| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | -| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | -| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | -| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | -| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | -| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` 
| -| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | -| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. | `[]` | -| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | -| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | -| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | -| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | -| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | -| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | -| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | -| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | -| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | -| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | -| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | -| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | -| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | -| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | -| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | +| Name | Description | Value | +| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | +| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis® metrics | `false` | +| `metrics.image.registry` | Redis® Exporter image registry | `REGISTRY_NAME` | +| `metrics.image.repository` | Redis® Exporter image repository | `REPOSITORY_NAME/redis-exporter` | +| `metrics.image.digest` | Redis® Exporter image digest in the way sha256:aa.... 
Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | Redis® Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Redis® Exporter image pull secrets | `[]` | +| `metrics.containerPorts.http` | Metrics HTTP container port | `9121` | +| `metrics.startupProbe.enabled` | Enable startupProbe on Redis® replicas nodes | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `5` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `5` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on Redis® replicas nodes | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `10` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `5` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on Redis® replicas nodes | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.customStartupProbe` | Custom startupProbe that 
overrides the default one | `{}` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.command` | Override default metrics container init command (useful when using custom images) | `[]` | +| `metrics.redisTargetHost` | A way to specify an alternative Redis® hostname | `localhost` | +| `metrics.extraArgs` | Extra arguments for Redis® exporter, for example: | `{}` | +| `metrics.extraEnvVars` | Array with extra environment variables to add to Redis® exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enabled Redis® exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metrics.containerSecurityContext.runAsUser` | Set Redis® exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsGroup` | Set Redis® exporter containers' Security Context runAsGroup | `0` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set Redis® exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.containerSecurityContext.allowPrivilegeEscalation` | Set Redis® exporter containers' Security Context allowPrivilegeEscalation | `false` | +| `metrics.containerSecurityContext.seccompProfile.type` | Set Redis® exporter containers' Security Context seccompProfile | `RuntimeDefault` | +| `metrics.containerSecurityContext.capabilities.drop` | Set Redis® exporter containers' Security Context capabilities to drop | `["ALL"]` | +| `metrics.extraVolumes` | Optionally specify extra list of additional volumes for the Redis® metrics sidecar | `[]` | +| `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the Redis® metrics sidecar | `[]` | +| `metrics.resources.limits` | The resources limits for the Redis® exporter container | `{}` | +| 
`metrics.resources.requests` | The requested resources for the Redis® exporter container | `{}` | +| `metrics.podLabels` | Extra labels for Redis® exporter pods | `{}` | +| `metrics.podAnnotations` | Annotations for Redis® exporter pods | `{}` | +| `metrics.service.enabled` | Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor | `true` | +| `metrics.service.type` | Redis® exporter service type | `ClusterIP` | +| `metrics.service.ports.http` | Redis® exporter service port | `9121` | +| `metrics.service.externalTrafficPolicy` | Redis® exporter service external traffic policy | `Cluster` | +| `metrics.service.extraPorts` | Extra ports to expose (normally used with the `sidecar` value) | `[]` | +| `metrics.service.loadBalancerIP` | Redis® exporter service Load Balancer IP | `""` | +| `metrics.service.loadBalancerClass` | exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific) | `""` | +| `metrics.service.loadBalancerSourceRanges` | Redis® exporter service Load Balancer sources | `[]` | +| `metrics.service.annotations` | Additional custom annotations for Redis® exporter service | `{}` | +| `metrics.service.clusterIP` | Redis® exporter service Cluster IP | `""` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.serviceMonitor.namespace` | The namespace in which the ServiceMonitor will be created | `""` | +| `metrics.serviceMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.serviceMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.additionalLabels` | Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.serviceMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.serviceMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.serviceMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.podMonitor.enabled` | Create PodMonitor resource(s) for scraping metrics using PrometheusOperator | `false` | +| `metrics.podMonitor.namespace` | The namespace in which the PodMonitor will be created | `""` | +| `metrics.podMonitor.interval` | The interval at which metrics should be scraped | `30s` | +| `metrics.podMonitor.scrapeTimeout` | The timeout after which the scrape is ended | `""` | +| `metrics.podMonitor.relabellings` | Metrics RelabelConfigs to apply to samples before scraping. | `[]` | +| `metrics.podMonitor.metricRelabelings` | Metrics RelabelConfigs to apply to samples before ingestion. 
| `[]` | +| `metrics.podMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.podMonitor.additionalLabels` | Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus | `{}` | +| `metrics.podMonitor.podTargetLabels` | Labels from the Kubernetes pod to be transferred to the created metrics | `[]` | +| `metrics.podMonitor.sampleLimit` | Limit of how many samples should be scraped from every Pod | `false` | +| `metrics.podMonitor.targetLimit` | Limit of how many targets should be scraped | `false` | +| `metrics.podMonitor.additionalEndpoints` | Additional endpoints to scrape (e.g sentinel) | `[]` | +| `metrics.prometheusRule.enabled` | Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator | `false` | +| `metrics.prometheusRule.namespace` | The namespace in which the prometheusRule will be created | `""` | +| `metrics.prometheusRule.additionalLabels` | Additional labels for the prometheusRule | `{}` | +| `metrics.prometheusRule.rules` | Custom Prometheus rules | `[]` | ### Init Container Parameters 
@@ -589,7 +594,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | | `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | | `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` | | `sysctl.enabled` | Enable init container to modify Kernel settings | `false` | | `sysctl.image.registry` | OS Shell + Utility image registry | `REGISTRY_NAME` | @@ -644,7 +649,7 @@ Bitnami will release a new chart updating its containers if a new version of the ### Use a different Redis® version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/redis/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. ### Bootstrapping with an External Cluster 
@@ -746,13 +751,27 @@ It's recommended to only change `master.count` if you know what you are doing. ### Using a password file -To use a password file for Redis® you need to create a secret containing the password and then deploy the chart using that secret. +To use a password file for Redis® you need to create a secret containing the password and then deploy the chart using that secret. Follow these instructions: -Refer to the chart documentation for more information on [using a password file for Redis®](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/use-password-file/). +- Create the secret with the password. It is important that the file with the password must be called `redis-password`. + +```console +kubectl create secret generic redis-password-secret --from-file=redis-password.yaml +``` + +- Deploy the Helm Chart using the secret name as parameter: + +```text +usePassword=true +usePasswordFile=true +existingSecret=redis-password-secret +sentinels.enabled=true +metrics.enabled=true +``` ### Securing traffic using TLS -TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the cluster: - `tls.enabled`: Enable TLS support. Defaults to `false` - `tls.existingSecret`: Name of the secret that contains the certificates. No defaults. 
@@ -760,7 +779,23 @@ TLS support can be enabled in the chart by specifying the `tls.` parameters whil - `tls.certKeyFilename`: Certificate key filename. No defaults. - `tls.certCAFilename`: CA Certificate filename. No defaults. -Refer to the chart documentation for more information on [creating the secret and a TLS deployment example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-tls/). +For example: + +First, create the secret with the certificates files: + +```console +kubectl create secret generic certificates-tls-secret --from-file=./cert.pem --from-file=./cert.key --from-file=./ca.pem +``` + +Then, use the following parameters: + +```console +tls.enabled="true" +tls.existingSecret="certificates-tls-secret" +tls.certFilename="cert.pem" +tls.certKeyFilename="cert.key" +tls.certCAFilename="ca.pem" +``` ### Metrics 
@@ -776,11 +811,65 @@ tls-client-cert-file tls-ca-cert-file ``` +### Deploy a custom metrics script in the sidecar + +A custom Lua script can be added to the `redis-exporter` sidecar by way of the `metrics.extraArgs.script` parameter. The pathname of the script must exist on the container, or the `redis_exporter` process (and therefore the whole pod) will refuse to start. The script can be provided to the sidecar containers via the `metrics.extraVolumes` and `metrics.extraVolumeMounts` parameters: + +```yaml +metrics: + extraVolumeMounts: + - name: '{{ printf "%s-metrics-script-file" (include "common.names.fullname" .) }}' + mountPath: '{{ printf "/mnt/%s/" (include "common.names.name" .) }}' + readOnly: true + extraVolumes: + - name: '{{ printf "%s-metrics-script-file" (include "common.names.fullname" .) }}' + configMap: + name: '{{ printf "%s-metrics-script" (include "common.names.fullname" .) }}' + extraArgs: + script: '{{ printf "/mnt/%s/my_custom_metrics.lua" (include "common.names.name" .) }}' +``` + +Then deploy the script into the correct location via `extraDeploy`: + +```yaml +extraDeploy: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: '{{ printf "%s-metrics-script" (include "common.names.fullname" .) }}' + data: + my_custom_metrics.lua: | + -- LUA SCRIPT CODE HERE, e.g., + return {'bitnami_makes_the_best_charts', '1'} +``` + ### Host Kernel Settings -Redis® may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. +Redis® may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages. 
To do so, you can set up a privileged `initContainer` with the `sysctlImage` config values, for example: -Refer to the chart documentation for more information on [configuring host kernel settings with an example](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/configure-kernel-settings/). +```yaml +sysctlImage: + enabled: true + mountHostSys: true + command: + - /bin/sh + - -c + - |- + install_packages procps + sysctl -w net.core.somaxconn=10000 + echo never > /host-sys/kernel/mm/transparent_hugepage/enabled +``` + +Alternatively, for Kubernetes 1.12+ you can set `securityContext.sysctls` which will configure `sysctls` for master and slave pods. Example: + +```yaml +securityContext: + sysctls: + - name: net.core.somaxconn + value: "10000" +``` + +Note that this will not disable transparent huge tables. ## Persistence 
@@ -800,13 +889,115 @@ helm install my-release --set master.persistence.existingClaim=PVC_NAME oci://RE ## Backup and restore -Refer to the chart documentation for more information on [backing up and restoring Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/backup-restore/). +To backup and restore Redis deployments on Kubernetes, you will need to create a snapshot of the data in the source cluster, and later restore it in a new cluster with the new parameters. Follow the instructions below: + +### Step 1: Backup the deployment + +- Connect to one of the nodes and start the Redis CLI tool. Then, run the commands below: + + ```text + $ kubectl exec -it my-release-master-0 bash + $ redis-cli + 127.0.0.1:6379> auth your_current_redis_password + OK + 127.0.0.1:6379> save + OK + ``` + +- Copy the dump file from the Redis node: + + ```console + kubectl cp my-release-master-0:/data/dump.rdb dump.rdb -c redis + ``` + +### Step 2: Restore the data on the destination cluster + +To restore the data in a new cluster, you will need to create a PVC and then upload the *dump.rdb* file to the new volume. + +Follow the following steps: + +- In the [*values.yaml*](https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml) file set the *appendonly* parameter to *no*. You can skip this step if it is already configured as *no* + + ```yaml + commonConfiguration: |- + # Enable AOF https://redis.io/topics/persistence#append-only-file + appendonly no + # Disable RDB persistence, AOF persistence already enabled. + save "" + ``` + + > *Note that the `Enable AOF` comment belongs to the original config file and what you're actually doing is disabling it. This change will only be neccessary for the temporal cluster you're creating to upload the dump.* + +- Start the new cluster to create the PVCs. Use the command below as an example: + + ```console + helm install new-redis -f values.yaml . 
--set cluster.enabled=true --set cluster.slaveCount=3 + ``` + +- Now that the PVC were created, stop it and copy the *dump.rdp* file on the persisted data by using a helping pod. + + ```text + $ helm delete new-redis + + $ kubectl run --generator=run-pod/v1 -i --rm --tty volpod --overrides=' + { + "apiVersion": "v1", + "kind": "Pod", + "metadata": { + "name": "redisvolpod" + }, + "spec": { + "containers": [{ + "command": [ + "tail", + "-f", + "/dev/null" + ], + "image": "bitnami/minideb", + "name": "mycontainer", + "volumeMounts": [{ + "mountPath": "/mnt", + "name": "redisdata" + }] + }], + "restartPolicy": "Never", + "volumes": [{ + "name": "redisdata", + "persistentVolumeClaim": { + "claimName": "redis-data-new-redis-master-0" + } + }] + } + }' --image="bitnami/minideb" + + $ kubectl cp dump.rdb redisvolpod:/mnt/dump.rdb + $ kubectl delete pod volpod + ``` + +- Restart the cluster: + + > **INFO:** The *appendonly* parameter can be safely restored to your desired value. + + ```console + helm install new-redis -f values.yaml . --set cluster.enabled=true --set cluster.slaveCount=3 + ``` ## NetworkPolicy To enable network policy for Redis®, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. -Refer to the chart documenation for more information on [enabling the network policy in Redis® deployments](https://docs.bitnami.com/kubernetes/infrastructure/redis/administration/enable-network-policy/). +With NetworkPolicy enabled, only pods with the generated client label will be able to connect to Redis. This label will be displayed in the output after a successful install. + +With `networkPolicy.ingressNSMatchLabels` pods from other namespaces can connect to Redis. Set `networkPolicy.ingressNSPodMatchLabels` to match pod labels in matched namespace. 
For example, for a namespace labeled `redis=external` and pods in that namespace labeled `redis-client=true` the fields should be set: + +```yaml +networkPolicy: + enabled: true + ingressNSMatchLabels: + redis: external + ingressNSPodMatchLabels: + redis-client: true +``` ### Setting Pod's affinity diff --git a/charts/bitnami/redis/img/redis-cluster-topology.png b/charts/bitnami/redis/img/redis-cluster-topology.png deleted file mode 100644 index f0a02a9f8..000000000 Binary files a/charts/bitnami/redis/img/redis-cluster-topology.png and /dev/null differ diff --git a/charts/bitnami/redis/img/redis-topology.png b/charts/bitnami/redis/img/redis-topology.png deleted file mode 100644 index 3f5280feb..000000000 Binary files a/charts/bitnami/redis/img/redis-topology.png and /dev/null differ diff --git a/charts/bitnami/redis/templates/master/application.yaml b/charts/bitnami/redis/templates/master/application.yaml index 84569b930..b074aaae2 100644 --- a/charts/bitnami/redis/templates/master/application.yaml +++ b/charts/bitnami/redis/templates/master/application.yaml @@ -284,6 +284,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default @@ -312,7 +314,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/redis/templates/master/serviceaccount.yaml b/charts/bitnami/redis/templates/master/serviceaccount.yaml index 4ba3052fe..d442051de 100644 --- a/charts/bitnami/redis/templates/master/serviceaccount.yaml 
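Review bot: The new `REDIS_EXPORTER_WEB_LISTEN_ADDRESS` value is rendered as a bare scalar beginning with `:`; YAML accepts it, but env values must be strings and quoting removes any parser ambiguity, so I'd write `value: {{ printf ":%v" .Values.metrics.containerPorts.http | quote }}`. The same env line and `containerPort` change are repeated verbatim in the replicas and sentinel statefulset hunks of this commit; a small named template for the exporter sidecar's env/ports would keep the three copies from drifting. Since `:%v` binds the exporter on every pod interface, a one-line comment such as `# exporter listens on all interfaces; scrape access is limited by networkpolicy.yaml` next to the env var would make clear where the access control lives.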
+++ b/charts/bitnami/redis/templates/master/serviceaccount.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.master.serviceAccount.create }} +{{- if and .Values.master.serviceAccount.create (or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled)) }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/redis/templates/metrics-svc.yaml b/charts/bitnami/redis/templates/metrics-svc.yaml index 5e24b6d35..84334318f 100644 --- a/charts/bitnami/redis/templates/metrics-svc.yaml +++ b/charts/bitnami/redis/templates/metrics-svc.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.metrics.enabled }} +{{- if and .Values.metrics.enabled .Values.metrics.service.enabled }} apiVersion: v1 kind: Service metadata: @@ -34,7 +34,7 @@ spec: {{- end }} ports: - name: http-metrics - port: {{ .Values.metrics.service.port }} + port: {{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }} protocol: TCP targetPort: metrics {{- if .Values.metrics.service.extraPorts }} diff --git a/charts/bitnami/redis/templates/networkpolicy.yaml b/charts/bitnami/redis/templates/networkpolicy.yaml index 84f5ada5d..3a274cdb9 100644 --- a/charts/bitnami/redis/templates/networkpolicy.yaml +++ b/charts/bitnami/redis/templates/networkpolicy.yaml @@ -18,8 +18,11 @@ spec: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} policyTypes: - Ingress - {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }} - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} egress: {{- if eq .Values.architecture "replication" }} # Allow dns resolution 
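Review bot: The shared ServiceAccount fallback disappears with this condition split: `templates/serviceaccount.yaml` now renders only when `sentinel.enabled` is true, whereas before it rendered whenever both `master.serviceAccount.create` and `replica.serviceAccount.create` were false. A non-sentinel user who disabled the per-component accounts and relied on chart-level `serviceAccount.create` now gets no ServiceAccount from the chart, and the workloads will reference a missing name unless the `serviceAccountName` helper (outside these hunks) falls back to `default`. If that is intended, it belongs in the upgrade notes; otherwise keep the old clause, e.g. `{{- if and .Values.serviceAccount.create (or .Values.sentinel.enabled (and (not .Values.master.serviceAccount.create) (not .Values.replica.serviceAccount.create))) }}`. The same reasoning applies to the replicas serviceaccount hunk and the chart-level serviceaccount hunk later in this commit.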
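Review bot: The `coalesce` shim for the service port never reaches the legacy key: `metrics.service.ports.http` now defaults to `9121` in values.yaml, so it is always non-empty and a user-supplied `metrics.service.port` is silently ignored. Because the `port: 9121` default is removed from values.yaml in the same commit, the legacy key is empty unless the user set it, so reversing the arguments honours it while keeping the new default: `port: {{ coalesce .Values.metrics.service.port .Values.metrics.service.ports.http }}`. Either way, the `@param metrics.service.ports.http` comment in values.yaml should state that it supersedes `metrics.service.port`.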
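Review bot: `Egress` is now always listed under `policyTypes`, but the DNS allow rule stays inside the `{{- if eq .Values.architecture "replication" }}` branch, so with `allowExternalEgress=false` and a standalone architecture the pod appears to lose DNS resolution along with all other egress, where previously no egress policy was applied at all. Unless the port-53 rule is repeated for standalone further down (the rest of the egress block is outside the hunk), hoist it above the replication conditional so the restrictive mode stays usable. A comment on the new branch, e.g. `# allowExternalEgress: an empty rule matches every destination and port`, would make the effect of the default explicit.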
@@ -76,7 +79,7 @@ spec: {{- if .Values.metrics.enabled }} # Allow prometheus scrapes for metrics - ports: - - port: 9121 + - port: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.networkPolicy.metrics.allowExternal }} from: {{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }} diff --git a/charts/bitnami/redis/templates/podmonitor.yaml b/charts/bitnami/redis/templates/podmonitor.yaml index 55bcd51ad..1d0d0c967 100644 --- a/charts/bitnami/redis/templates/podmonitor.yaml +++ b/charts/bitnami/redis/templates/podmonitor.yaml @@ -18,7 +18,7 @@ metadata: {{- end }} spec: podMetricsEndpoints: - - port: http-metrics + - port: metrics {{- if .Values.metrics.podMonitor.interval }} interval: {{ .Values.metrics.podMonitor.interval }} {{- end }} @@ -34,6 +34,24 @@ spec: {{- if .Values.metrics.podMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }} {{- end }} + {{- range .Values.metrics.podMonitor.additionalEndpoints }} + - port: {{ .port }} + {{- if .interval }} + interval: {{ .interval }} + {{- end }} + {{- if .path }} + path: {{ .path }} + {{- end }} + {{- if .params }} + params: + {{- range $key, $value := .params }} + {{ $key }}: + {{- range $value }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.metrics.serviceMonitor.podTargetLabels }} podTargetLabels: {{- toYaml .Values.metrics.podMonitor.podTargetLabels | nindent 4 }} {{- end }} @@ -48,5 +66,4 @@ spec: - {{ include "common.names.namespace" . | quote }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} - app.kubernetes.io/component: metrics {{- end }} diff --git a/charts/bitnami/redis/templates/replicas/application.yaml b/charts/bitnami/redis/templates/replicas/application.yaml index aeb193ae1..dde2726a3 100644 
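Review bot: The `additionalEndpoints` rendering loop (port/interval/path/params) is copied verbatim between this PodMonitor hunk and the ServiceMonitor hunk in `templates/servicemonitor.yaml`; a named template taking the endpoint list and indent would keep the two in sync, and passing `.port`, `.interval` and `.path` through `quote` would match how the `params` entries are already rendered. While in this file, the context line `{{- if .Values.metrics.serviceMonitor.podTargetLabels }}` guards output of `.Values.metrics.podMonitor.podTargetLabels`, which looks like a pre-existing copy-paste slip worth fixing in the same pass. Dropping `app.kubernetes.io/component: metrics` from the selector reads as correct because the exporter is a sidecar rather than its own pod, and a one-line comment saying so above `matchLabels` would spare the next reader the investigation.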
--- a/charts/bitnami/redis/templates/replicas/application.yaml +++ b/charts/bitnami/redis/templates/replicas/application.yaml @@ -302,6 +302,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default @@ -330,7 +332,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/redis/templates/replicas/serviceaccount.yaml b/charts/bitnami/redis/templates/replicas/serviceaccount.yaml index ec5d66641..d7f47f43d 100644 --- a/charts/bitnami/redis/templates/replicas/serviceaccount.yaml +++ b/charts/bitnami/redis/templates/replicas/serviceaccount.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if .Values.replica.serviceAccount.create }} +{{- if and .Values.replica.serviceAccount.create (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/redis/templates/sentinel/statefulset.yaml b/charts/bitnami/redis/templates/sentinel/statefulset.yaml index 73950ac35..8557aee6f 100644 --- a/charts/bitnami/redis/templates/sentinel/statefulset.yaml +++ b/charts/bitnami/redis/templates/sentinel/statefulset.yaml 
@@ -503,6 +503,8 @@ spec: env: - name: REDIS_ALIAS value: {{ template "common.names.fullname" . }} + - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS + value: {{ printf ":%v" .Values.metrics.containerPorts.http }} {{- if .Values.auth.enabled }} - name: REDIS_USER value: default @@ -531,7 +533,7 @@ spec: {{- end }} ports: - name: metrics - containerPort: 9121 + containerPort: {{ .Values.metrics.containerPorts.http }} {{- if not .Values.diagnosticMode.enabled }} {{- if .Values.metrics.customStartupProbe }} startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} diff --git a/charts/bitnami/redis/templates/serviceaccount.yaml b/charts/bitnami/redis/templates/serviceaccount.yaml index 95432dd37..ac343a8fb 100644 --- a/charts/bitnami/redis/templates/serviceaccount.yaml +++ b/charts/bitnami/redis/templates/serviceaccount.yaml @@ -3,7 +3,7 @@ Copyright VMware, Inc. SPDX-License-Identifier: APACHE-2.0 */}} -{{- if and .Values.serviceAccount.create (and (not .Values.master.serviceAccount.create) (not .Values.replica.serviceAccount.create)) }} +{{- if and .Values.serviceAccount.create .Values.sentinel.enabled }} apiVersion: v1 kind: ServiceAccount automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} diff --git a/charts/bitnami/redis/templates/servicemonitor.yaml b/charts/bitnami/redis/templates/servicemonitor.yaml index 8641ea12a..757c87001 100644 --- a/charts/bitnami/redis/templates/servicemonitor.yaml +++ b/charts/bitnami/redis/templates/servicemonitor.yaml 
@@ -34,13 +34,31 @@ spec: {{- if .Values.metrics.serviceMonitor.metricRelabelings }} metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }} {{- end }} + {{- range .Values.metrics.serviceMonitor.additionalEndpoints }} + - port: {{ .port }} + {{- if .interval }} + interval: {{ .interval }} + {{- end }} + {{- if .path }} + path: {{ .path }} + {{- end }} + {{- if .params }} + params: + {{- range $key, $value := .params }} + {{ $key }}: + {{- range $value }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} {{- if .Values.metrics.serviceMonitor.podTargetLabels }} podTargetLabels: {{- toYaml .Values.metrics.serviceMonitor.podTargetLabels | nindent 4 }} {{- end }} - {{ with .Values.metrics.serviceMonitor.sampleLimit }} + {{- with .Values.metrics.serviceMonitor.sampleLimit }} sampleLimit: {{ . }} {{- end }} - {{ with .Values.metrics.serviceMonitor.targetLimit }} + {{- with .Values.metrics.serviceMonitor.targetLimit }} targetLimit: {{ . }} {{- end }} namespaceSelector: diff --git a/charts/bitnami/redis/values.yaml b/charts/bitnami/redis/values.yaml index 5af444cb4..cb2ded98f 100644 --- a/charts/bitnami/redis/values.yaml +++ b/charts/bitnami/redis/values.yaml @@ -94,7 +94,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/redis - tag: 7.2.4-debian-11-r2 + tag: 7.2.4-debian-11-r5 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -290,7 +290,7 @@ master: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param master.containerSecurityContext.enabled Enabled Redis® master containers' Security Context - ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set Redis® master containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsGroup Set Redis® master containers' Security Context runAsGroup ## @param master.containerSecurityContext.runAsNonRoot Set Redis® master containers' Security Context runAsNonRoot @@ -300,7 +300,7 @@ master: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -752,7 +752,7 @@ replica: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param replica.containerSecurityContext.enabled Enabled Redis® replicas containers' Security Context - ## @param replica.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param replica.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param replica.containerSecurityContext.runAsUser Set Redis® replicas containers' Security Context runAsUser ## @param replica.containerSecurityContext.runAsGroup Set Redis® replicas containers' Security Context runAsGroup ## @param replica.containerSecurityContext.runAsNonRoot Set Redis® replicas containers' Security Context runAsNonRoot @@ -762,7 +762,7 @@ replica: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
@@ -1093,7 +1093,7 @@ sentinel: image: registry: docker.io repository: bitnami/redis-sentinel - tag: 7.2.4-debian-11-r3 + tag: 7.2.4-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -1297,7 +1297,7 @@ sentinel: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param sentinel.containerSecurityContext.enabled Enabled Redis® Sentinel containers' Security Context - ## @param sentinel.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param sentinel.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param sentinel.containerSecurityContext.runAsUser Set Redis® Sentinel containers' Security Context runAsUser ## @param sentinel.containerSecurityContext.runAsGroup Set Redis® Sentinel containers' Security Context runAsGroup ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis® Sentinel containers' Security Context runAsNonRoot @@ -1307,7 +1307,7 @@ sentinel: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true 
@@ -1412,13 +1412,16 @@ serviceBindings: networkPolicy: ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources ## - enabled: false + enabled: true ## @param networkPolicy.allowExternal Don't require client label for connections ## When set to false, only pods with the correct client label will have network access to the ports ## Redis® is listening on. When true, Redis® will accept connections from any source ## (with the correct destination port). ## allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy ## e.g: ## extraIngress: @@ -1469,7 +1472,7 @@ networkPolicy: ## ingressNSMatchLabels: {} ingressNSPodMatchLabels: {} - + ## PodSecurityPolicy configuration ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ ## @@ -1578,7 +1581,7 @@ metrics: image: registry: docker.io repository: bitnami/redis-exporter - tag: 1.56.0-debian-11-r1 + tag: 1.57.0-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -1589,6 +1592,11 @@ metrics: ## - myRegistryKeySecretName ## pullSecrets: [] + + ## @param metrics.containerPorts.http Metrics HTTP container port + ## + containerPorts: + http: 9121 ## Configure extra options for Redis® containers' liveness, readiness & startup probes ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ ## @param metrics.startupProbe.enabled Enable startupProbe on Redis® replicas nodes 
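Review bot: Flipping `networkPolicy.enabled` to `true` while `allowExternal` and the new `allowExternalEgress` both default to `true` yields a policy that admits ingress from any source and all egress, so the default install is not more restricted than before; that is a reasonable migration path, but the parameter comments should say so rather than leave it implicit. I'd extend the new comment to `## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. When false, only the egress rules rendered in networkpolicy.yaml apply (DNS and peer traffic in replication mode, plus extraEgress).`, hedged to whatever the template actually renders. The enabled-by-default change also deserves an upgrade note, since clusters with a NetworkPolicy-enforcing CNI now get a chart-managed policy object where none existed.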
@@ -1665,7 +1673,7 @@ metrics: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param metrics.containerSecurityContext.enabled Enabled Redis® exporter containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set Redis® exporter containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsGroup Set Redis® exporter containers' Security Context runAsGroup ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis® exporter containers' Security Context runAsNonRoot @@ -1675,7 +1683,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsGroup: 0 runAsNonRoot: true @@ -1712,12 +1720,16 @@ metrics: ## Redis® exporter service parameters ## service: + ## @param metrics.service.enabled Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor + ## + enabled: true ## @param metrics.service.type Redis® exporter service type ## type: ClusterIP - ## @param metrics.service.port Redis® exporter service port + ## @param metrics.service.ports.http Redis® exporter service port ## - port: 9121 + ports: + http: 9121 ## @param metrics.service.externalTrafficPolicy Redis® exporter service external traffic policy ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ## 
@@ -1784,6 +1796,16 @@ metrics: ## @param metrics.serviceMonitor.targetLimit Limit of how many targets should be scraped ## targetLimit: false + ## @param metrics.serviceMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) + ## + additionalEndpoints: [] + # uncomment in order to scrape sentinel metrics + # - port: http-metrics + # interval: 30s + # path: /scrape + # params: + # target: + # - localhost:26379 ## Prometheus Pod Monitor ## ref: https://github.com/coreos/prometheus-operator ## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor @@ -1822,6 +1844,16 @@ metrics: ## @param metrics.podMonitor.targetLimit Limit of how many targets should be scraped ## targetLimit: false + ## @param metrics.podMonitor.additionalEndpoints Additional endpoints to scrape (e.g sentinel) + ## + additionalEndpoints: [] + # uncomment in order to scrape sentinel metrics + # - port: metrics + # interval: 30s + # path: /scrape + # params: + # target: + # - localhost:26379 ## Custom PrometheusRule to be defined ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions @@ -1896,7 +1928,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -1917,14 +1949,14 @@ volumePermissions: requests: {} ## Init container Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the ## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2` ## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed) ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## init-sysctl container parameters @@ -1946,7 +1978,7 @@ sysctl: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. diff --git a/charts/bitnami/spark/.helmignore b/charts/bitnami/spark/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/spark/.helmignore +++ b/charts/bitnami/spark/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/spark/Chart.yaml b/charts/bitnami/spark/Chart.yaml index 08bc6dcba..1b996e835 100644 --- a/charts/bitnami/spark/Chart.yaml +++ b/charts/bitnami/spark/Chart.yaml @@ -6,7 +6,7 @@ annotations: category: Infrastructure images: | - name: spark - image: docker.io/bitnami/spark:3.5.0-debian-11-r18 + image: docker.io/bitnami/spark:3.5.0-debian-11-r22 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.5.0 
@@ -30,4 +30,4 @@ maintainers: name: spark sources: - https://github.com/bitnami/charts/tree/main/bitnami/spark -version: 8.3.0 +version: 8.5.2 diff --git a/charts/bitnami/spark/README.md b/charts/bitnami/spark/README.md index 6fb4c7a2a..295c57143 100644 --- a/charts/bitnami/spark/README.md +++ b/charts/bitnami/spark/README.md @@ -117,9 +117,9 @@ The command removes all the Kubernetes components associated with the chart and | `master.podSecurityContext.fsGroup` | Set master pod's Security Context Group ID | `1001` | | `master.podSecurityContext.runAsUser` | Set master pod's Security Context User ID | `1001` | | `master.podSecurityContext.runAsGroup` | Set master pod's Security Context Group ID | `0` | -| `master.podSecurityContext.seLinuxOptions` | Set master pod's Security Context SELinux options | `{}` | +| `master.podSecurityContext.seLinuxOptions` | Set master pod's Security Context SELinux options | `nil` | | `master.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `master.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `master.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `master.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `master.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -171,6 +171,13 @@ The command removes all the Kubernetes components associated with the chart and | `master.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `master.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `master.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `master.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `master.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `master.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `master.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `master.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `master.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `master.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `master.sidecars` | Add additional sidecar containers to the master pod(s) | `[]` | | `master.initContainers` | Add initContainers to the master pods. | `[]` | 
@@ -200,9 +207,9 @@ The command removes all the Kubernetes components associated with the chart and | `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | | `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `worker.podSecurityContext.fsGroup` | Group ID for the container | `1001` | -| `worker.podSecurityContext.seLinuxOptions` | SELinux options for the container | `{}` | +| `worker.podSecurityContext.seLinuxOptions` | SELinux options for the container | `nil` | | `worker.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `worker.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `worker.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `worker.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -255,6 +262,13 @@ The command removes all the Kubernetes components associated with the chart and | `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `worker.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `worker.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | +| `worker.networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `worker.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `worker.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `worker.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `worker.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `worker.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | | `worker.sidecars` | Add additional sidecar containers to the worker pod(s) | `[]` | | `worker.initContainers` | Add initContainers to the worker pods. | `[]` | | `worker.autoscaling.enabled` | Enable replica autoscaling depending on CPU | `false` | 
@@ -434,13 +448,31 @@ In order to enable secure transport between workers and master, deploy the Helm It is necessary to create two secrets for the passwords and certificates. The names of the two secrets should be configured using the `security.passwordsSecretName` and `security.ssl.existingSecret` chart parameters. -The keys for the certificate secret must be named `spark-keystore.jks` and `spark-truststore.jks`, and the content must be text in JKS format. Use [this script to generate certificates](https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh) for test purposes if required. +#### Create certificates and the certificate secret + +To generate the certificates secret, first generate the two certificates and rename them to `spark-keystore.jks` and `spark-truststore.jks`. Use [this script to generate certificates](https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh) for test purposes if required. + +Once the certificates are created, create a secret for them with the file names as keys. The keys must be named `spark-keystore.jks` and `spark-truststore.jks`, and the content must be text in JKS format. + +#### Create the password secret The secret for passwords should have three keys: `rpc-authentication-secret`, `ssl-keystore-password` and `ssl-truststore-password`. -Refer to the [chart documentation for more details on configuring security and an example](https://docs.bitnami.com/kubernetes/infrastructure/spark/administration/configure-security/). +#### Configure the chart -> It is currently not possible to submit an application to a standalone cluster if RPC authentication is configured. [Learn more about this issue](https://issues.apache.org/jira/browse/SPARK-25078). 
+Once the secrets are created, configure the chart and set the various security-related parameters, including the `security.certificatesSecretName` and `security.passwordsSecretName` parameters referencing the secrets created previously. Here is an example configuration for chart deployment: + +```text +security.certificatesSecretName=my-secret +security.passwordsSecretName=my-passwords-secret +security.rpc.authenticationEnabled=true +security.rpc.encryptionEnabled=true +security.storageEncrytionEnabled=true +security.ssl.enabled=true +security.ssl.needClientAuth=true +``` + +> NOTE: It is currently not possible to submit an application to a standalone cluster if RPC authentication is configured. [Learn more about this issue](https://issues.apache.org/jira/browse/SPARK-25078). ### Set Pod affinity @@ -476,8 +508,6 @@ This version standardizes the way of defining Ingress rules. When configuring a [On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/spark/administration/upgrade-helm3/). - ### To 3.0.0 - This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs/topics/library_charts/#helm) as a dependency. More documentation about this new utility could be found [here](https://github.com/bitnami/charts/tree/main/bitnami/common#bitnami-common-library-chart). Please, make sure that you have updated the chart dependencies before executing any upgrade. diff --git a/charts/bitnami/spark/templates/networkpolicy-master.yaml b/charts/bitnami/spark/templates/networkpolicy-master.yaml new file mode 100644 index 000000000..12e3167f8 --- /dev/null 
+++ b/charts/bitnami/spark/templates/networkpolicy-master.yaml 
@@ -0,0 +1,91 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.master.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-master" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: master + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: master + policyTypes: + - Ingress + - Egress + {{- if .Values.master.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other worker pods + - ports: + - port: {{ .Values.worker.containerPorts.cluster }} + - port: {{ ternary .Values.worker.containerPorts.https .Values.worker.containerPorts.http .Values.security.ssl.enabled }} + to: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . 
) }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: worker + # Allow outbound connections to other master pods + - ports: + - port: {{ .Values.service.ports.cluster }} + - port: {{ ternary .Values.service.ports.https .Values.service.ports.http .Values.security.ssl.enabled }} + - port: {{ .Values.master.containerPorts.cluster }} + - port: {{ ternary .Values.master.containerPorts.https .Values.master.containerPorts.http .Values.security.ssl.enabled }} + to: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.podLabels .Values.commonLabels ) "context" . ) }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: master + {{- if .Values.master.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.service.ports.cluster }} + - port: {{ ternary .Values.service.ports.https .Values.service.ports.http .Values.security.ssl.enabled }} + - port: {{ .Values.master.containerPorts.cluster }} + - port: {{ ternary .Values.master.containerPorts.https .Values.master.containerPorts.http .Values.security.ssl.enabled }} + {{- if not .Values.master.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-master: "true" + {{- if .Values.master.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.master.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.master.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.master.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.master.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/spark/templates/networkpolicy-worker.yaml b/charts/bitnami/spark/templates/networkpolicy-worker.yaml new file mode 100644 index 000000000..4479b9595 --- /dev/null +++ b/charts/bitnami/spark/templates/networkpolicy-worker.yaml 
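Review bot: The `# Allow dns resolution` egress rule in the `allowExternalEgress: false` branch carries no `to:` selector, so port-53 UDP/TCP traffic is permitted to any destination, in-cluster or external, rather than only to the cluster resolver. If the restrictive mode is meant to be restrictive, pin it to the resolver, e.g. `to: - namespaceSelector: matchLabels: kubernetes.io/metadata.name: kube-system` combined with a kube-dns `podSelector`; if broad DNS egress is intentional, say so in the comment, e.g. `# Allow DNS resolution to any resolver (deliberately not limited to kube-dns)`. Note also that with the defaults this change ships in values.yaml (`allowExternal: true`, `allowExternalEgress: true`) neither restrictive branch is exercised, so the policy as deployed only narrows ingress to the listed ports.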
@@ -0,0 +1,89 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.worker.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ printf "%s-worker" (include "common.names.fullname" .) }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + app.kubernetes.io/component: worker + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . ) }} + podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + app.kubernetes.io/component: worker + policyTypes: + - Ingress + - Egress + {{- if .Values.worker.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow outbound connections to other worker pods + - ports: + - port: {{ .Values.worker.containerPorts.cluster }} + - port: {{ ternary .Values.worker.containerPorts.https .Values.worker.containerPorts.http .Values.security.ssl.enabled }} + to: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.worker.podLabels .Values.commonLabels ) "context" . 
) }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: worker + # Allow outbound connections to other master pods + - ports: + - port: {{ .Values.service.ports.cluster }} + - port: {{ ternary .Values.service.ports.https .Values.service.ports.http .Values.security.ssl.enabled }} + - port: {{ .Values.master.containerPorts.cluster }} + - port: {{ ternary .Values.master.containerPorts.https .Values.master.containerPorts.http .Values.security.ssl.enabled }} + to: + {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.podLabels .Values.commonLabels ) "context" . ) }} + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + app.kubernetes.io/component: master + {{- if .Values.master.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.master.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.worker.containerPorts.cluster }} + - port: {{ ternary .Values.worker.containerPorts.https .Values.worker.containerPorts.http .Values.security.ssl.enabled }} + {{- if not .Values.worker.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-worker: "true" + {{- if .Values.worker.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.worker.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.worker.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.worker.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/spark/values.yaml b/charts/bitnami/spark/values.yaml index e37cd80c2..c5aed21f0 100644 --- a/charts/bitnami/spark/values.yaml +++ b/charts/bitnami/spark/values.yaml @@ -95,7 +95,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/spark - tag: 3.5.0-debian-11-r18 + tag: 3.5.0-debian-11-r22 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -179,7 +179,7 @@ master: ## @param master.podSecurityContext.fsGroup Set master pod's Security Context Group ID ## @param master.podSecurityContext.runAsUser Set master pod's Security Context User ID ## @param master.podSecurityContext.runAsGroup Set master pod's Security Context Group ID - ## @param master.podSecurityContext.seLinuxOptions Set master pod's Security Context SELinux options + ## @param master.podSecurityContext.seLinuxOptions [object,nullable] Set master pod's Security Context SELinux options ## podSecurityContext: enabled: true 
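Review bot: The worker egress branch renders the master's extra rules instead of its own: `{{- if .Values.master.networkPolicy.extraEgress }}` and the `include` beneath it both reference `.Values.master.networkPolicy.extraEgress`, which looks copied from the master template. As written, a `worker.networkPolicy.extraEgress` value set by the operator is silently ignored, while egress allowances intended only for the master are also granted to worker pods; both references should read `.Values.worker.networkPolicy.extraEgress`. Separately, the worker ingress rule admits only `worker.containerPorts.cluster` and the http/https port — if executors started by the worker listen on other ports (Spark's executor and block-manager ports are randomly assigned unless pinned; please verify), driver-to-executor traffic will be dropped once a CNI enforces this policy, which deserves at least a comment or an `extraIngress` example.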
@@ -189,11 +189,11 @@ master: fsGroup: 1001 runAsUser: 1001 runAsGroup: 0 - seLinuxOptions: {} + seLinuxOptions: null ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param master.containerSecurityContext.enabled Enabled containers' Security Context - ## @param master.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param master.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param master.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param master.containerSecurityContext.privileged Set container's Security Context privileged @@ -204,7 +204,7 @@ master: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -382,6 +382,61 @@ master: ## @param master.customStartupProbe Custom startupProbe that overrides the default one ## customStartupProbe: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param master.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param master.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports the application is listening + ## on. When true, the app will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param master.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param master.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param master.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param master.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param master.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @param master.sidecars Add additional sidecar 
containers to the master pod(s) ## e.g: ## sidecars: @@ -478,7 +533,7 @@ worker: ## @param worker.podSecurityContext.sysctls Set kernel settings using the sysctl interface ## @param worker.podSecurityContext.supplementalGroups Set filesystem extra groups ## @param worker.podSecurityContext.fsGroup Group ID for the container - ## @param worker.podSecurityContext.seLinuxOptions SELinux options for the container + ## @param worker.podSecurityContext.seLinuxOptions [object,nullable] SELinux options for the container ## podSecurityContext: enabled: true @@ -486,11 +541,11 @@ worker: sysctls: [] supplementalGroups: [] fsGroup: 1001 - seLinuxOptions: {} + seLinuxOptions: null ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param worker.containerSecurityContext.enabled Enabled containers' Security Context - ## @param worker.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param worker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param worker.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param worker.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param worker.containerSecurityContext.privileged Set container's Security Context privileged @@ -501,7 +556,7 @@ worker: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
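Review bot: The `master.networkPolicy.extraEgress` parameter is documented as `Add extra ingress rules to the NetworkPolicy`; it should read `Add extra egress rules to the NetworkPolicy`, and the `extraIngress` line has the typo `NetworkPolice`. The embedded examples are also not valid selector YAML — `- podSelector: - matchLabels: - role: frontend` nests lists where maps are expected; the working form is `- podSelector:` / `    matchLabels:` / `      role: frontend`. Since the defaults `allowExternal: true` and `allowExternalEgress: true` leave the generated policy permissive in both directions (ingress from any source to the listed ports, unrestricted egress), a sentence such as `## Set both allowExternal and allowExternalEgress to false to actually restrict traffic` would help operators who assume `enabled: true` alone hardens the deployment.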
@@ -683,6 +738,61 @@ worker: ## @param worker.customStartupProbe Custom startupProbe that overrides the default one ## customStartupProbe: {} + ## Network Policies + ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + ## + networkPolicy: + ## @param worker.networkPolicy.enabled Specifies whether a NetworkPolicy should be created + ## + enabled: true + ## @param worker.networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to the ports the application is listening + ## on. When true, the app will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param worker.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param worker.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param worker.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param worker.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param worker.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @param worker.sidecars Add additional sidecar 
containers to the worker pod(s) ## e.g: ## sidecars: diff --git a/charts/bitnami/tomcat/.helmignore b/charts/bitnami/tomcat/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/tomcat/.helmignore +++ b/charts/bitnami/tomcat/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/tomcat/Chart.yaml b/charts/bitnami/tomcat/Chart.yaml index a78ece135..acbe67666 100644 --- a/charts/bitnami/tomcat/Chart.yaml +++ b/charts/bitnami/tomcat/Chart.yaml @@ -6,11 +6,11 @@ annotations: category: ApplicationServer images: | - name: jmx-exporter - image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r3 + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 - name: tomcat - image: docker.io/bitnami/tomcat:10.1.18-debian-11-r0 + image: docker.io/bitnami/tomcat:10.1.18-debian-11-r4 licenses: Apache-2.0 apiVersion: v2 appVersion: 10.1.18 @@ -38,4 +38,4 @@ maintainers: name: tomcat sources: - https://github.com/bitnami/charts/tree/main/bitnami/tomcat -version: 10.13.0 +version: 10.13.5 diff --git a/charts/bitnami/tomcat/README.md b/charts/bitnami/tomcat/README.md index 437ab3a37..b7bd7d36d 100644 --- a/charts/bitnami/tomcat/README.md +++ b/charts/bitnami/tomcat/README.md 
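Review bot: The `worker.networkPolicy.allowExternal` description, `Don't require client label for connections`, tells only half the story: in the worker template of this same change, the `allowExternal: false` branch appears to admit any pod carrying the release's common labels in addition to pods labelled `<fullname>-worker: "true"`, so the comment should state that, e.g. `## When false, only pods of this release or pods carrying the <fullname>-worker=true label can reach the worker ports`. The `extraEgress` description here also copies the ingress wording (`Add extra ingress rules to the NetworkPolicy`) and `extraIngress` repeats the `NetworkPolice` typo, and the selector examples nest lists under `podSelector`/`matchLabels` where maps are required.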
@@ -114,7 +114,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Tomcat pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -237,7 +237,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.jmx.image.pullSecrets` | Specify docker-registry secret names as an array | `[]` | | `metrics.jmx.config` | Configuration file for JMX exporter | `""` | | `metrics.jmx.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.jmx.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.jmx.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.jmx.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.jmx.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -297,7 +297,7 @@ Bitnami will release a new chart updating its containers if a new version of the ### Use a different Tomcat version -To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/tomcat/configuration/change-image-version/). +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. ### Add extra environment variables 
@@ -313,9 +313,43 @@ Alternatively, define a ConfigMap or a Secret with the environment variables. To ### Use Sidecars and Init Containers -If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. Similarly, extra init containers can be added using the `initContainers` parameter. +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. -Refer to the chart documentation for more information on, and examples of, configuring and using [sidecars and init containers](https://docs.bitnami.com/kubernetes/infrastructure/tomcat/configuration/configure-sidecar-init-containers/). +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). ### Set Pod affinity 
@@ -377,8 +411,6 @@ helm upgrade tomcat oci://REGISTRY_NAME/REPOSITORY_NAME/tomcat --set tomcatPassw [On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/tomcat/administration/upgrade-helm3/). - ### To 5.0.0 This release updates the Bitnami Tomcat container to `9.0.26-debian-9-r0`, which is based on Bash instead of Node.js. diff --git a/charts/bitnami/tomcat/templates/_pod.tpl b/charts/bitnami/tomcat/templates/_pod.tpl index aba36ad8b..374a4c7ee 100644 --- a/charts/bitnami/tomcat/templates/_pod.tpl +++ b/charts/bitnami/tomcat/templates/_pod.tpl @@ -84,6 +84,8 @@ containers: key: tomcat-password - name: TOMCAT_ALLOW_REMOTE_MANAGEMENT value: {{ .Values.tomcatAllowRemoteManagement | quote }} + - name: TOMCAT_HTTP_PORT_NUMBER + value: {{ .Values.containerPorts.http | quote }} {{- if or .Values.catalinaOpts .Values.metrics.jmx.enabled }} - name: CATALINA_OPTS value: {{ include "tomcat.catalinaOpts" . | quote }} diff --git a/charts/bitnami/tomcat/values.yaml b/charts/bitnami/tomcat/values.yaml index 581d224f4..53676316b 100644 --- a/charts/bitnami/tomcat/values.yaml +++ b/charts/bitnami/tomcat/values.yaml @@ -61,7 +61,7 @@ extraDeploy: [] image: registry: docker.io repository: bitnami/tomcat - tag: 10.1.18-debian-11-r0 + tag: 10.1.18-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -169,7 +169,7 @@ podSecurityContext: ## Tomcat containers' SecurityContext ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod ## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -180,7 +180,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -628,7 +628,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -688,7 +688,7 @@ metrics: image: registry: docker.io repository: bitnami/jmx-exporter - tag: 0.20.0-debian-11-r3 + tag: 0.20.0-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
@@ -715,7 +715,7 @@ metrics: ## Prometheus JMX exporter containers' Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context - ## @param metrics.jmx.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged @@ -725,7 +725,7 @@ metrics: ## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false diff --git a/charts/bitnami/wordpress/.helmignore b/charts/bitnami/wordpress/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/wordpress/.helmignore +++ b/charts/bitnami/wordpress/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/wordpress/Chart.lock b/charts/bitnami/wordpress/Chart.lock index 5e6b95297..75f0c573c 100644 --- a/charts/bitnami/wordpress/Chart.lock +++ b/charts/bitnami/wordpress/Chart.lock 
@@ -1,12 +1,12 @@ dependencies: - name: memcached repository: oci://registry-1.docker.io/bitnamicharts - version: 6.9.0 + version: 6.10.1 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 15.2.0 + version: 15.2.2 - name: common repository: oci://registry-1.docker.io/bitnamicharts version: 2.14.1 -digest: sha256:1dd88de417e6f8cc74a7d360b942207c5bd9045a1e8d7758913c1e7b8ef142a4 -generated: "2024-01-23T15:28:06.176976429Z" +digest: sha256:2bc29e2de3ffe663852dd8ee59359ab30f27cdd4001f24bef71200eb637a5ebe +generated: "2024-02-07T10:55:26.025905331Z" diff --git a/charts/bitnami/wordpress/Chart.yaml b/charts/bitnami/wordpress/Chart.yaml index 672475c45..5609c933d 100644 --- a/charts/bitnami/wordpress/Chart.yaml +++ b/charts/bitnami/wordpress/Chart.yaml @@ -6,14 +6,14 @@ annotations: category: CMS images: | - name: apache-exporter - image: docker.io/bitnami/apache-exporter:1.0.5-debian-11-r3 + image: docker.io/bitnami/apache-exporter:1.0.6-debian-11-r2 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r95 + image: docker.io/bitnami/os-shell:11-debian-11-r96 - name: wordpress - image: docker.io/bitnami/wordpress:6.4.2-debian-11-r18 + image: docker.io/bitnami/wordpress:6.4.3-debian-11-r4 licenses: Apache-2.0 apiVersion: v2 -appVersion: 6.4.2 +appVersion: 6.4.3 dependencies: - condition: memcached.enabled name: memcached @@ -47,4 +47,4 @@ maintainers: name: wordpress sources: - https://github.com/bitnami/charts/tree/main/bitnami/wordpress -version: 19.2.1 +version: 19.2.6 diff --git a/charts/bitnami/wordpress/README.md b/charts/bitnami/wordpress/README.md index 267716dc5..4c7a14dbf 100644 --- a/charts/bitnami/wordpress/README.md +++ b/charts/bitnami/wordpress/README.md 
@@ -175,7 +175,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set WordPress pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -261,7 +261,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` | | `volumePermissions.resources.limits` | The resources limits for the init container | `{}` | | `volumePermissions.resources.requests` | The requested resources for the init container | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Other Parameters 
@@ -316,7 +316,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.resources.limits` | The resources limits for the Prometheus exporter container | `{}` | | `metrics.resources.requests` | The requested resources for the Prometheus exporter container | `{}` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | @@ -444,7 +444,9 @@ externalDatabase.database=mydatabase externalDatabase.port=3306 ``` -Refer to the [documentation on using an external database with WordPress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/use-external-database/) and the [tutorial on integrating WordPress with a managed cloud database](https://docs.bitnami.com/tutorials/secure-wordpress-kubernetes-managed-database-ssl-upgrades/) for more information. +If the database already contains data from a previous WordPress installation, set the `wordpressSkipInstall` parameter to `true`. This parameter forces the container to skip the WordPress installation wizard. Otherwise, the container will assume it is a fresh installation and execute the installation wizard, potentially modifying or resetting the data in the existing database. + +[Refer to the container documentation for more information](https://github.com/bitnami/containers/tree/main/bitnami/wordpress#connect-wordpress-container-to-an-existing-database). ### Memcached 
@@ -463,13 +465,55 @@ externalCache.port=11211 ### Ingress -This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application. +This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress-controller](https://github.com/bitnami/charts/tree/main/bitnami/nginx-ingress-controller) or [contour](https://github.com/bitnami/charts/tree/main/bitnami/contour) you can utilize the ingress controller to serve your application.To enable Ingress integration, set `ingress.enabled` to `true`. -To enable Ingress integration, set `ingress.enabled` to `true`. The `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. It is also possible to have more than one host, with a separate TLS configuration for each host. [Learn more about configuring and using Ingress](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-ingress/). +The most common scenario is to have one host name mapped to the deployment. In this case, the `ingress.hostname` property can be used to set the host name. The `ingress.tls` parameter can be used to add the TLS configuration for this host. + +However, it is also possible to have more than one host. To facilitate this, the `ingress.extraHosts` parameter (if available) can be set with the host names specified as an array. The `ingress.extraTLS` parameter (if available) can also be used to add the TLS configuration for extra hosts. 
+ +> NOTE: For each host specified in the `ingress.extraHosts` parameter, it is necessary to set a name, path, and any annotations that the Ingress controller should know about. Not all annotations are supported by all Ingress controllers, but [this annotation reference document](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) lists the annotations supported by many popular Ingress controllers. + +Adding the TLS parameter (where available) will cause the chart to generate HTTPS URLs, and the application will be available on port 443. The actual TLS secrets do not have to be generated by this chart. However, if TLS is enabled, the Ingress record will not work until the TLS secret exists. + +[Learn more about Ingress controllers](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/). ### TLS secrets -The chart also facilitates the creation of TLS secrets for use with the Ingress controller, with different options for certificate management. [Learn more about TLS secrets](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/enable-tls-ingress/). +This chart facilitates the creation of TLS secrets for use with the Ingress controller (although this is not mandatory). There are several common use cases: + +- Generate certificate secrets based on chart parameters. +- Enable externally generated certificates. +- Manage application certificates via an external service (like [cert-manager](https://github.com/jetstack/cert-manager/)). +- Create self-signed certificates within the chart (if supported). + +In the first two cases, a certificate and a key are needed. Files are expected in `.pem` format. + +Here is an example of a certificate file: + +> NOTE: There may be more than one certificate if there is a certificate chain. + +```text +-----BEGIN CERTIFICATE----- +MIID6TCCAtGgAwIBAgIJAIaCwivkeB5EMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +... 
+jScrvkiBO65F46KioCL9h5tDvomdU1aqpI/CBzhvZn1c0ZTf87tGQR8NK7v7 +-----END CERTIFICATE----- +``` + +Here is an example of a certificate key: + +```text +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAvLYcyu8f3skuRyUgeeNpeDvYBCDcgq+LsWap6zbX5f8oLqp4 +... +wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= +-----END RSA PRIVATE KEY----- +``` + +- If using Helm to manage the certificates based on the parameters, copy these values into the `certificate` and `key` values for a given `*.ingress.secrets` entry. +- If managing TLS secrets separately, it is necessary to create a TLS secret with name `INGRESS_HOSTNAME-tls` (where INGRESS_HOSTNAME is a placeholder to be replaced with the hostname you set using the `*.ingress.hostname` parameter). +- If your cluster has a [cert-manager](https://github.com/jetstack/cert-manager) add-on to automate the management and issuance of TLS certificates, add to `*.ingress.annotations` the [corresponding ones](https://cert-manager.io/docs/usage/ingress/#supported-annotations) for cert-manager. +- If using self-signed certificates created by Helm, set both `*.ingress.tls` and `*.ingress.selfSigned` to `true`. ### `.htaccess` files 
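Review bot: The rewritten Ingress paragraph loses the space between two sentences, `serve your application.To enable Ingress integration`; it should read `serve your application. To enable Ingress integration, set ingress.enabled to true.` The `(if available)` and `(where available)` qualifiers on `ingress.extraHosts`, `ingress.extraTLS` and `*.ingress.secrets` read like text copied from a shared template, and since this README documents a single chart, either confirm those parameters exist in its values table (outside this view) or drop the qualifiers. The TLS bullets tell users to create a secret named `INGRESS_HOSTNAME-tls` but not that a Helm-managed `*.ingress.secrets` entry places the private key inside chart values; a one-line note that a values file carrying `key` must be handled as a secret and kept out of version control would help operators following the first option.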
@@ -477,7 +521,19 @@ For performance and security reasons, it is a good practice to configure Apache By default, the container image includes all the default `.htaccess` files in WordPress (together with the default plugins). To enable this feature, install the chart with the value `allowOverrideNone=yes`. -[Learn more about working with `.htaccess` files](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/understand-htaccess/). +However, some plugins may include `.htaccess` directives that will not be loaded when `AllowOverride` is set to `None`. To make them work, create a custom `wordpress-htaccess.conf` file with all the required directives. After creating it, create a Kubernetes ConfigMap with it (for example, named `custom-htaccess`) and install the chart with the correct parameters as shown below: + +```text + allowOverrideNone=true + customHTAccessCM=custom-htaccess +``` + +Some plugins permit editing the `.htaccess` file and it may be necessary to persist it in order to keep those edits. To make these plugins work, set the `htaccessPersistenceEnabled` parameter as shown below: + +```text + allowOverrideNone=false + htaccessPersistenceEnabled=true +``` ## Persistence 
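Review bot: The new example sets `allowOverrideNone=true` while the unchanged sentence just above it still instructs `allowOverrideNone=yes`; the two forms should agree, and since the second new example uses `allowOverrideNone=false` the boolean form looks like the intended one, so the earlier sentence should also say `allowOverrideNone=true`. The ConfigMap instructions never state which key inside `custom-htaccess` the chart expects to hold the `wordpress-htaccess.conf` content; if the template mounts a specific key (not visible here), naming it in the text would save a failed mount on first try.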
@@ -500,7 +556,43 @@ Alternatively, you can use a ConfigMap or a Secret with the environment variable ### Sidecars -If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter. [Learn more about configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/apps/wordpress/configuration/configure-sidecar-init-containers/). +If additional containers are needed in the same pod as WordPress (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. + +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). ### Pod affinity 
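Review bot: The NOTE added to the Sidecars section says the bundled exporters are activated with `--enable-metrics=true`, which is not a Helm flag; this chart's metrics settings live under `metrics.*` (see the `metrics.containerSecurityContext.*` rows in the table hunk earlier in this file), so the text should read `--set metrics.enabled=true`. The same wording appears in the MariaDB README hunk (where the removed line still had the `--set` form, so this is a regression) and in the Memcached README hunk later in this diff; fix all three together. The `sidecars` and `initContainers` examples combine `imagePullPolicy: Always` with an untagged `image: your-image`; since readers copy these verbatim, a pinned placeholder such as `image: your-image:TAG` would model the same pinning the chart applies to its own images.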
@@ -578,8 +670,6 @@ Compatibility is not guaranteed due to the amount of involved changes, however n [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/apps/wordpress/administration/upgrade-helm3/). - #### Additional upgrade notes - MariaDB dependency version was bumped to a new major version that introduces several incompatibilities. Therefore, backwards compatibility is not guaranteed unless an external database is used. Check [MariaDB Upgrading Notes](https://github.com/bitnami/charts/tree/main/bitnami/mariadb#to-800) for more information. diff --git a/charts/bitnami/wordpress/charts/mariadb/.helmignore b/charts/bitnami/wordpress/charts/mariadb/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/wordpress/charts/mariadb/.helmignore +++ b/charts/bitnami/wordpress/charts/mariadb/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml index 3a51ab5e1..fa6b4c057 100644 --- a/charts/bitnami/wordpress/charts/mariadb/Chart.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/Chart.yaml 
@@ -2,11 +2,11 @@ annotations: category: Database images: | - name: mariadb - image: docker.io/bitnami/mariadb:11.2.2-debian-11-r3 + image: docker.io/bitnami/mariadb:11.2.2-debian-11-r6 - name: mysqld-exporter - image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r2 + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r5 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 appVersion: 11.2.2 @@ -33,4 +33,4 @@ maintainers: name: mariadb sources: - https://github.com/bitnami/charts/tree/main/bitnami/mariadb -version: 15.2.0 +version: 15.2.2 diff --git a/charts/bitnami/wordpress/charts/mariadb/README.md b/charts/bitnami/wordpress/charts/mariadb/README.md index 37350bf2a..eec0a2bb1 100644 --- a/charts/bitnami/wordpress/charts/mariadb/README.md +++ b/charts/bitnami/wordpress/charts/mariadb/README.md @@ -141,7 +141,7 @@ The command removes all the Kubernetes components associated with the chart and | `primary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `primary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `primary.containerSecurityContext.enabled` | MariaDB primary container securityContext | `true` | -| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `primary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `primary.containerSecurityContext.runAsUser` | User ID for the MariaDB primary container | `1001` | | `primary.containerSecurityContext.runAsNonRoot` | Set primary container's Security Context runAsNonRoot | `true` | | `primary.containerSecurityContext.privileged` | Set primary container's Security Context privileged | `false` | 
@@ -242,7 +242,7 @@ The command removes all the Kubernetes components associated with the chart and | `secondary.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `secondary.podSecurityContext.fsGroup` | Group ID for the mounted volumes' filesystem | `1001` | | `secondary.containerSecurityContext.enabled` | MariaDB secondary container securityContext | `true` | -| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `secondary.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `secondary.containerSecurityContext.runAsUser` | User ID for the MariaDB secondary container | `1001` | | `secondary.containerSecurityContext.runAsNonRoot` | Set secondary container's Security Context runAsNonRoot | `true` | | `secondary.containerSecurityContext.privileged` | Set secondary container's Security Context privileged | `false` | @@ -343,7 +343,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.extraArgs` | Extra args to be passed to mysqld_exporter | `{}` | | `metrics.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the MariaDB metrics container(s) | `{}` | | `metrics.containerSecurityContext.enabled` | Enable security context for MariaDB metrics container | `false` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | User ID for the MariaDB metrics container | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set metrics container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set metrics container's Security Context privileged | `false` | 
@@ -443,15 +443,59 @@ The allowed extensions are `.sh`, `.sql` and `.sql.gz`. These scripts are treated differently depending on their extension. While `.sh` scripts are executed on all the nodes, `.sql` and `.sql.gz` scripts are only executed on the primary nodes. This is because `.sh` scripts support conditional tests to identify the type of node they are running on, while such tests are not supported in `.sql` or `.sql.gz` files. -[Refer to the chart documentation for more information and a usage example](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/customize-new-instance/). +When using a `.sh` script, you may wish to perform a "one-time" action like creating a database. This can be achieved by adding a condition in the script to ensure that it is executed only on one node, as shown in the example below: + +```yaml +initdbScripts: + my_init_script.sh: | + #!/bin/sh + if [[ $(hostname) == *primary* ]]; then + echo "Primary node" + mysql -P 3306 -uroot -prandompassword -e "create database new_database"; + else + echo "No primary node" + fi +``` ### Sidecars and Init Containers -If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the sidecars parameter. +If additional containers are needed in the same pod as MariaDB (such as additional metrics or logging exporters), they can be defined using the `sidecars` parameter. -The Helm chart already includes sidecar containers for the Prometheus exporters. These can be activated by adding the `--set enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. [See an example of configuring and using sidecar containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). 
+```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` -Similarly, additional containers can be added to MariaDB pods using the `initContainers` parameter. [See an example of configuring and using init containers](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/configuration/configure-sidecar-init-containers/). +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). ## Persistence 
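Review bot: The new `initdbScripts` example declares `#!/bin/sh` but uses `[[ $(hostname) == *primary* ]]`, a bash-only test that fails under a POSIX `sh` such as dash; either change the shebang to `#!/bin/bash` or rewrite the test as a POSIX `case "$(hostname)" in *primary*) … ;; esac`. The example also passes the root password literally on the `mysql` command line (`-prandompassword`); `initdbScripts` content is presumably rendered into a ConfigMap, where it is readable by anyone who can get that object, so reading the password from the container environment or a mounted secret and saying so in a sentence after the example would keep readers from copying a plaintext credential into version-controlled values. The hostname test assumes the pod name contains `primary`, which presumably follows from the chart's StatefulSet naming; stating that assumption next to the example would help operators who rename resources.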
@@ -522,8 +566,6 @@ Affected values: [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/mariadb/administration/upgrade-helm3/). - ### To 8.0.0 - Several parameters were renamed or disappeared in favor of new ones on this major version: diff --git a/charts/bitnami/wordpress/charts/mariadb/values.yaml b/charts/bitnami/wordpress/charts/mariadb/values.yaml index dac39b648..9803c8d99 100644 --- a/charts/bitnami/wordpress/charts/mariadb/values.yaml +++ b/charts/bitnami/wordpress/charts/mariadb/values.yaml @@ -90,7 +90,7 @@ serviceBindings: image: registry: docker.io repository: bitnami/mariadb - tag: 11.2.2-debian-11-r3 + tag: 11.2.2-debian-11-r6 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -330,7 +330,7 @@ primary: ## MariaDB primary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param primary.containerSecurityContext.enabled MariaDB primary container securityContext - ## @param primary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param primary.containerSecurityContext.runAsUser User ID for the MariaDB primary container ## @param primary.containerSecurityContext.runAsNonRoot Set primary container's Security Context runAsNonRoot ## @param primary.containerSecurityContext.privileged Set primary container's Security Context privileged 
@@ -340,7 +340,7 @@ primary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -743,7 +743,7 @@ secondary: ## MariaDB secondary container security context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param secondary.containerSecurityContext.enabled MariaDB secondary container securityContext - ## @param secondary.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param secondary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param secondary.containerSecurityContext.runAsUser User ID for the MariaDB secondary container ## @param secondary.containerSecurityContext.runAsNonRoot Set secondary container's Security Context runAsNonRoot ## @param secondary.containerSecurityContext.privileged Set secondary container's Security Context privileged @@ -753,7 +753,7 @@ secondary: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -1038,7 +1038,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) @@ -1074,7 +1074,7 @@ metrics: image: registry: docker.io repository: bitnami/mysqld-exporter - tag: 0.15.1-debian-11-r2 + tag: 0.15.1-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace) 
@@ -1138,7 +1138,7 @@ metrics: ## MariaDB metrics container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enable security context for MariaDB metrics container - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser User ID for the MariaDB metrics container ## @param metrics.containerSecurityContext.runAsNonRoot Set metrics container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set metrics container's Security Context privileged @@ -1156,7 +1156,7 @@ metrics: enabled: false privileged: false runAsNonRoot: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 allowPrivilegeEscalation: false capabilities: diff --git a/charts/bitnami/wordpress/charts/memcached/.helmignore b/charts/bitnami/wordpress/charts/memcached/.helmignore index f0c131944..fb56657ab 100644 --- a/charts/bitnami/wordpress/charts/memcached/.helmignore +++ b/charts/bitnami/wordpress/charts/memcached/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/wordpress/charts/memcached/Chart.yaml b/charts/bitnami/wordpress/charts/memcached/Chart.yaml index 83cb7db78..cc0f3eea2 100644 --- a/charts/bitnami/wordpress/charts/memcached/Chart.yaml +++ b/charts/bitnami/wordpress/charts/memcached/Chart.yaml 
@@ -2,11 +2,11 @@ annotations: category: Infrastructure images: | - name: memcached-exporter - image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r1 + image: docker.io/bitnami/memcached-exporter:0.14.2-debian-11-r5 - name: memcached - image: docker.io/bitnami/memcached:1.6.23-debian-11-r0 + image: docker.io/bitnami/memcached:1.6.23-debian-11-r3 - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 licenses: Apache-2.0 apiVersion: v2 appVersion: 1.6.23 @@ -30,4 +30,4 @@ maintainers: name: memcached sources: - https://github.com/bitnami/charts/tree/main/bitnami/memcached -version: 6.9.0 +version: 6.10.1 diff --git a/charts/bitnami/wordpress/charts/memcached/README.md b/charts/bitnami/wordpress/charts/memcached/README.md index dfa05e94c..ed3c59890 100644 --- a/charts/bitnami/wordpress/charts/memcached/README.md +++ b/charts/bitnami/wordpress/charts/memcached/README.md @@ -134,7 +134,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set Memcached pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -176,19 +176,26 @@ The command removes all the Kubernetes components associated with the chart and ### Traffic Exposure parameters -| Name | Description | Value | -| ---------------------------------- | --------------------------------------------------------------------------------------- | ----------- | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.ports.memcached` | Memcached service port | `11211` | -| `service.nodePorts.memcached` | Node port for Memcached | `""` | -| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` | -| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | -| `service.clusterIP` | Memcached service Cluster IP | `""` | -| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` | -| `service.loadBalancerSourceRanges` | Memcached service Load Balancer sources | `[]` | -| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` | -| `service.annotations` | Additional custom annotations for Memcached service | `{}` | -| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` | +| Name | Description | Value | +| --------------------------------------- | --------------------------------------------------------------------------------------- | ----------- | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.ports.memcached` | Memcached service port | `11211` | +| `service.nodePorts.memcached` | Node port for Memcached | `""` | +| `service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `""` | +| `service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `service.clusterIP` | Memcached service Cluster IP | `""` | +| `service.loadBalancerIP` | Memcached service Load Balancer IP | `""` | +| `service.loadBalancerSourceRanges` | Memcached service Load 
Balancer sources | `[]` | +| `service.externalTrafficPolicy` | Memcached service external traffic policy | `Cluster` | +| `service.annotations` | Additional custom annotations for Memcached service | `{}` | +| `service.extraPorts` | Extra ports to expose in the Memcached service (normally used with the `sidecar` value) | `[]` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources | `true` | +| `networkPolicy.allowExternal` | The Policy model to apply | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Other Parameters @@ -223,7 +230,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | | `metrics.enabled` | Start a side-car prometheus exporter | `false` | | `metrics.image.registry` | Memcached exporter image registry | `REGISTRY_NAME` | 
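Review bot: The new `networkPolicy.extraEgress` row describes the parameter as `Add extra ingress rules to the NetworkPolicy`, a copy of the `extraIngress` row; it should read `Add extra egress rules to the NetworkPolicy`. The description `The Policy model to apply` for `networkPolicy.allowExternal` does not tell an operator what `true` means; per the template added later in this diff, `true` accepts ingress to the memcached port from any peer, while `false` restricts it to pods labelled `<fullname>-client: "true"`, the chart's own pods, and namespaces matching `ingressNSMatchLabels`, so the row should say that. Because `allowExternal` and `allowExternalEgress` both default to `true`, it is also worth stating that the default policy only narrows ingress to the listed ports and places no restriction on egress.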
@@ -235,7 +242,7 @@ The command removes all the Kubernetes components associated with the chart and | `metrics.resources.limits` | Init container volume-permissions resource limits | `{}` | | `metrics.resources.requests` | Init container volume-permissions resource requests | `{}` | | `metrics.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `metrics.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `metrics.containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `metrics.containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `metrics.containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -313,9 +320,43 @@ Bitnami will release a new chart updating its containers if a new version of the ### Use Sidecars and Init Containers -If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. Similarly, extra init containers can be added using the `initContainers` parameter. +If additional containers are needed in the same pod (such as additional metrics or logging exporters), they can be defined using the `sidecars` config parameter. -Refer to the chart documentation for more information on, and examples of, configuring and using [sidecars and init containers](https://docs.bitnami.com/kubernetes/infrastructure/memcached/configuration/configure-sidecar-init-containers/). +```yaml +sidecars: +- name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +If these sidecars export extra ports, extra port definitions can be added using the `service.extraPorts` parameter (where available), as shown in the example below: + +```yaml +service: + extraPorts: + - name: extraPort + port: 11311 + targetPort: 11311 +``` + +> NOTE: This Helm chart already includes sidecar containers for the Prometheus exporters (where applicable). These can be activated by adding the `--enable-metrics=true` parameter at deployment time. The `sidecars` parameter should therefore only be used for any extra sidecar containers. + +If additional init containers are needed in the same pod, they can be defined using the `initContainers` parameter. Here is an example: + +```yaml +initContainers: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +Learn more about [sidecar containers](https://kubernetes.io/docs/concepts/workloads/pods/) and [init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/). ### Set Pod affinity 
@@ -361,8 +402,6 @@ This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs [On November 13, 2020, Helm v2 support formally ended](https://github.com/helm/charts#status-of-the-project). This major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/memcached/administration/upgrade-helm3/). - ### To 4.0.0 Backwards compatibility is not guaranteed unless you modify the labels used on the chart's deployments. diff --git a/charts/bitnami/wordpress/charts/memcached/templates/networkpolicy.yaml b/charts/bitnami/wordpress/charts/memcached/templates/networkpolicy.yaml new file mode 100644 index 000000000..879c63f47 --- /dev/null +++ b/charts/bitnami/wordpress/charts/memcached/templates/networkpolicy.yaml 
@@ -0,0 +1,74 @@ +{{- /* +Copyright VMware, Inc. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{- if .Values.networkPolicy.enabled }} +kind: NetworkPolicy +apiVersion: {{ template "common.capabilities.networkPolicy.apiVersion" . }} +metadata: + name: {{ template "common.names.fullname" . }} + namespace: {{ include "common.names.namespace" . | quote }} + labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }} + policyTypes: + - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow connection to other cluster pods + - ports: + - port: {{ .Values.containerPorts.memcached }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} + ingress: + - ports: + - port: {{ .Values.containerPorts.memcached }} + {{- if .Values.metrics.enabled }} + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "common.names.fullname" . 
}}-client: "true" + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml index d0819fd1d..291984565 100644 --- a/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml +++ b/charts/bitnami/wordpress/charts/memcached/templates/statefulset.yaml @@ -17,7 +17,9 @@ spec: {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.podLabels .Values.commonLabels ) "context" . ) }} selector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} + {{- if not (and .Values.autoscaling.enabled (eq .Values.architecture "high-availability")) }} replicas: {{ .Values.replicaCount }} + {{- end }} {{- if .Values.podManagementPolicy }} podManagementPolicy: {{ .Values.podManagementPolicy | quote }} {{- end }} diff --git a/charts/bitnami/wordpress/charts/memcached/values.yaml b/charts/bitnami/wordpress/charts/memcached/values.yaml index cdf0bda6b..dfc151b1e 100644 --- a/charts/bitnami/wordpress/charts/memcached/values.yaml +++ b/charts/bitnami/wordpress/charts/memcached/values.yaml 
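Review bot: The egress rendering in the new memcached networkpolicy.yaml references `.Values.rts.networkPolicy.extraEgress` while the guard two lines above tests `.Values.networkPolicy.extraEgress`; `rts` looks like a stray prefix, and with Helm's map lookup I would expect a nil-pointer render error as soon as a user sets extraEgress together with allowExternalEgress=false. The include should read `{{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraEgress "context" $ ) | nindent 4 }}`, matching the extraIngress include at the bottom of the same file. The identical `.Values.rts.` reference is added to charts/bitnami/zookeeper/templates/networkpolicy.yaml in its `@@ -19,6 +19,29 @@` hunk and needs the same fix. Separately, the metrics port is emitted inside the same ingress rule as the memcached port, so with allowExternal=false a scraper must carry the `-client: "true"` label derived from `common.names.fullname` or match ingressNSMatchLabels; a one-line comment above `{{- if .Values.metrics.enabled }}` saying so would save operators a surprise.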
@@ -73,7 +73,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/memcached - tag: 1.6.23-debian-11-r0 + tag: 1.6.23-debian-11-r3 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -229,7 +229,7 @@ podSecurityContext: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -240,7 +240,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -458,6 +458,61 @@ service: ## extraPorts: [] +## Network Policy configuration +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +## +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources + ## + enabled: true + ## @param networkPolicy.allowExternal The Policy model to apply + ## When set to false, only pods with the correct client label will have network access to the ports Keycloak is + ## listening on. When true, Keycloak will accept connections from any source (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} + ## @section Other Parameters ## Service account for Memcached to use. 
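Review bot: The new `networkPolicy.allowExternal` description in the memcached values.yaml is copy-pasted and talks about Keycloak ("the ports Keycloak is listening on ... Keycloak will accept connections"), and the `@param networkPolicy.extraEgress` line says "Add extra ingress rules"; since these `## @param` lines feed the generated README, suggest `## When set to false, only pods with the correct client label will have network access to the port Memcached is` / `## listening on. When true, Memcached will accept connections from any source (with the correct destination port).` and `## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy`. The example snippets under both params render `matchLabels` and `matchExpressions` as list items (`- podSelector: - matchLabels: - role: frontend`), which is not valid NetworkPolicy YAML and will be copied verbatim by users; `matchLabels` must be a mapping directly under `podSelector`. It would also help to state here that with `allowExternal: false` the metrics port is gated by the same client label, because the template added in this commit places both ports in a single ingress rule.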
@@ -538,7 +593,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -560,11 +615,11 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## Prometheus Exporter / Metrics @@ -585,7 +640,7 @@ metrics: image: registry: docker.io repository: bitnami/memcached-exporter - tag: 0.14.2-debian-11-r1 + tag: 0.14.2-debian-11-r5 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -611,7 +666,7 @@ metrics: ## Configure Metrics Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged 
@@ -622,7 +677,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false diff --git a/charts/bitnami/wordpress/values.yaml b/charts/bitnami/wordpress/values.yaml index a8fe72984..e0b6cdef5 100644 --- a/charts/bitnami/wordpress/values.yaml +++ b/charts/bitnami/wordpress/values.yaml @@ -76,7 +76,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/wordpress - tag: 6.4.2-debian-11-r18 + tag: 6.4.3-debian-11-r4 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' @@ -418,7 +418,7 @@ podSecurityContext: ## Configure Container Security Context (only main container) ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -429,7 +429,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false @@ -779,7 +779,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r95 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
@@ -801,11 +801,11 @@ volumePermissions: ## Init container' Security Context ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## @section Other Parameters @@ -875,7 +875,7 @@ metrics: image: registry: docker.io repository: bitnami/apache-exporter - tag: 1.0.5-debian-11-r3 + tag: 1.0.6-debian-11-r2 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. @@ -954,7 +954,7 @@ metrics: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param metrics.containerSecurityContext.enabled Enabled containers' Security Context - ## @param metrics.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param metrics.containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param metrics.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param metrics.containerSecurityContext.privileged Set container's Security Context privileged @@ -965,7 +965,7 @@ metrics: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false diff --git a/charts/bitnami/zookeeper/.helmignore b/charts/bitnami/zookeeper/.helmignore index f0c131944..fb56657ab 100644 
--- a/charts/bitnami/zookeeper/.helmignore +++ b/charts/bitnami/zookeeper/.helmignore @@ -19,3 +19,5 @@ .project .idea/ *.tmproj +# img folder +img/ diff --git a/charts/bitnami/zookeeper/Chart.yaml b/charts/bitnami/zookeeper/Chart.yaml index 12ba6f632..fb6f7f60f 100644 --- a/charts/bitnami/zookeeper/Chart.yaml +++ b/charts/bitnami/zookeeper/Chart.yaml @@ -6,9 +6,9 @@ annotations: category: Infrastructure images: | - name: os-shell - image: docker.io/bitnami/os-shell:11-debian-11-r94 + image: docker.io/bitnami/os-shell:11-debian-11-r96 - name: zookeeper - image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r5 + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r8 licenses: Apache-2.0 apiVersion: v2 appVersion: 3.9.1 @@ -30,4 +30,4 @@ maintainers: name: zookeeper sources: - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper -version: 12.6.0 +version: 12.8.1 diff --git a/charts/bitnami/zookeeper/README.md b/charts/bitnami/zookeeper/README.md index 30ae88d15..7879d6824 100644 --- a/charts/bitnami/zookeeper/README.md +++ b/charts/bitnami/zookeeper/README.md @@ -166,7 +166,7 @@ The command removes all the Kubernetes components associated with the chart and | `podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | | `podSecurityContext.fsGroup` | Set ZooKeeper pod's Security Context fsGroup | `1001` | | `containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | -| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `containerSecurityContext.runAsUser` | Set containers' Security Context runAsUser | `1001` | | `containerSecurityContext.runAsNonRoot` | Set container's Security Context runAsNonRoot | `true` | | `containerSecurityContext.privileged` | Set container's Security Context privileged | `false` | 
@@ -226,8 +226,13 @@ The command removes all the Kubernetes components associated with the chart and | `service.headless.annotations` | Annotations for the Headless Service | `{}` | | `service.headless.publishNotReadyAddresses` | If the ZooKeeper headless service should publish DNS records for not ready pods | `true` | | `service.headless.servicenameOverride` | String to partially override headless service name | `""` | -| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `false` | +| `networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | +| `networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` | +| `networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` | +| `networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` | +| `networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` | ### Other Parameters @@ -267,7 +272,7 @@ The command removes all the Kubernetes components associated with the chart and | `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | | `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | | `volumePermissions.containerSecurityContext.enabled` | Enabled init container Security Context | `true` | -| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `{}` | +| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | | `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | ### Metrics parameters 
@@ -493,8 +498,6 @@ This version introduces `bitnami/common`, a [library chart](https://helm.sh/docs [On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. -[Learn more about this change and related upgrade considerations](https://docs.bitnami.com/kubernetes/infrastructure/zookeeper/administration/upgrade-helm3/). - ### To 5.21.0 A couple of parameters related to Zookeeper metrics were renamed or disappeared in favor of new ones: diff --git a/charts/bitnami/zookeeper/templates/networkpolicy.yaml b/charts/bitnami/zookeeper/templates/networkpolicy.yaml index 34d36f971..e9de1da12 100644 --- a/charts/bitnami/zookeeper/templates/networkpolicy.yaml +++ b/charts/bitnami/zookeeper/templates/networkpolicy.yaml @@ -19,6 +19,29 @@ spec: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }} policyTypes: - Ingress + - Egress + {{- if .Values.networkPolicy.allowExternalEgress }} + egress: + - {} + {{- else }} + egress: + # Allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # Allow internal communications between nodes + - ports: + - port: {{ .Values.containerPorts.follower }} + - port: {{ .Values.containerPorts.election }} + to: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraEgress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rts.networkPolicy.extraEgress "context" $ ) | nindent 4 }} + {{- end }} + {{- end }} ingress: # Allow inbound connections to ZooKeeper - ports: 
@@ -28,11 +51,27 @@ spec: {{- end }} {{- if not .Values.networkPolicy.allowExternal }} from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }} - podSelector: matchLabels: {{ include "common.names.fullname" . }}-client: "true" - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.ingressNSMatchLabels }} + - namespaceSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- if .Values.networkPolicy.ingressNSPodMatchLabels }} + podSelector: + matchLabels: + {{- range $key, $value := .Values.networkPolicy.ingressNSPodMatchLabels }} + {{ $key | quote }}: {{ $value | quote }} + {{- end }} + {{- end }} + {{- end }} {{- end }} # Allow internal communications between nodes - ports: @@ -41,4 +80,7 @@ spec: from: - podSelector: matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 14 }} + {{- if .Values.networkPolicy.extraIngress }} + {{- include "common.tplvalues.render" ( dict "value" .Values.networkPolicy.extraIngress "context" $ ) | nindent 4 }} + {{- end }} {{- end }} diff --git a/charts/bitnami/zookeeper/values.yaml b/charts/bitnami/zookeeper/values.yaml index dd9142de3..8cbbc0c7d 100644 --- a/charts/bitnami/zookeeper/values.yaml +++ b/charts/bitnami/zookeeper/values.yaml @@ -79,7 +79,7 @@ diagnosticMode: image: registry: docker.io repository: bitnami/zookeeper - tag: 3.9.1-debian-11-r5 + tag: 3.9.1-debian-11-r8 digest: "" ## Specify a imagePullPolicy ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' 
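Review bot: The added `- podSelector` keyed on `.Values.commonLabels` sits directly above the existing one keyed on `$podLabels` (built outside this hunk from podLabels and commonLabels) in the `@@ -28,11 +51,27 @@` hunk; if `common.labels.matchLabels` reduces both to the same name/instance pair they select identical pods and the new entry is dead weight, and if `$podLabels` contributes extra keys the new entry is the broader of the two and quietly widens the allow-list. I would keep only the `$podLabels` selector here, as the `@@ -41,4 +80,7 @@` hunk and the spec-level podSelector already do. The memcached template added in this commit uses `.Values.commonLabels` for its equivalent rule, so whichever form is chosen the two charts should agree.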
@@ -339,7 +339,7 @@ podSecurityContext: ## Configure Container Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container ## @param containerSecurityContext.enabled Enabled containers' Security Context -## @param containerSecurityContext.seLinuxOptions Set SELinux options in container +## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser ## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot ## @param containerSecurityContext.privileged Set container's Security Context privileged @@ -350,7 +350,7 @@ podSecurityContext: ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 1001 runAsNonRoot: true privileged: false 
@@ -602,12 +602,53 @@ service: networkPolicy: ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created ## - enabled: false + enabled: true ## @param networkPolicy.allowExternal Don't require client label for connections ## When set to false, only pods with the correct client label will have network access to the port Redis® is ## listening on. When true, zookeeper accept connections from any source (with the correct destination port). ## allowExternal: true + ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. + ## + allowExternalEgress: true + ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolice + ## e.g: + ## extraIngress: + ## - ports: + ## - port: 1234 + ## from: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + extraIngress: [] + ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy + ## e.g: + ## extraEgress: + ## - ports: + ## - port: 1234 + ## to: + ## - podSelector: + ## - matchLabels: + ## - role: frontend + ## - podSelector: + ## - matchExpressions: + ## - key: role + ## operator: In + ## values: + ## - frontend + ## + extraEgress: [] + ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces + ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces + ## + ingressNSMatchLabels: {} + ingressNSPodMatchLabels: {} ## @section Other Parameters @@ -711,7 +752,7 @@ volumePermissions: image: registry: docker.io repository: bitnami/os-shell - tag: 11-debian-11-r94 + tag: 11-debian-11-r96 digest: "" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. 
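Review bot: `networkPolicy.enabled` flips from false to true for zookeeper in the `@@ -602,12 +602,53 @@` hunk, so every upgrade now creates a NetworkPolicy with policyTypes Ingress and Egress; with the shipped defaults (allowExternal: true, allowExternalEgress: true) the rules are wide open, but on a cluster whose CNI enforces policy, a values file that already had allowExternal: false without enabling the policy will start dropping unlabeled client traffic on upgrade. That deserves an "Upgrading" entry in the chart README, which this commit does not add. The new `@param networkPolicy.extraIngress` line misspells `NetworkPolice` and the `extraEgress` line says "Add extra ingress rules"; both strings are carried into the README table in this commit, so fixing them here fixes both. The `extraIngress` block also lacks the closing `##` line before `extraIngress: []` that every other parameter block in this section has.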
@@ -734,12 +775,12 @@ volumePermissions: ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser ## and not the below volumePermissions.containerSecurityContext.runAsUser ## @param volumePermissions.containerSecurityContext.enabled Enabled init container Security Context - ## @param volumePermissions.containerSecurityContext.seLinuxOptions Set SELinux options in container + ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container ## containerSecurityContext: enabled: true - seLinuxOptions: {} + seLinuxOptions: null runAsUser: 0 ## @section Metrics parameters diff --git a/charts/cert-manager/cert-manager/Chart.yaml b/charts/cert-manager/cert-manager/Chart.yaml index a058286e8..9e635a610 100644 --- a/charts/cert-manager/cert-manager/Chart.yaml +++ b/charts/cert-manager/cert-manager/Chart.yaml @@ -10,7 +10,7 @@ annotations: catalog.cattle.io/namespace: cert-manager catalog.cattle.io/release-name: cert-manager apiVersion: v1 -appVersion: v1.13.3 +appVersion: v1.14.2 description: A Helm chart for cert-manager home: https://github.com/cert-manager/cert-manager icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png @@ -27,4 +27,4 @@ maintainers: name: cert-manager sources: - https://github.com/cert-manager/cert-manager -version: v1.13.3 +version: v1.14.2 diff --git a/charts/cert-manager/cert-manager/README.md b/charts/cert-manager/cert-manager/README.md index bdff2abe8..8f4096b06 100644 --- a/charts/cert-manager/cert-manager/README.md +++ b/charts/cert-manager/cert-manager/README.md @@ -8,7 +8,7 @@ to renew certificates at an appropriate time before expiry. ## Prerequisites -- Kubernetes 1.20+ +- Kubernetes 1.22+ ## Installing the Chart 
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. ```bash -$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml ``` To install the chart with the release name `my-release`: @@ -29,7 +29,7 @@ To install the chart with the release name `my-release`: $ helm repo add jetstack https://charts.jetstack.io ## Install the cert-manager helm chart -$ helm install my-release --namespace cert-manager --version v1.13.3 jetstack/cert-manager +$ helm install my-release --namespace cert-manager --version v1.14.2 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer 
@@ -65,182 +65,1724 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.2/cert-manager.crds.yaml ``` ## Configuration + -The following table lists the configurable parameters of the cert-manager chart and their default values. +### Global -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | -| `global.commonLabels` | Labels to apply to all resources | `{}` | -| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | -| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | -| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | -| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` | -| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | -| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | | -| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. 
This must be less than or equal to the lease duration | | -| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | -| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | -| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | -| `image.tag` | Image tag | `v1.13.3` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `replicaCount` | Number of cert-manager replicas | `1` | -| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | -| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `.extraArgs` | `` | -| `extraArgs` | Optional flags for cert-manager | `[]` | -| `extraEnv` | Optional environment variables for cert-manager | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used. 
If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `serviceAccount.annotations` | Annotations to add to the service account | | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | -| `volumes` | Optional volumes for cert-manager | `[]` | -| `volumeMounts` | Optional volume mounts for cert-manager | `[]` | -| `resources` | CPU/memory resource requests/limits | `{}` | -| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) | -| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `affinity` | Node affinity for pod assignment | `{}` | -| `tolerations` | Node tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` | -| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. 
| `false` | -| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` | -| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | -| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` | -| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | -| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` | -| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` | -| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | -| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | -| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | | -| `prometheus.enabled` | Enable Prometheus monitoring | `true` | -| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | -| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | -| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | -| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | -| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | -| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | -| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | -| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | -| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. 
Can be used to remove the "exported_namespace" label for example. | `false` |
-| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
-| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
-| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
-| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
-| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
-| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
-| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
-| `podLabels` | Labels to add to the cert-manager pod | `{}` |
-| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
-| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
-| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
-| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
-| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
-| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` |
-| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` |
-| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` |
-| `config` | ControllerConfiguration YAML used to configure flags for the controller.
Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
-| `enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. | `false` |
-| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
-| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
-| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
-| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
-| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
-| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
-| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
-| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
-| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
-| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
-| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
-| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
-| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example.
| `{}` |
-| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
-| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
-| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
-| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
-| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
-| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
-| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
-| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
-| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
-| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
-| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
-| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
-| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
-| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
-| `webhook.image.tag` | Webhook image tag | `v1.13.3` |
-| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
-| `webhook.securePort` | The port that the webhook should listen on for requests.
| `10250` |
-| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
-| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
-| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
-| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
-| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | |
-| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
-| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
-| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
-| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
-| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
-| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
-| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
-| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
-| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
-| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
-| `webhook.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.
| `false` |
-| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
-| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
-| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
-| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
-| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
-| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
-| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
-| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
-| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
-| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
-| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used.
If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
-| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
-| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
-| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
-| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
-| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
-| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
-| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
-| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
-| `cainjector.image.tag` | cainjector image tag | `v1.13.3` |
-| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
-| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
-| `cainjector.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.
| `false` |
-| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
-| `acmesolver.image.tag` | acmesolver image tag | `v1.13.3` |
-| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
-| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
-| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
-| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
-| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
-| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
-| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
-| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
-| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
-| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
-| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
-| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
-| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
-| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
-| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
-| `startupapicheck.image.tag` | startupapicheck image tag | `v1.13.3` |
-| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
-| `startupapicheck.serviceAccount.create` | If `true`,
create a new service account for the startupapicheck component | `true` | -| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | | -| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` | -| `startupapicheck.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. | `false` | -| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` | +#### **global.imagePullSecrets** ~ `array` +> Default value: +> ```yaml +> [] +> ``` +Reference to one or more secrets to be used when pulling images +ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +For example: + +```yaml +imagePullSecrets: + - name: "image-pull-secret" +``` +#### **global.commonLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Labels to apply to all resources +Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress +eg. 
secretTemplate in CertificateSpec + ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec +#### **global.revisionHistoryLimit** ~ `number` + +The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + +#### **global.priorityClassName** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Optional priority class to be used for the cert-manager pods +#### **global.rbac.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Create required ClusterRoles and ClusterRoleBindings for cert-manager +#### **global.rbac.aggregateClusterRoles** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +#### **global.podSecurityPolicy.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create PodSecurityPolicy for cert-manager + +NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 +#### **global.podSecurityPolicy.useAppArmor** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Configure the PodSecurityPolicy to use AppArmor +#### **global.logLevel** ~ `number` +> Default value: +> ```yaml +> 2 +> ``` + +Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. +#### **global.leaderElection.namespace** ~ `string` +> Default value: +> ```yaml +> kube-system +> ``` + +Override the namespace used for the leader election lease +#### **global.leaderElection.leaseDuration** ~ `string` + +The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. 
+ +#### **global.leaderElection.renewDeadline** ~ `string` + +The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. + +#### **global.leaderElection.retryPeriod** ~ `string` + +The duration the clients should wait between attempting acquisition and renewal of a leadership. + +#### **installCRDs** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs +### Controller + +#### **replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager controller to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. +#### **strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager controller deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. 
+ +#### **podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + +#### **featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the controller pod. +#### **maxConcurrentChallenges** ~ `number` +> Default value: +> ```yaml +> 60 +> ``` + +The maximum number of challenges that can be scheduled as 'processing' at once +#### **image.registry** ~ `string` + +The container registry to pull the manager image from + +#### **image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-controller +> ``` + +The container image for the cert-manager controller + +#### **image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **image.digest** ~ `string` + +Setting a digest will override any tag + +#### **image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **clusterResourceNamespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. +#### **namespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. 
This is helpful when installing cert manager as a chart dependency (sub chart) +#### **serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **serviceAccount.labels** ~ `object` + +Optional additional labels to add to the controller's ServiceAccount + +#### **serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **enableCertificateOwnerRef** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +#### **config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the controller pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. 
+ +For example: + +```yaml +config: + apiVersion: controller.config.cert-manager.io/v1alpha1 + kind: ControllerConfiguration + logging: + verbosity: 2 + format: text + leaderElectionConfig: + namespace: kube-system + kubernetesAPIQPS: 9000 + kubernetesAPIBurst: 9000 + numberOfConcurrentWorkers: 200 + featureGates: + AdditionalCertificateOutputFormats: true + DisallowInsecureCSRUsageDefinition: true + ExperimentalCertificateSigningRequestControllers: true + ExperimentalGatewayAPISupport: true + LiteralCertificateSubject: true + SecretsFilteredCaching: true + ServerSideApply: true + StableCertificateRequestName: true + UseCertificateRequestBasicConstraints: true + ValidateCAA: true + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics + - cert-manager-metrics.cert-manager + - cert-manager-metrics.cert-manager.svc +``` +#### **dns01RecursiveNameservers** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated string with host and port of the recursive nameservers cert-manager should query +#### **dns01RecursiveNameserversOnly** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +#### **extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help + +Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + +For example: + +```yaml +extraArgs: + - --controllers=*,-certificaterequests-approver +``` +#### **extraEnv** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional environment variables to pass to cert-manager controller binary. 
+#### **resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the controller Deployment + +#### **podAnnotations** ~ `object` + +Optional additional annotations to add to the controller Pods + +#### **podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the controller Pods +#### **serviceAnnotations** ~ `object` + +Optional annotations to add to the controller Service + +#### **serviceLabels** ~ `object` + +Optional additional labels to add to the controller Service + +#### **podDnsPolicy** ~ `string` + +Pod DNS policy +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + +#### **podDnsConfig** ~ `object` + +Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. 
However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + +#### **nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +#### **ingressShim.defaultIssuerName** ~ `string` + +Optional default issuer to use for ingress resources + +#### **ingressShim.defaultIssuerKind** ~ `string` + +Optional default issuer kind to use for ingress resources + +#### **ingressShim.defaultIssuerGroup** ~ `string` + +Optional default issuer group to use for ingress resources + +#### **http_proxy** ~ `string` + +Configures the HTTP_PROXY environment variable for where a HTTP proxy is required + +#### **https_proxy** ~ `string` + +Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required + +#### **no_proxy** ~ `string` + +Configures the NO_PROXY environment variable for where a HTTP proxy is required, but certain domains should be excluded + +#### **affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml 
+tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **livenessProbe** ~ `object` +> Default value: +> ```yaml +> enabled: true +> failureThreshold: 8 +> initialDelaySeconds: 10 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 15 +> ``` + +LivenessProbe settings for the controller container of the controller Pod. + +Enabled by default, because we want to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. See: https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + +#### **enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### Prometheus + +#### **prometheus.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Enable Prometheus monitoring for the cert-manager controller to use with the. Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or +`prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment +resources. 
Additionally, a service is created which can be used together with your own ServiceMonitor (managed outside of this Helm chart). Otherwise, a ServiceMonitor/ PodMonitor is created. +#### **prometheus.servicemonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create a ServiceMonitor to add cert-manager to Prometheus +#### **prometheus.servicemonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` + +Specifies the `prometheus` label on the created ServiceMonitor, this is used when different Prometheus instances have label selectors matching different ServiceMonitors. +#### **prometheus.servicemonitor.targetPort** ~ `number` +> Default value: +> ```yaml +> 9402 +> ``` + +The target port to set on the ServiceMonitor, should match the port that cert-manager controller is listening on for metrics +#### **prometheus.servicemonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` + +The path to scrape for metrics +#### **prometheus.servicemonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` + +The interval to scrape metrics +#### **prometheus.servicemonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` + +The timeout before a metrics scrape fails +#### **prometheus.servicemonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional labels to add to the ServiceMonitor +#### **prometheus.servicemonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional annotations to add to the ServiceMonitor +#### **prometheus.servicemonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Keep labels from scraped data, overriding server-side labels. +#### **prometheus.servicemonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. 
+ +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + +#### **prometheus.podmonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create a PodMonitor to add cert-manager to Prometheus +#### **prometheus.podmonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` + +Specifies the `prometheus` label on the created PodMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor. +#### **prometheus.podmonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` + +The path to scrape for metrics +#### **prometheus.podmonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` + +The interval to scrape metrics +#### **prometheus.podmonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` + +The timeout before a metrics scrape fails +#### **prometheus.podmonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional labels to add to the PodMonitor +#### **prometheus.podmonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional annotations to add to the PodMonitor +#### **prometheus.podmonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Keep labels from scraped data, overriding server-side labels. +#### **prometheus.podmonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. 
+ +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + +### Webhook + +#### **webhook.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager webhook to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. +#### **webhook.timeoutSeconds** ~ `number` +> Default value: +> ```yaml +> 30 +> ``` + +Seconds the API server should wait for the webhook to respond before treating the call as a failure. +Value must be between 1 and 30 seconds. See: +https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + +We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. +#### **webhook.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the webhook pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: webhook.config.cert-manager.io/v1alpha1 +kind: WebhookConfiguration +# The port that the webhook should listen on for requests. 
+# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 +``` +#### **webhook.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **webhook.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the webhook component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **webhook.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the webhook component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **webhook.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **webhook.podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. 
Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + +#### **webhook.podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + +#### **webhook.deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Deployment + +#### **webhook.podAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Pods + +#### **webhook.serviceAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Service + +#### **webhook.mutatingWebhookConfigurationAnnotations** ~ `object` + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +#### **webhook.validatingWebhookConfigurationAnnotations** ~ `object` + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +#### **webhook.validatingWebhookConfiguration.namespaceSelector** ~ `object` +> Default value: +> ```yaml +> matchExpressions: +> - key: cert-manager.io/disable-validation +> operator: NotIn +> values: +> - "true" +> ``` + +Configure spec.namespaceSelector for validating webhooks. + +#### **webhook.mutatingWebhookConfiguration.namespaceSelector** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Configure spec.namespaceSelector for mutating webhooks. + +#### **webhook.extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help +#### **webhook.featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the webhook pod. 
+#### **webhook.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager webhook pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **webhook.livenessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 60 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Liveness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + +#### **webhook.readinessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 5 +> periodSeconds: 5 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Readiness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + +#### **webhook.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ +#### **webhook.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **webhook.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **webhook.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **webhook.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the Webhook Pods +#### **webhook.serviceLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the Webhook Service +#### **webhook.image.registry** ~ `string` + +The container registry to pull the webhook image from + +#### **webhook.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-webhook +> ``` + +The container image for the cert-manager webhook + +#### **webhook.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. 
If no value is set, the chart's appVersion will be used. + +#### **webhook.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **webhook.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **webhook.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **webhook.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **webhook.serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **webhook.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the webhook's ServiceAccount + +#### **webhook.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **webhook.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **webhook.securePort** ~ `number` +> Default value: +> ```yaml +> 10250 +> ``` + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 +#### **webhook.hostNetwork** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. 
CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. +#### **webhook.serviceType** ~ `string` +> Default value: +> ```yaml +> ClusterIP +> ``` + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. +#### **webhook.loadBalancerIP** ~ `string` + +Specify the load balancer IP for the created service + +#### **webhook.url** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. +#### **webhook.networkPolicy.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create network policies for the webhooks +#### **webhook.networkPolicy.ingress** ~ `array` +> Default value: +> ```yaml +> - from: +> - ipBlock: +> cidr: 0.0.0.0/0 +> ``` + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + +#### **webhook.networkPolicy.egress** ~ `array` +> Default value: +> ```yaml +> - ports: +> - port: 80 +> protocol: TCP +> - port: 443 +> protocol: TCP +> - port: 53 +> protocol: TCP +> - port: 53 +> protocol: UDP +> - port: 6443 +> protocol: TCP +> to: +> - ipBlock: +> cidr: 0.0.0.0/0 +> ``` + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + +#### **webhook.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **webhook.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. 
+#### **webhook.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### CA Injector + +#### **cainjector.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Create the CA Injector deployment +#### **cainjector.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. +#### **cainjector.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system +``` +#### **cainjector.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager cainjector deployment. 
See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **cainjector.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the cainjector component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **cainjector.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the cainjector component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **cainjector.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **cainjector.podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + +#### **cainjector.podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. 
+ +#### **cainjector.deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the cainjector Deployment + +#### **cainjector.podAnnotations** ~ `object` + +Optional additional annotations to add to the cainjector Pods + +#### **cainjector.extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help +#### **cainjector.featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the cainjector pod. +#### **cainjector.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager cainjector pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **cainjector.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ +#### **cainjector.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **cainjector.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **cainjector.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **cainjector.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the CA Injector Pods +#### **cainjector.image.registry** ~ `string` + +The container registry to pull the cainjector image from + +#### **cainjector.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-cainjector +> ``` + +The container image for the cert-manager cainjector + +#### **cainjector.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. 
+ +#### **cainjector.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **cainjector.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **cainjector.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **cainjector.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **cainjector.serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **cainjector.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the cainjector's ServiceAccount + +#### **cainjector.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **cainjector.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **cainjector.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **cainjector.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **cainjector.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. 
+### ACME Solver + +#### **acmesolver.image.registry** ~ `string` + +The container registry to pull the acmesolver image from + +#### **acmesolver.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-acmesolver +> ``` + +The container image for the cert-manager acmesolver + +#### **acmesolver.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **acmesolver.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **acmesolver.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. 
+#### **startupapicheck.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Enables the startup api check +#### **startupapicheck.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the startupapicheck component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **startupapicheck.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **startupapicheck.timeout** ~ `string` +> Default value: +> ```yaml +> 1m +> ``` + +Timeout for 'kubectl check api' command +#### **startupapicheck.backoffLimit** ~ `number` +> Default value: +> ```yaml +> 4 +> ``` + +Job backoffLimit +#### **startupapicheck.jobAnnotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "1" +> ``` + +Optional additional annotations to add to the startupapicheck Job + +#### **startupapicheck.podAnnotations** ~ `object` + +Optional additional annotations to add to the startupapicheck Pods + +#### **startupapicheck.extraArgs** ~ `array` +> Default value: +> ```yaml +> - -v +> ``` + +Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. 
+ +#### **startupapicheck.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **startupapicheck.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +#### **startupapicheck.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **startupapicheck.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **startupapicheck.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the startupapicheck Pods +#### **startupapicheck.image.registry** ~ `string` + +The container registry to pull the startupapicheck image from + +#### **startupapicheck.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-startupapicheck +> ``` + +The container image for the cert-manager startupapicheck + 
+#### **startupapicheck.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **startupapicheck.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **startupapicheck.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **startupapicheck.rbac.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` + +annotations for the startup API Check job RBAC and PSP resources + +#### **startupapicheck.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **startupapicheck.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **startupapicheck.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **startupapicheck.serviceAccount.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` + +Optional additional annotations to add to the Job's ServiceAccount + +#### **startupapicheck.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. + +#### **startupapicheck.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the startupapicheck's ServiceAccount + +#### **startupapicheck.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. 
+#### **startupapicheck.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **startupapicheck.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + ### Default Security Contexts The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. diff --git a/charts/cert-manager/cert-manager/templates/_helpers.tpl b/charts/cert-manager/cert-manager/templates/_helpers.tpl index 90db4af26..067fe6a05 100644 --- a/charts/cert-manager/cert-manager/templates/_helpers.tpl +++ b/charts/cert-manager/cert-manager/templates/_helpers.tpl @@ -172,3 +172,17 @@ https://github.com/helm/helm/issues/5358 {{- define "cert-manager.namespace" -}} {{ .Values.namespace | default .Release.Namespace }} {{- end -}} + +{{/* +Util function for generating the image URL based on the provided options. +IMPORTANT: This function is standarized across all charts in the cert-manager GH organization. +Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ... +See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs. +*/}} +{{- define "image" -}} +{{- $defaultTag := index . 1 -}} +{{- with index . 0 -}} +{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}} +{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} +{{- end }} +{{- end }} 
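Review bot: The new named template is registered under the bare name `image`, and Helm named templates share one release-wide namespace, so a parent or sibling chart that also defines `image` replaces this one silently (the last definition loaded wins) — the existing template on the context lines uses the `cert-manager.` prefix for exactly that reason. If the unprefixed name is deliberate so the block can be copied verbatim across the organisation's charts, as the header comment says, the comment should state that the name is global and that a collision is resolved by load order rather than reported as an error. The comment should also document the calling convention, which is only visible from the `index . 0` / `index . 1` lines, e.g. `{{/* Usage: include "image" (tuple <image values map> <default tag>); .registry is prefixed when set, .digest takes precedence over .tag */}}`. `standarized` in the comment is a typo for `standardized`.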
diff --git a/charts/cert-manager/cert-manager/templates/cainjector-config.yaml b/charts/cert-manager/cert-manager/templates/cainjector-config.yaml
new file mode 100644
index 000000000..82399cc1a
--- /dev/null
+++ b/charts/cert-manager/cert-manager/templates/cainjector-config.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.cainjector.config -}}
+{{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}}
+{{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cainjector.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ {{- .Values.cainjector.config | toYaml | nindent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/cert-manager/cert-manager/templates/cainjector-deployment.yaml b/charts/cert-manager/cert-manager/templates/cainjector-deployment.yaml
index f14168924..a2f7243e8 100644
--- a/charts/cert-manager/cert-manager/templates/cainjector-deployment.yaml
+++ b/charts/cert-manager/cert-manager/templates/cainjector-deployment.yaml
@@ -16,6 +16,10 @@ metadata:
 {{- end }}
 spec:
 replicas: {{ .Values.cainjector.replicaCount }}
+ {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+ {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+ revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+ {{- end }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ include "cainjector.name" . }}
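Review bot: Nothing in this diff appears to consume the new ConfigMap: the three cainjector-deployment.yaml hunks that follow add `revisionHistoryLimit`, the shared `image` helper and `--feature-gates`, but no `--config=` argument and no volume or volumeMount referencing `{{ include "cainjector.fullname" . }}`, so unless that wiring already exists in the untouched part of the deployment template, setting `cainjector.config` renders a ConfigMap the cainjector never reads while the README hunk above tells users it configures the pod. Worth confirming against the full deployment template, and worth a header comment in this file naming where the data is mounted, e.g. `{{/* Rendered only when cainjector.config is set; consumed by cainjector-deployment.yaml via --config */}}`. The two `required` messages also end in `must be set !` with a stray space before the exclamation mark.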
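Review bot: The nil-versus-zero test `not (has (quote $v) (list "" (quote "")))` is written out inline here for `global.revisionHistoryLimit` and again for `global.logLevel` in the `@@ -55,12 +59,11 @@` hunk, each with a copy of the same explanatory comment, which is the kind of duplication that drifts when one copy is later edited. A small named helper in _helpers.tpl would keep the two in step, e.g. `{{- define "cert-manager.isSet" -}}{{ not (has (quote .) (list "" (quote ""))) }}{{- end -}}` used as `{{- if eq (include "cert-manager.isSet" .Values.global.revisionHistoryLimit) "true" }}`. If the inline form is kept, the comment would be more useful if it said what the expression distinguishes: `{{- /* unset (nil) and "" are skipped; 0 is a valid value and must be rendered */ -}}`.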
@@ -55,12 +59,11 @@ spec:
 {{- end }}
 containers:
 - name: {{ .Chart.Name }}-cainjector
- {{- with .Values.cainjector.image }}
- image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}"
- {{- end }}
+ image: "{{ template "image" (tuple .Values.cainjector.image $.Chart.AppVersion) }}"
 imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }}
 args:
- {{- if .Values.global.logLevel }}
+ {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+ {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
 - --v={{ .Values.global.logLevel }}
 {{- end }}
 {{- with .Values.global.leaderElection }}
@@ -75,6 +78,9 @@ spec:
 - --leader-election-retry-period={{ .retryPeriod }}
 {{- end }}
 {{- end }}
+ {{- with .Values.cainjector.featureGates}}
+ - --feature-gates={{ . }}
+ {{- end}}
 {{- with .Values.cainjector.extraArgs }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
diff --git a/charts/cert-manager/cert-manager/templates/controller-config.yaml b/charts/cert-manager/cert-manager/templates/controller-config.yaml
index a1b337572..25f62ef1d 100644
--- a/charts/cert-manager/cert-manager/templates/controller-config.yaml
+++ b/charts/cert-manager/cert-manager/templates/controller-config.yaml
@@ -1,12 +1,6 @@
 {{- if .Values.config -}}
- {{- if not .Values.config.apiVersion -}}
- {{- fail "config.apiVersion must be set" -}}
- {{- end -}}
-
- {{- if not .Values.config.kind -}}
- {{- fail "config.kind must be set" -}}
- {{- end -}}
-{{- end -}}
+{{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}}
+{{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
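Review bot: `{{- with .Values.cainjector.featureGates}}` and `{{- end}}` in the `@@ -75,6 +78,9 @@` hunk drop the space before `}}` that every other action on the surrounding context lines has (`{{- end }}`, `{{- with .Values.cainjector.extraArgs }}`); write them as `{{- with .Values.cainjector.featureGates }}` and `{{- end }}`. The value is also interpolated raw into a YAML list item; the README hunk above documents it as a comma-separated list of gate names, which is plain-scalar safe, but a value starting with a YAML indicator character would break the rendered manifest, so `- {{ printf "--feature-gates=%s" . | quote }}` is the more defensive form if that matters to you. The enclosing `args:` list starts before this hunk.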
@@ -19,7 +13,6 @@ metadata:
 app.kubernetes.io/component: "controller"
 {{- include "labels" . | nindent 4 }}
 data:
- {{- if .Values.config }}
 config.yaml: |
- {{ .Values.config | toYaml | nindent 4 }}
- {{- end }}
+ {{- .Values.config | toYaml | nindent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/cert-manager/cert-manager/templates/crds.yaml b/charts/cert-manager/cert-manager/templates/crds.yaml
index 6cce90551..baec4012f 100644
--- a/charts/cert-manager/cert-manager/templates/crds.yaml
+++ b/charts/cert-manager/cert-manager/templates/crds.yaml
@@ -365,9 +365,83 @@ spec: name: description: 'Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' type: string + profile: + description: "Profile specifies the key and certificate encryption algorithms and the HMAC algorithm used to create the PKCS12 keystore. Default value is `LegacyRC2` for backward compatibility. \n If provided, allowed values are: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms (eg. because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret." + type: string + enum: + - LegacyRC2 + - LegacyDES + - Modern2023 literalSubject: description: "Requested X.509 certificate subject, represented using the LDAP \"String Representation of a Distinguished Name\" [1]. Important: the LDAP string format also specifies the order of the attributes in the subject, this is important when issuing certs for LDAP authentication. Example: `CN=foo,DC=corp,DC=example,DC=com` More info [1]: https://datatracker.ietf.org/doc/html/rfc4514 More info: https://github.com/cert-manager/cert-manager/issues/3203 More info: https://github.com/cert-manager/cert-manager/issues/4424 \n Cannot be set if the `subject` or `commonName` field is set. This is an Alpha Feature and is only enabled with the `--feature-gates=LiteralCertificateSubject=true` option set on both the controller and webhook components." type: string + nameConstraints: + description: "x.509 certificate NameConstraint extension which MUST NOT be used in a non-CA certificate. 
More Info: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10 \n This is an Alpha Feature and is only enabled with the `--feature-gates=NameConstraints=true` option set on both the controller and webhook components." + type: object + properties: + critical: + description: if true then the name constraints are marked critical. + type: boolean + excluded: + description: Excluded contains the constraints which must be disallowed. Any name matching a restriction in the excluded field is invalid regardless of information appearing in the permitted + type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + permitted: + description: Permitted contains the constraints in which the names must be located. + type: object + properties: + dnsDomains: + description: DNSDomains is a list of DNS domains that are permitted or excluded. + type: array + items: + type: string + emailAddresses: + description: EmailAddresses is a list of Email Addresses that are permitted or excluded. + type: array + items: + type: string + ipRanges: + description: IPRanges is a list of IP Ranges that are permitted or excluded. This should be a valid CIDR notation. + type: array + items: + type: string + uriDomains: + description: URIDomains is a list of URI domains that are permitted or excluded. + type: array + items: + type: string + otherNames: + description: '`otherNames` is an escape hatch for SAN that allows any type. 
We currently restrict the support to string like otherNames, cf RFC 5280 p 37 Any UTF8 String valued otherName can be passed with by setting the keys oid: x.x.x.x and UTF8Value: somevalue for `otherName`. Most commonly this would be UPN set with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any OID passed is valid for the UTF8String type as we do not explicitly validate this.' + type: array + items: + type: object + properties: + oid: + description: OID is the object identifier for the otherName SAN. The object identifier must be expressed as a dotted string, for example, "1.2.840.113556.1.4.221". + type: string + utf8Value: + description: utf8Value is the string value of the otherName SAN. The utf8Value accepts any valid UTF8 string to set as value for the otherName SAN. + type: string privateKey: description: Private key options. These include the key algorithm and size, the used encoding and the rotation policy. type: object @@ -737,10 +811,10 @@ spec: - subscriptionID properties: clientID: - description: if both this and ClientSecret are left unset MSI will be used + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' type: object required: - name 
@@ -763,14 +837,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string resourceGroupName: description: resource group the DNS zone is located in @@ -779,7 +853,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -985,13 +1059,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -1205,7 +1279,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -1235,6 +1309,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1288,7 +1374,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -1318,6 +1404,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1378,7 +1476,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -1408,6 +1506,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1461,7 +1571,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -1491,6 +1601,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -1852,10 +1974,10 @@ spec: - subscriptionID properties: clientID: - description: if both this and ClientSecret are left unset MSI will be used + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' type: object required: - name @@ -1878,14 +2000,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string resourceGroupName: description: resource group the DNS zone is located in 
@@ -1894,7 +2016,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -2100,13 +2222,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -2320,7 +2442,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -2350,6 +2472,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2403,7 +2537,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -2433,6 +2567,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2493,7 +2639,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -2523,6 +2669,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2576,7 +2734,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -2606,6 +2764,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -2723,6 +2893,11 @@ spec: type: array items: type: string + issuingCertificateURLs: + description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: + type: string ocspServers: description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". type: array @@ -3170,10 +3345,10 @@ spec: - subscriptionID properties: clientID: - description: if both this and ClientSecret are left unset MSI will be used + description: 'Auth: Azure Service Principal: The ClientID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientSecret and TenantID must also be set.' type: string clientSecretSecretRef: - description: if both this and ClientID are left unset MSI will be used + description: 'Auth: Azure Service Principal: A reference to a Secret containing the password associated with the Service Principal. If set, ClientID and TenantID must also be set.' type: object required: - name 
@@ -3196,14 +3371,14 @@ spec: description: name of the DNS zone that should be used type: string managedIdentity: - description: managed identity configuration, can not be used at the same time as clientID, clientSecretSecretRef or tenantID + description: 'Auth: Azure Workload Identity or Azure Managed Service Identity: Settings to enable Azure Workload Identity or Azure Managed Service Identity If set, ClientID, ClientSecret and TenantID must not be set.' type: object properties: clientID: description: client ID of the managed identity, can not be used at the same time as resourceID type: string resourceID: - description: resource ID of the managed identity, can not be used at the same time as clientID + description: resource ID of the managed identity, can not be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string resourceGroupName: description: resource group the DNS zone is located in @@ -3212,7 +3387,7 @@ spec: description: ID of the Azure subscription type: string tenantID: - description: when specifying ClientID and ClientSecret then this field is also needed + description: 'Auth: Azure Service Principal: The TenantID of the Azure Service Principal used to authenticate with Azure DNS. If set, ClientID and ClientSecret must also be set.' type: string cloudDNS: description: Use the Google Cloud DNS API to manage DNS01 challenge records. 
@@ -3418,13 +3593,13 @@ spec: maxLength: 253 minLength: 1 namespace: - description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. \n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" + description: "Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. \n Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. \n ParentRefs from a Route to a Service in the same namespace are \"producer\" routes, which apply default routing rules to inbound connections from any namespace to the Service. 
\n ParentRefs from a Route to a Service in a different namespace are \"consumer\" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. \n Support: Core" type: string maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ port: - description: "Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " + description: "Port is the network port this Route targets. 
It can be interpreted differently based on the type of parent resource. \n When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. \n When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. \n Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. \n For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. \n Support: Extended \n " type: integer format: int32 maximum: 65535 @@ -3638,7 +3813,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -3668,6 +3843,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -3721,7 +3908,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -3751,6 +3938,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -3811,7 +4010,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -3841,6 +4040,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -3894,7 +4105,7 @@ spec: - topologyKey properties: labelSelector: - description: A label query over a set of resources, in this case pods. + description: A label query over a set of resources, in this case pods. If it's null, this PodAffinityTerm matches with no Pods. type: object properties: matchExpressions: 
@@ -3924,6 +4135,18 @@ spec: additionalProperties: type: string x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key in (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MatchLabelKeys and LabelSelector. Also, MatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic + mismatchLabelKeys: + description: MismatchLabelKeys is a set of pod label keys to select which pods will be taken into consideration. The keys are used to lookup values from the incoming pod labels, those key-value labels are merged with `LabelSelector` as `key notin (value)` to select the group of existing pods which pods will be taken into consideration for the incoming pod's pod (anti) affinity. Keys that don't exist in the incoming pod labels will be ignored. The default value is empty. The same key is forbidden to exist in both MismatchLabelKeys and LabelSelector. Also, MismatchLabelKeys cannot be set when LabelSelector isn't set. This is an alpha field and requires enabling MatchLabelKeysInPodAffinity feature gate. + type: array + items: + type: string + x-kubernetes-list-type: atomic namespaceSelector: description: A label query over the set of namespaces that the term applies to. The term is applied to the union of the namespaces selected by this field and the ones listed in the namespaces field. null selector and null or empty namespaces list means "this pod's namespace". 
An empty selector ({}) matches all namespaces. type: object @@ -4041,6 +4264,11 @@ spec: type: array items: type: string + issuingCertificateURLs: + description: IssuingCertificateURLs is a list of URLs which this issuer should embed into certificates it creates. See https://www.rfc-editor.org/rfc/rfc5280#section-4.2.2.1 for more details. As an example, such a URL might be "http://ca.domain.com/ca.crt". + type: array + items: + type: string ocspServers: description: The OCSP server list is an X.509 v3 extension that defines a list of URLs of OCSP responders. The OCSP responders can be queried for the revocation status of an issued certificate. If not set, the certificate will be issued with no OCSP servers set. For example, an OCSP server URL could be "http://ocsp.int-x3.letsencrypt.org". type: array diff --git a/charts/cert-manager/cert-manager/templates/deployment.yaml b/charts/cert-manager/cert-manager/templates/deployment.yaml index e0f347ad9..c984de03d 100644 --- a/charts/cert-manager/cert-manager/templates/deployment.yaml +++ b/charts/cert-manager/cert-manager/templates/deployment.yaml @@ -15,6 +15,10 @@ metadata: {{- end }} spec: replicas: {{ .Values.replicaCount }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ template "cert-manager.name" . }} 
@@ -73,12 +77,11 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-controller - {{- with .Values.image }} - image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" - {{- end }} + image: "{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - {{- if .Values.global.logLevel }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} - --v={{ .Values.global.logLevel }} {{- end }} {{- if .Values.config }} diff --git a/charts/cert-manager/cert-manager/templates/podmonitor.yaml b/charts/cert-manager/cert-manager/templates/podmonitor.yaml new file mode 100644 index 000000000..1adc0609c --- /dev/null +++ b/charts/cert-manager/cert-manager/templates/podmonitor.yaml 
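Review bot: The inline image expression that emitted `@{{ .digest }}` whenever `image.digest` was set is replaced by `{{ template "image" (tuple .Values.image $.Chart.AppVersion) }}`, and the `image` helper lives in `_helpers.tpl`, which this diff does not show, so the digest-pinning path cannot be verified from the hunk. Digest pinning is the control that survives a tag being re-pushed, so please confirm the helper prefers `.digest` over `.tag` and falls back to `$.Chart.AppVersion` exactly as the removed lines did, and make that contract visible at the call site with `{{- /* image helper renders registry/repository@digest when image.digest is set, else :tag (default: Chart.AppVersion) */ -}}`. A smaller point on the new `--v` guard: `quote` of a boolean also fails the `has` test, so a value like `logLevel: false` renders `--v=false`; the comment should say the value must be an integer in 0–6 or the guard should check the type. The `containers` block continues past the end of this hunk.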
@@ -0,0 +1,50 @@ +{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }} +{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }} +{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "cert-manager.fullname" . }} +{{- if .Values.prometheus.podmonitor.namespace }} + namespace: {{ .Values.prometheus.podmonitor.namespace }} +{{- else }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }} + {{- with .Values.prometheus.podmonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.prometheus.podmonitor.annotations }} + annotations: + {{- with .Values.prometheus.podmonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +spec: + jobLabel: {{ template "cert-manager.fullname" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- if .Values.prometheus.podmonitor.namespace }} + namespaceSelector: + matchNames: + - {{ include "cert-manager.namespace" . 
}} +{{- end }} + podMetricsEndpoints: + - port: http-metrics + path: {{ .Values.prometheus.podmonitor.path }} + interval: {{ .Values.prometheus.podmonitor.interval }} + scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }} + honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }} + {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/cert-manager/cert-manager/templates/service.yaml b/charts/cert-manager/cert-manager/templates/service.yaml index ec34d5878..3d5df905e 100644 --- a/charts/cert-manager/cert-manager/templates/service.yaml +++ b/charts/cert-manager/cert-manager/templates/service.yaml @@ -1,4 +1,4 @@ -{{- if .Values.prometheus.enabled }} +{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }} apiVersion: v1 kind: Service metadata: diff --git a/charts/cert-manager/cert-manager/templates/servicemonitor.yaml b/charts/cert-manager/cert-manager/templates/servicemonitor.yaml index bfb2292ff..b63886077 100644 --- a/charts/cert-manager/cert-manager/templates/servicemonitor.yaml +++ b/charts/cert-manager/cert-manager/templates/servicemonitor.yaml @@ -1,4 +1,6 @@ -{{- if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} +{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }} +{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }} +{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: diff --git a/charts/cert-manager/cert-manager/templates/startupapicheck-job.yaml b/charts/cert-manager/cert-manager/templates/startupapicheck-job.yaml index 52aadecc2..311b4c48e 100644 --- a/charts/cert-manager/cert-manager/templates/startupapicheck-job.yaml 
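Review bot: `podMetricsEndpoints` in the new `podmonitor.yaml` merges `.Values.prometheus.servicemonitor.endpointAdditionalProperties` rather than a `podmonitor` counterpart, so ServiceMonitor-only endpoint settings (TLS, auth headers, relabelings) are silently copied onto the PodMonitor and any `prometheus.podmonitor.endpointAdditionalProperties` a user sets is ignored. Change the block to `{{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}`, assuming values.yaml defines that key next to the other `podmonitor.*` fields this template reads (`path`, `interval`, `scrapeTimeout`, `honorLabels`; the values hunk for that section is not in view) — if it does not, add it rather than sharing the servicemonitor one. Separately, the mutual-exclusion `fail` now appears with identical text here and in `servicemonitor.yaml`; a single shared guard (or a values.schema.json constraint, if the chart ships one) would keep the two from drifting.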
+++ b/charts/cert-manager/cert-manager/templates/startupapicheck-job.yaml @@ -47,9 +47,7 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-startupapicheck - {{- with .Values.startupapicheck.image }} - image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" - {{- end }} + image: "{{ template "image" (tuple .Values.startupapicheck.image $.Chart.AppVersion) }}" imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }} args: - check diff --git a/charts/cert-manager/cert-manager/templates/webhook-config.yaml b/charts/cert-manager/cert-manager/templates/webhook-config.yaml index f3f72f02e..8f3ce20c3 100644 --- a/charts/cert-manager/cert-manager/templates/webhook-config.yaml +++ b/charts/cert-manager/cert-manager/templates/webhook-config.yaml @@ -1,12 +1,6 @@ {{- if .Values.webhook.config -}} - {{- if not .Values.webhook.config.apiVersion -}} - {{- fail "webhook.config.apiVersion must be set" -}} - {{- end -}} - - {{- if not .Values.webhook.config.kind -}} - {{- fail "webhook.config.kind must be set" -}} - {{- end -}} -{{- end -}} +{{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}} +{{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}} apiVersion: v1 kind: ConfigMap metadata: @@ -19,7 +13,6 @@ metadata: app.kubernetes.io/component: "webhook" {{- include "labels" . | nindent 4 }} data: - {{- if .Values.webhook.config }} config.yaml: | - {{ .Values.webhook.config | toYaml | nindent 4 }} - {{- end }} + {{- .Values.webhook.config | toYaml | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/charts/cert-manager/cert-manager/templates/webhook-deployment.yaml b/charts/cert-manager/cert-manager/templates/webhook-deployment.yaml index 99830f953..e55cd4361 100644 --- a/charts/cert-manager/cert-manager/templates/webhook-deployment.yaml 
+++ b/charts/cert-manager/cert-manager/templates/webhook-deployment.yaml @@ -15,6 +15,10 @@ metadata: {{- end }} spec: replicas: {{ .Values.webhook.replicaCount }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + {{- end }} selector: matchLabels: app.kubernetes.io/name: {{ include "webhook.name" . }} @@ -60,12 +64,11 @@ spec: {{- end }} containers: - name: {{ .Chart.Name }}-webhook - {{- with .Values.webhook.image }} - image: "{{- if .registry -}}{{ .registry }}/{{- end -}}{{ .repository }}{{- if (.digest) -}} @{{ .digest }}{{- else -}}:{{ default $.Chart.AppVersion .tag }} {{- end -}}" - {{- end }} + image: "{{ template "image" (tuple .Values.webhook.image $.Chart.AppVersion) }}" imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} args: - {{- if .Values.global.logLevel }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} - --v={{ .Values.global.logLevel }} {{- end }} {{- if .Values.webhook.config }} diff --git a/charts/cert-manager/cert-manager/templates/webhook-mutating-webhook.yaml b/charts/cert-manager/cert-manager/templates/webhook-mutating-webhook.yaml index f3db011ef..9ea29777d 100644 --- a/charts/cert-manager/cert-manager/templates/webhook-mutating-webhook.yaml +++ b/charts/cert-manager/cert-manager/templates/webhook-mutating-webhook.yaml 
@@ -15,17 +15,19 @@ metadata: {{- end }} webhooks: - name: webhook.cert-manager.io + {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 6 }} + {{- end }} rules: - apiGroups: - "cert-manager.io" - - "acme.cert-manager.io" apiVersions: - "v1" operations: - CREATE - - UPDATE resources: - - "*/*" + - "certificaterequests" admissionReviewVersions: ["v1"] # This webhook only accepts v1 cert-manager resources. # Equivalent matchPolicy ensures that non-v1 resource requests are sent to @@ -43,4 +45,4 @@ webhooks: name: {{ template "webhook.fullname" . }} namespace: {{ include "cert-manager.namespace" . }} path: /mutate - {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/cert-manager/cert-manager/templates/webhook-validating-webhook.yaml b/charts/cert-manager/cert-manager/templates/webhook-validating-webhook.yaml index ce33cc797..76235fdee 100644 --- a/charts/cert-manager/cert-manager/templates/webhook-validating-webhook.yaml +++ b/charts/cert-manager/cert-manager/templates/webhook-validating-webhook.yaml @@ -15,12 +15,10 @@ metadata: {{- end }} webhooks: - name: webhook.cert-manager.io + {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }} namespaceSelector: - matchExpressions: - - key: "cert-manager.io/disable-validation" - operator: "NotIn" - values: - - "true" + {{- toYaml . | nindent 6 }} + {{- end }} rules: - apiGroups: - "cert-manager.io" diff --git a/charts/cert-manager/cert-manager/values.yaml b/charts/cert-manager/cert-manager/values.yaml index 2d47d7141..885ae024b 100644 --- a/charts/cert-manager/cert-manager/values.yaml +++ b/charts/cert-manager/cert-manager/values.yaml 
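Review bot: The rule narrowing in the mutating webhook hunk — only `certificaterequests`, only `CREATE`, the `acme.cert-manager.io` group dropped — changes an admission boundary and the template leaves it unexplained, so the next person touching `rules` cannot tell whether `UPDATE` was removed deliberately. A short comment above `rules:` would settle it, e.g. `# Mutation is only needed when a CertificateRequest is created; presumably the fields it sets are immutable afterwards — confirm against the webhook server before re-adding UPDATE or other resources.` The new `namespaceSelector` block is fine as written: with the chart default of `{}` the `with` guard emits nothing and the webhook keeps matching every namespace, as it did before.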
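Review bot: The `with` guard in the validating webhook hunk means an override of `webhook.validatingWebhookConfiguration.namespaceSelector: {}` renders no `namespaceSelector` at all, so validation then applies to every namespace, including ones labelled `cert-manager.io/disable-validation=true` that the previous hard-coded selector skipped. That is stricter rather than weaker, but it is a silent behaviour flip for anyone who sets the value to empty expecting the old default, and nothing in the template says so. A one-line comment above the `with`, e.g. `# An empty value renders no namespaceSelector, i.e. every namespace is validated`, would make it explicit.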
@@ -1,11 +1,16 @@ +# +docs:section=Global + # Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: # Reference to one or more secrets to be used when pulling images # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # + # For example: + # imagePullSecrets: + # - name: "image-pull-secret" imagePullSecrets: [] - # - name: "image-pull-secret" # Labels to apply to all resources # Please note that this does not add labels to the resources created dynamically by the controllers. @@ -15,17 +20,26 @@ global: # eg. secretTemplate in CertificateSpec # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec commonLabels: {} - # team_name: dev + + # The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # +docs:property + # revisionHistoryLimit: 1 # Optional priority class to be used for the cert-manager pods priorityClassName: "" + rbac: + # Create required ClusterRoles and ClusterRoleBindings for cert-manager create: true # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles aggregateClusterRoles: true podSecurityPolicy: + # Create PodSecurityPolicy for cert-manager + # + # NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 enabled: false + # Configure the PodSecurityPolicy to use AppArmor useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. 
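Review bot: The new comment on `rbac.create` documents the ClusterRoles, but the security-relevant sibling `aggregateClusterRoles: true` keeps only its one-line description, and since aggregation into the built-in user-facing roles is what hands cert-manager API access to every subject bound to those roles, the default deserves a sentence saying so. Suggested wording: `# When true, cert-manager's ClusterRoles are aggregated into the built-in admin/edit/view roles, so every subject bound to those roles gains the corresponding access to cert-manager resources; set to false if you manage that access separately.` The PodSecurityPolicy note (deprecated in 1.21, removed in 1.25) is accurate and a good addition.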
@@ -39,34 +53,67 @@ global: # leadership renewal until attempting to acquire leadership of a led but # unrenewed leader slot. This is effectively the maximum duration that a # leader can be stopped before it is replaced by another candidate. + # +docs:property # leaseDuration: 60s # The interval between attempts by the acting master to renew a leadership # slot before it stops leading. This must be less than or equal to the # lease duration. + # +docs:property # renewDeadline: 40s # The duration the clients should wait between attempting acquisition and # renewal of a leadership. + # +docs:property # retryPeriod: 15s +# Install the cert-manager CRDs, it is recommended to not use Helm to manage +# the CRDs installCRDs: false +# +docs:section=Controller + +# Number of replicas of the cert-manager controller to run. +# +# The default is 1, but in production you should set this to 2 or 3 to provide high +# availability. +# +# If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. +# +# Note: cert-manager uses leader election to ensure that there can +# only be a single instance active at a time. replicaCount: 1 +# Deployment update strategy for the cert-manager controller deployment. +# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# +# For example: +# strategy: +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. enabled: false - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 
25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property # maxUnavailable: 1 # Comma separated list of feature gates that should be enabled on the @@ -77,17 +124,24 @@ featureGates: "" maxConcurrentChallenges: 60 image: - repository: quay.io/jetstack/cert-manager-controller - # You can manage a registry with + # The container registry to pull the manager image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-controller + + # The container image for the cert-manager controller + # +docs:property + repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer 
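Review bot: The `digest` example in the controller `image` hunk shows a concrete-looking `sha256:0e072ddd…` value with nothing marking it as a placeholder, unlike the `tag: vX.Y.Z` example directly above it, so a user pinning by digest may paste it verbatim and get a pull failure. Make it an obvious placeholder and say what it buys: `# Pin the image by digest for a content-addressed reference that a moved tag cannot silently change; take the digest from the registry for the exact image you verified.` followed by `# digest: sha256:<digest-of-the-verified-image>`. The note that a digest overrides the tag is correct and should stay.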
@@ -103,17 +157,25 @@ namespace: "" serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} - # Automount API credentials for a Service Account. + # Optional additional labels to add to the controller's ServiceAccount + # +docs:property # labels: {} + + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod +# +docs:property # automountServiceAccountToken: true # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted 
@@ -123,24 +185,39 @@ enableCertificateOwnerRef: false # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. -config: -# apiVersion: controller.config.cert-manager.io/v1alpha1 -# kind: ControllerConfiguration -# logging: -# verbosity: 2 -# format: text -# leaderElectionConfig: -# namespace: kube-system -# kubernetesAPIQPS: 9000 -# kubernetesAPIBurst: 9000 -# numberOfConcurrentWorkers: 200 -# featureGates: -# additionalCertificateOutputFormats: true -# experimentalCertificateSigningRequestControllers: true -# experimentalGatewayAPISupport: true -# serverSideApply: true -# literalCertificateSubject: true -# useCertificateRequestBasicConstraints: true +# +# For example: +# config: +# apiVersion: controller.config.cert-manager.io/v1alpha1 +# kind: ControllerConfiguration +# logging: +# verbosity: 2 +# format: text +# leaderElectionConfig: +# namespace: kube-system +# kubernetesAPIQPS: 9000 +# kubernetesAPIBurst: 9000 +# numberOfConcurrentWorkers: 200 +# featureGates: +# AdditionalCertificateOutputFormats: true +# DisallowInsecureCSRUsageDefinition: true +# ExperimentalCertificateSigningRequestControllers: true +# ExperimentalGatewayAPISupport: true +# LiteralCertificateSubject: true +# SecretsFilteredCaching: true +# ServerSideApply: true +# StableCertificateRequestName: true +# UseCertificateRequestBasicConstraints: true +# ValidateCAA: true +# metricsTLSConfig: +# dynamic: +# secretNamespace: "cert-manager" +# secretName: "cert-manager-metrics-ca" +# dnsNames: +# - cert-manager-metrics +# - cert-manager-metrics.cert-manager +# - cert-manager-metrics.cert-manager.svc +config: {} # Setting Nameservers for DNS01 Self Check # See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check 
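Review bot: The `config` example in this hunk lists ten feature gates, several named `Experimental*`, without saying the block is illustrative rather than a recommended baseline, so a reader who copies it as a starting point enables every experimental controller at once. A lead-in line such as `# The featureGates below are examples only; enable a gate only after reading its documentation, and treat the Experimental* gates as unsupported for production.` keeps the example useful without implying endorsement. The gate names were also switched from lower-camel to PascalCase in this hunk; if the previous spelling is no longer accepted by the controller, a note saying so would help people upgrading existing values files.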
@@ -154,21 +231,32 @@ dns01RecursiveNameserversOnly: false # Additional command line flags to pass to cert-manager controller binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +# +# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver +# +# For example: +# extraArgs: +# - --controllers=*,-certificaterequests-approver extraArgs: [] - # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver - # - --controllers=*,-certificaterequests-approver +# Additional environment variables to pass to cert-manager controller binary. extraEnv: [] # - name: SOME_VAR # value: 'some value' +# Resources to provide to the cert-manager controller pod +# +# For example: +# requests: +# cpu: 10m +# memory: 32Mi +# +# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi # Pod Security Context # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property securityContext: runAsNonRoot: true seccompProfile: 
@@ -176,31 +264,37 @@ securityContext: # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - + readOnlyRootFilesystem: true +# Additional volumes to add to the cert-manager controller pod. volumes: [] +# Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # Optional additional annotations to add to the controller Deployment +# +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the controller Pods +# +docs:property # podAnnotations: {} +# Optional additional labels to add to the controller Pods podLabels: {} # Optional annotations to add to the controller Service +# +docs:property # serviceAnnotations: {} # Optional additional labels to add to the controller Service +# +docs:property # serviceLabels: {} # Optional DNS settings, useful if you have a public and private DNS zone for 
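Review bot: `readOnlyRootFilesystem: true` goes from a commented-out suggestion to the active default in this hunk, which is a hardening change that alters the running controller's filesystem contract, yet neither the comment above `containerSecurityContext` nor the new `volumes`/`volumeMounts` descriptions mention it. Anything the controller (or an option passed via `extraArgs`) writes to the container root will now fail, and the `volumes` docs are the natural place to say how to supply a writable scratch mount. Suggested addition above `containerSecurityContext:`: `# readOnlyRootFilesystem is enabled by default; if writable scratch space is needed, add an emptyDir via volumes/volumeMounts rather than relaxing this setting.`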
@@ -208,41 +302,65 @@ podLabels: {} # cert-manager can access an ingress or DNS TXT records at all times. # NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for # the cluster to work. + +# Pod DNS policy +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# +docs:property # podDnsPolicy: "None" + +# Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy +# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +# +docs:property # podDnsConfig: # nameservers: # - "1.1.1.1" # - "8.8.8.8" +# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with +# matching labels. +# See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +# +# This default ensures that Pods are only scheduled to Linux nodes. +# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+# +docs:property nodeSelector: kubernetes.io/os: linux +# +docs:ignore ingressShim: {} + + # Optional default issuer to use for ingress resources + # +docs:property=ingressShim.defaultIssuerName # defaultIssuerName: "" + + # Optional default issuer kind to use for ingress resources + # +docs:property=ingressShim.defaultIssuerKind # defaultIssuerKind: "" + + # Optional default issuer group to use for ingress resources + # +docs:property=ingressShim.defaultIssuerGroup # defaultIssuerGroup: "" -prometheus: - enabled: true - servicemonitor: - enabled: false - prometheusInstance: default - targetPort: 9402 - path: /metrics - interval: 60s - scrapeTimeout: 30s - labels: {} - annotations: {} - honorLabels: false - endpointAdditionalProperties: {} - # Use these variables to configure the HTTP_PROXY environment variables + +# Configures the HTTP_PROXY environment variable for where a HTTP proxy is required +# +docs:property # http_proxy: "http://proxy:8080" + +# Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required +# +docs:property # https_proxy: "https://proxy:8080" + +# Configures the NO_PROXY environment variable for where a HTTP proxy is required, +# but certain domains should be excluded +# +docs:property # no_proxy: 127.0.0.1,localhost -# A Kubernetes Affinty, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core -# for example: + +# A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core +# +# For example: # affinity: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: @@ -255,7 +373,8 @@ prometheus: affinity: {} # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core -# for example: +# +# For example: # tolerations: # - key: foo.bar.com/role # operator: Equal 
@@ -264,7 +383,8 @@ affinity: {} tolerations: [] # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core -# for example: +# +# For example: # topologySpreadConstraints: # - maxSkew: 2 # topologyKey: topology.kubernetes.io/zone @@ -277,14 +397,14 @@ topologySpreadConstraints: [] # LivenessProbe settings for the controller container of the controller Pod. # -# Disabled by default, because the controller has a leader election mechanism -# which should cause it to exit if it is unable to renew its leader election -# record. +# Enabled by default, because we want to enable the clock-skew liveness probe that +# restarts the controller in case of a skew between the system clock and the monotonic clock. # LivenessProbe durations and thresholds are based on those used for the Kubernetes # controller-manager. See: # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 +# +docs:property livenessProbe: - enabled: false + enabled: true initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 15 
@@ -296,74 +416,241 @@ livenessProbe: # links. enableServiceLinks: false +# +docs:section=Prometheus + +prometheus: + # Enable Prometheus monitoring for the cert-manager controller to use with the + # Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or + # `prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment + # resources. Additionally, a service is created which can be used together + # with your own ServiceMonitor (managed outside of this Helm chart). + # Otherwise, a ServiceMonitor/ PodMonitor is created. + enabled: true + servicemonitor: + # Create a ServiceMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created ServiceMonitor, this is + # used when different Prometheus instances have label selectors matching + # different ServiceMonitors. + prometheusInstance: default + + # The target port to set on the ServiceMonitor, should match the port that + # cert-manager controller is listening on for metrics + targetPort: 9402 + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the ServiceMonitor + labels: {} + + # Additional annotations to add to the ServiceMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + + # Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error. 
+ podmonitor: + # Create a PodMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created PodMonitor, this is + # used when different Prometheus instances have label selectors matching + # different PodMonitor. + prometheusInstance: default + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the PodMonitor + labels: {} + + # Additional annotations to add to the PodMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + +# +docs:section=Webhook + webhook: + # Number of replicas of the cert-manager webhook to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. replicaCount: 1 - timeoutSeconds: 10 + + # Seconds the API server should wait for the webhook to respond before treating the call as a failure. + # Value must be between 1 and 30 seconds. See: + # https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + # + # We set the default to the maximum value of 30 seconds. Here's why: + # Users sometimes report that the connection between the K8S API server and + # the cert-manager webhook server times out. 
+ # If *this* timeout is reached, the error message will be "context deadline exceeded", + # which doesn't help the user diagnose what phase of the HTTPS connection timed out. + # For example, it could be during DNS resolution, TCP connection, TLS + # negotiation, HTTP negotiation, or slow HTTP response from the webhook + # server. + # So by setting this timeout to its maximum value the underlying timeout error + # message has more chance of being returned to the end user. + timeoutSeconds: 30 # Used to configure options for the webhook pod. # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. - config: - # apiVersion: webhook.config.cert-manager.io/v1alpha1 - # kind: WebhookConfiguration - - # The port that the webhook should listen on for requests. - # In GKE private clusters, by default kubernetes apiservers are allowed to - # talk to the cluster nodes only on 443 and 10250. so configuring - # securePort: 10250, will work out of the box without needing to add firewall - # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. - # This should be uncommented and set as a default by the chart once we graduate - # the apiVersion of WebhookConfiguration past v1alpha1. - # securePort: 10250 + # + # For example: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + # # The port that the webhook should listen on for requests. + # # In GKE private clusters, by default kubernetes apiservers are allowed to + # # talk to the cluster nodes only on 443 and 10250. so configuring + # # securePort: 10250, will work out of the box without needing to add firewall + # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. + # # This should be uncommented and set as a default by the chart once we graduate + # # the apiVersion of WebhookConfiguration past v1alpha1. 
+ # securePort: 10250 + config: {} + # Deployment update strategy for the cert-manager webhook deployment. + # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - # minAvailable: 1 - # maxUnavailable: 1 - # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + readOnlyRootFilesystem: true + + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). 
+ # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 # Optional additional annotations to add to the webhook Deployment + # +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the webhook Pods + # +docs:property # podAnnotations: {} # Optional additional annotations to add to the webhook Service + # +docs:property # serviceAnnotations: {} # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # +docs:property # mutatingWebhookConfigurationAnnotations: {} # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # +docs:property # validatingWebhookConfigurationAnnotations: {} + validatingWebhookConfiguration: + # Configure spec.namespaceSelector for validating webhooks. + # +docs:property + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + + mutatingWebhookConfiguration: + # Configure spec.namespaceSelector for mutating webhooks. + # +docs:property + namespaceSelector: {} + # matchLabels: + # key: value + # matchExpressions: + # - key: kubernetes.io/metadata.name + # operator: NotIn + # values: + # - kube-system + + # Additional command line flags to pass to cert-manager webhook binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help extraArgs: [] 
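Review bot: The default `validatingWebhookConfiguration.namespaceSelector` in this hunk encodes a real security switch — any namespace labelled `cert-manager.io/disable-validation=true` is skipped by the validating webhook — but its only description is `Configure spec.namespaceSelector for validating webhooks.`, which does not tell an operator that anyone able to label namespaces can opt them out of validation. Suggest replacing that line with `# Namespaces matching this selector are validated; the default skips namespaces labelled cert-manager.io/disable-validation=true, so restrict who may set that label. An empty value removes the selector entirely, i.e. every namespace is validated.` The same hunk also flips the webhook's `readOnlyRootFilesystem` to `true` without an upgrade note, the same gap as in the controller section.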
@@ -374,20 +661,31 @@ webhook: # webhook pod. featureGates: "" + # Resources to provide to the cert-manager webhook pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## + # Liveness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + + # Readiness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 
@@ -395,13 +693,51 @@ webhook: successThreshold: 1 timeoutSeconds: 1 + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller topologySpreadConstraints: [] # Optional additional labels to add to the Webhook Pods 
@@ -411,34 +747,48 @@ webhook: serviceLabels: {} image: - repository: quay.io/jetstack/cert-manager-webhook - # You can manage a registry with + # The container registry to pull the webhook image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-webhook + + # The container image for the cert-manager webhook + # +docs:property + repository: quay.io/jetstack/cert-manager-webhook # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} + # Optional additional labels to add to the webhook's ServiceAccount + # +docs:property # labels: {} + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true # The port that the webhook should listen on for requests. @@ -463,7 +813,10 @@ webhook: # webhook to outside of the cluster. In some cases, the control plane cannot # reach internal services. serviceType: ClusterIP - # loadBalancerIP: + + # Specify the load balancer IP for the created service + # +docs:property + # loadBalancerIP: "10.10.10.10" # Overrides the mutating webhook and validating webhook so they reach the webhook # service using the `url` field instead of a service. 
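Review bot: The new comment on `webhook.serviceAccount.annotations` reads `Optional additional annotations to add to the controller's ServiceAccount`, which is a copy-paste from the controller section; the `labels` entry just below correctly says `webhook's ServiceAccount`. Change it to `# Optional additional annotations to add to the webhook's ServiceAccount` so generated docs do not point users at the wrong resource.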
@@ -472,11 +825,20 @@ webhook: # Enables default network policies for webhooks. networkPolicy: + # Create network policies for the webhooks enabled: false + + # Ingress rule for the webhook network policy, by default will allow all + # inbound traffic + # +docs:property ingress: - from: - ipBlock: cidr: 0.0.0.0/0 + + # Egress rule for the webhook network policy, by default will allow all + # outbound traffic traffic to ports 80 and 443, as well as DNS ports + # +docs:property egress: - ports: - port: 80 @@ -495,7 +857,10 @@ webhook: - ipBlock: cidr: 0.0.0.0/0 + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
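Review bot: The new egress comment in the `networkPolicy` hunk has a doubled word, `will allow all outbound traffic traffic to ports 80 and 443`, and neither new comment warns that the default ingress rule (`ipBlock: cidr: 0.0.0.0/0`) admits any source, so enabling the policy is effectively allow-all on ingress unless the value is narrowed. Suggest `# Ingress rule for the webhook network policy; the default allows all inbound traffic, so restrict the cidr to the API server source range(s) when enabling this policy.` and fix the egress line to `# Egress rule for the webhook network policy; by default allows outbound traffic to ports 80 and 443, as well as DNS ports.`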
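Review bot: Both new comments in the `volumes`/`volumeMounts` hunk describe the `cert-manager controller` pod and container, but these keys sit under the `webhook:` section (the hunk header says `webhook:`), so they were copied from the controller block unchanged. They should read `# Additional volumes to add to the cert-manager webhook pod.` and `# Additional volume mounts to add to the cert-manager webhook container.`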
@@ -503,47 +868,94 @@ webhook: # links. enableServiceLinks: false +# +docs:section=CA Injector + cainjector: + # Create the CA Injector deployment enabled: true + + # Number of replicas of the cert-manager cainjector to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + # + # Note: cert-manager uses leader election to ensure that there can + # only be a single instance active at a time. replicaCount: 1 + # Used to configure options for the cainjector pod. + # This allows setting options that'd usually be provided via flags. + # An APIVersion and Kind must be specified in your values.yaml file. + # Flags will override options that are set here. + # + # For example: + # apiVersion: cainjector.config.cert-manager.io/v1alpha1 + # kind: CAInjectorConfiguration + # logging: + # verbosity: 2 + # format: text + # leaderElectionConfig: + # namespace: kube-system + config: {} + + # Deployment update strategy for the cert-manager cainjector deployment. + # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 
25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - # minAvailable: 1 - # maxUnavailable: 1 - # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + readOnlyRootFilesystem: true + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 # Optional additional annotations to add to the cainjector Deployment + # +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the cainjector Pods + # +docs:property # podAnnotations: {} # Additional command line flags to pass to cert-manager cainjector binary. 
@@ -552,55 +964,120 @@ cainjector: # Enable profiling for cainjector # - --enable-profiling=true - resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + # Comma separated list of feature gates that should be enabled on the + # cainjector pod. + featureGates: "" + # Resources to provide to the cert-manager cainjector pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller 
topologySpreadConstraints: [] # Optional additional labels to add to the CA Injector Pods podLabels: {} image: - repository: quay.io/jetstack/cert-manager-cainjector - # You can manage a registry with + # The container registry to pull the cainjector image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-cainjector + + # The container image for the cert-manager cainjector + # +docs:property + repository: quay.io/jetstack/cert-manager-cainjector # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} - # Automount API credentials for a Service Account. + # Optional additional labels to add to the cainjector's ServiceAccount + # +docs:property # labels: {} + + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
@@ -608,32 +1085,46 @@ cainjector: # links. enableServiceLinks: false +# +docs:section=ACME Solver + acmesolver: image: - repository: quay.io/jetstack/cert-manager-acmesolver - # You can manage a registry with + # The container registry to pull the acmesolver image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-acmesolver + + # The container image for the cert-manager acmesolver + # +docs:property + repository: quay.io/jetstack/cert-manager-acmesolver # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + +# +docs:section=Startup API Check # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. -# The check is implemented using a Kubernetes Job- if you are injecting mesh +# The check is implemented using a Kubernetes Job - if you are injecting mesh # sidecar proxies into cert-manager pods, you probably want to ensure that they # are not injected into this Job's pod. Otherwise the installation may time out # due to the Job never being completed because the sidecar proxy does not exit. # See https://github.com/cert-manager/cert-manager/pull/4414 for context. + startupapicheck: + # Enables the startup api check enabled: true # Pod Security Context to be set on the startupapicheck component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: 
@@ -641,13 +1132,13 @@ startupapicheck: # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true + readOnlyRootFilesystem: true # Timeout for 'kubectl check api' command timeout: 1m 
@@ -656,56 +1147,105 @@ startupapicheck: backoffLimit: 4 # Optional additional annotations to add to the startupapicheck Job + # +docs:property jobAnnotations: helm.sh/hook: post-install helm.sh/hook-weight: "1" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Optional additional annotations to add to the startupapicheck Pods + # +docs:property # podAnnotations: {} # Additional command line flags to pass to startupapicheck binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help - extraArgs: [] + # + # We enable verbose logging by default so that if startupapicheck fails, users + # can know what exactly caused the failure. Verbose logs include details of + # the webhook URL, IP address and TCP connect errors for example. + # +docs:property + extraArgs: + - -v + # Resources to provide to the cert-manager controller pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] # Optional additional labels to add to the startupapicheck Pods podLabels: {} image: - repository: quay.io/jetstack/cert-manager-ctl - # You can manage a registry with + # The container registry to pull the startupapicheck image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-ctl + + # The container image for the cert-manager startupapicheck + # +docs:property + repository: quay.io/jetstack/cert-manager-startupapicheck # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent rbac: # annotations for the startup API Check job RBAC and PSP resources + # +docs:property annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true serviceAccount: 
@@ -714,21 +1254,28 @@ startupapicheck: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" # Optional additional annotations to add to the Job's ServiceAccount + # +docs:property annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automount API credentials for a Service Account. + # +docs:property automountServiceAccountToken: true # Optional additional labels to add to the startupapicheck's ServiceAccount + # +docs:property # labels: {} + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be diff --git a/charts/clastix/kamaji/Chart.yaml b/charts/clastix/kamaji/Chart.yaml index c37e5b891..df1341fe9 100644 --- a/charts/clastix/kamaji/Chart.yaml +++ b/charts/clastix/kamaji/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21.0-0' catalog.cattle.io/release-name: kamaji apiVersion: v2 -appVersion: v0.4.0 +appVersion: v0.4.1 description: Kamaji is a Kubernetes Control Plane Manager. home: https://github.com/clastix/kamaji icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png @@ -20,4 +20,4 @@ name: kamaji sources: - https://github.com/clastix/kamaji type: application -version: 0.14.0 +version: 0.14.1 diff --git a/charts/clastix/kamaji/README.md b/charts/clastix/kamaji/README.md index 8a79a014b..70e77a0b7 100644 --- a/charts/clastix/kamaji/README.md +++ b/charts/clastix/kamaji/README.md 
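Review bot: The startupapicheck image repository is changed to `quay.io/jetstack/cert-manager-startupapicheck`, but the context comment earlier in this hunk still says `# To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help`, so the documented image no longer matches the one deployed; update it to `# To see all available flags run docker run quay.io/jetstack/cert-manager-startupapicheck:<tag> --help` (the existing line is also missing a tag after the colon). Separately, `extraArgs` now defaults to `- -v`, and the accompanying comment says the verbose output includes the webhook URL and IP address; it is worth stating in that comment that this detail ends up in the post-install Job's pod logs and that clusters which restrict log content can set `extraArgs: []`.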
@@ -1,6 +1,6 @@ # kamaji -![Version: 0.14.0](https://img.shields.io/badge/Version-0.14.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.0](https://img.shields.io/badge/AppVersion-v0.4.0-informational?style=flat-square) +![Version: 0.14.1](https://img.shields.io/badge/Version-0.14.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.4.1](https://img.shields.io/badge/AppVersion-v0.4.1-informational?style=flat-square) Kamaji is a Kubernetes Control Plane Manager. diff --git a/charts/cockroach-labs/cockroachdb/Chart.yaml b/charts/cockroach-labs/cockroachdb/Chart.yaml index 3e456b8ff..16e4963ba 100644 --- a/charts/cockroach-labs/cockroachdb/Chart.yaml +++ b/charts/cockroach-labs/cockroachdb/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.8-0' catalog.cattle.io/release-name: cockroachdb apiVersion: v1 -appVersion: 23.1.14 +appVersion: 23.2.0 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. home: https://www.cockroachlabs.com icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png @@ -14,4 +14,4 @@ maintainers: name: cockroachdb sources: - https://github.com/cockroachdb/cockroach -version: 11.2.4 +version: 12.0.0 diff --git a/charts/cockroach-labs/cockroachdb/README.md b/charts/cockroach-labs/cockroachdb/README.md index 513b98b98..8b494f876 100644 --- a/charts/cockroach-labs/cockroachdb/README.md +++ b/charts/cockroach-labs/cockroachdb/README.md 
@@ -229,10 +229,10 @@ kubectl get pods \ ``` ``` -my-release-cockroachdb-0 cockroachdb/cockroach:v23.1.14 -my-release-cockroachdb-1 cockroachdb/cockroach:v23.1.14 -my-release-cockroachdb-2 cockroachdb/cockroach:v23.1.14 -my-release-cockroachdb-3 cockroachdb/cockroach:v23.1.14 +my-release-cockroachdb-0 cockroachdb/cockroach:v23.2.0 +my-release-cockroachdb-1 cockroachdb/cockroach:v23.2.0 +my-release-cockroachdb-2 cockroachdb/cockroach:v23.2.0 +my-release-cockroachdb-3 cockroachdb/cockroach:v23.2.0 ``` Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade: @@ -316,7 +316,7 @@ For details see the [`values.yaml`](values.yaml) file. | `conf.store.size` | CockroachDB storage size | `""` | | `conf.store.attrs` | CockroachDB storage attributes | `""` | | `image.repository` | Container image name | `cockroachdb/cockroach` | -| `image.tag` | Container image tag | `v23.1.14` | +| `image.tag` | Container image tag | `v23.2.0` | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` | | `statefulset.replicas` | StatefulSet replicas number | `3` | diff --git a/charts/cockroach-labs/cockroachdb/templates/certificate.client.yaml b/charts/cockroach-labs/cockroachdb/templates/certificate.client.yaml index d8bf96808..dd0272f3e 100644 --- a/charts/cockroach-labs/cockroachdb/templates/certificate.client.yaml +++ b/charts/cockroach-labs/cockroachdb/templates/certificate.client.yaml 
@@ -28,7 +28,13 @@ spec: - Cockroach secretName: {{ .Values.tls.certs.clientRootSecret }} issuerRef: + {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }} name: {{ template "cockroachdb.fullname" . }}-ca-issuer kind: Issuer group: cert-manager.io + {{- else }} + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} + {{- end }} {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/templates/certificate.node.yaml b/charts/cockroach-labs/cockroachdb/templates/certificate.node.yaml index 3392008a8..05e909d0b 100644 --- a/charts/cockroach-labs/cockroachdb/templates/certificate.node.yaml +++ b/charts/cockroach-labs/cockroachdb/templates/certificate.node.yaml @@ -38,7 +38,13 @@ spec: - {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }} secretName: {{ .Values.tls.certs.nodeSecret }} issuerRef: + {{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }} name: {{ template "cockroachdb.fullname" . }}-ca-issuer kind: Issuer group: cert-manager.io + {{- else }} + name: {{ .Values.tls.certs.certManagerIssuer.name }} + kind: {{ .Values.tls.certs.certManagerIssuer.kind }} + group: {{ .Values.tls.certs.certManagerIssuer.group }} + {{- end }} {{- end }} diff --git a/charts/cockroach-labs/cockroachdb/values.yaml b/charts/cockroach-labs/cockroachdb/values.yaml index ea1d0ed8a..90291a9b3 100644 --- a/charts/cockroach-labs/cockroachdb/values.yaml +++ b/charts/cockroach-labs/cockroachdb/values.yaml @@ -7,7 +7,7 @@ fullnameOverride: "" image: repository: cockroachdb/cockroach - tag: v23.1.14 + tag: v23.2.0 pullPolicy: IfNotPresent credentials: {} # registry: docker.io diff --git a/charts/crate/crate-operator/Chart.lock b/charts/crate/crate-operator/Chart.lock index 5a47f219e..802d30819 100644 --- a/charts/crate/crate-operator/Chart.lock +++ b/charts/crate/crate-operator/Chart.lock 
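Review bot: In the new `{{- else }}` branch, `name`, `kind` and `group` are rendered straight from `.Values.tls.certs.certManagerIssuer` with no guard, so when `isSelfSignedIssuer` is false and any of them is unset the Certificate is rendered with an empty `issuerRef` field and the mistake surfaces only when cert-manager rejects or mis-resolves the object, rather than at template time. Use `required` so the render fails with a clear message: `name: {{ required "tls.certs.certManagerIssuer.name is required when isSelfSignedIssuer is false" .Values.tls.certs.certManagerIssuer.name }}`, and likewise for `kind` and `group`. The identical branch is added to certificate.node.yaml in the next hunk and needs the same guard. The values.yaml hunk in this commit only bumps `image.tag`, so I could not confirm from the page that defaults for `certManagerIssuer.*` are declared anywhere.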
@@ -1,6 +1,6 @@ dependencies: - name: crate-operator-crds repository: file://../crate-operator-crds - version: 2.33.0 -digest: sha256:0507220f505b512b4b89c7ddbc8370c161c39683c70def1bea8640b8f532bd17 -generated: "2023-11-14T13:35:09.491416868Z" + version: 2.34.1 +digest: sha256:0f7e12bb95a87abed37e5678525884718f7972e69b67bea83a249db4d2cdbf46 +generated: "2024-02-06T09:17:36.915752993Z" diff --git a/charts/crate/crate-operator/Chart.yaml b/charts/crate/crate-operator/Chart.yaml index cf4500950..04aacb0ca 100644 --- a/charts/crate/crate-operator/Chart.yaml +++ b/charts/crate/crate-operator/Chart.yaml @@ -3,16 +3,16 @@ annotations: catalog.cattle.io/display-name: CrateDB Operator catalog.cattle.io/release-name: crate-operator apiVersion: v2 -appVersion: 2.33.0 +appVersion: 2.34.1 dependencies: - condition: crate-operator-crds.enabled name: crate-operator-crds repository: file://./charts/crate-operator-crds - version: 2.33.0 + version: 2.34.1 description: Crate Operator - Helm chart for installing and upgrading Crate Operator. icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg maintainers: - name: Crate.io name: crate-operator type: application -version: 2.33.0 +version: 2.34.1 diff --git a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml index f54ecc8f7..010a95175 100644 --- a/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml +++ b/charts/crate/crate-operator/charts/crate-operator-crds/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: 2.33.0 +appVersion: 2.34.1 description: Crate Operator CRDs - Helm chart for installing and upgrading Custom Resource Definitions (CRDs) for the Crate Operator. maintainers: - name: Crate.io name: crate-operator-crds type: application -version: 2.33.0 +version: 2.34.1 
diff --git a/charts/crate/crate-operator/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml b/charts/crate/crate-operator/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml index bab1d2792..575073b9c 100644 --- a/charts/crate/crate-operator/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml +++ b/charts/crate/crate-operator/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml @@ -415,6 +415,28 @@ spec: - name - version type: object + grandCentral: + properties: + backendImage: + description: The image of the grand central backend. + type: string + backendEnabled: + description: Flag indicating whether grand central backend is + deployed for this cluster. + type: boolean + jwkUrl: + description: The endpoint to retrieve the list of JWK public keys + used for verifying JWT tokens. + type: string + apiUrl: + description: The CrateDB Cloud API URL. + type: string + required: + - backendImage + - jwkUrl + - apiUrl + - backendEnabled + type: object nodes: properties: data: diff --git a/charts/crate/crate-operator/templates/rbac.yaml b/charts/crate/crate-operator/templates/rbac.yaml index 79e8617ce..695834939 100644 --- a/charts/crate/crate-operator/templates/rbac.yaml +++ b/charts/crate/crate-operator/templates/rbac.yaml @@ -31,11 +31,13 @@ rules: - apps - batch - policy + - networking.k8s.io resources: - configmaps - cronjobs - jobs - deployments + - ingresses - namespaces - persistentvolumeclaims - persistentvolumes diff --git a/charts/crowdstrike/falcon-sensor/Chart.yaml b/charts/crowdstrike/falcon-sensor/Chart.yaml index 284a33a8d..f1b2ee3d0 100644 --- a/charts/crowdstrike/falcon-sensor/Chart.yaml +++ b/charts/crowdstrike/falcon-sensor/Chart.yaml 
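Review bot: The new `grandCentral.jwkUrl` property is declared as a bare `type: string` even though its description says the keys fetched from it are used to verify JWT tokens, which makes it the trust anchor for authentication; a mistyped or plaintext `http://` URL is accepted by the API server unchanged and the problem only shows up at runtime. Constrain it in the schema, e.g. `pattern: '^https://'` alongside `type: string` (and `format: uri` where your tooling honours it), and consider the same for `apiUrl`. The enclosing `properties` block of this CRD starts and ends outside the hunk.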
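Review bot: `networking.k8s.io` is appended to the `apiGroups` list and `ingresses` to the `resources` list of the same RBAC rule, but a rule grants the cross product of its groups, resources and verbs, so every verb of this rule — the `verbs` list is outside the hunk — now applies to Ingresses, and the rule also nominally covers the other listed resources under `networking.k8s.io`. If the operator only needs to manage its own Ingress objects, give them a dedicated rule with the smallest verb set it actually uses, e.g. `- apiGroups: [networking.k8s.io]` / `resources: [ingresses]` / `verbs: [get, list, watch, create, update, patch, delete]` trimmed to what the controller calls (example list, constructed). The `rules:` entry this hunk edits begins before the hunk.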
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>1.22.0-0' catalog.cattle.io/release-name: falcon-sensor apiVersion: v2 -appVersion: 1.24.1 +appVersion: 1.25.2 description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes clusters. home: https://crowdstrike.com icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg @@ -24,4 +24,4 @@ name: falcon-sensor sources: - https://github.com/CrowdStrike/falcon-helm type: application -version: 1.24.1 +version: 1.25.2 diff --git a/charts/crowdstrike/falcon-sensor/templates/clusterrolebinding.yaml b/charts/crowdstrike/falcon-sensor/templates/clusterrolebinding.yaml index aa995d309..77ff998f5 100644 --- a/charts/crowdstrike/falcon-sensor/templates/clusterrolebinding.yaml +++ b/charts/crowdstrike/falcon-sensor/templates/clusterrolebinding.yaml @@ -12,11 +12,6 @@ metadata: crowdstrike.com/provider: crowdstrike helm.sh/chart: {{ include "falcon-sensor.chart" . }} subjects: -{{- if .Values.container.enabled }} -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated -{{- end }} - kind: ServiceAccount name: {{ .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} diff --git a/charts/crowdstrike/falcon-sensor/templates/tests/test-cluster-permissions.yaml b/charts/crowdstrike/falcon-sensor/templates/tests/test-cluster-permissions.yaml index c4251387b..34896aa3a 100644 --- a/charts/crowdstrike/falcon-sensor/templates/tests/test-cluster-permissions.yaml +++ b/charts/crowdstrike/falcon-sensor/templates/tests/test-cluster-permissions.yaml @@ -25,11 +25,6 @@ metadata: labels: {{- include "falcon-sensor.labels" . | nindent 4 }} subjects: -{{- if .Values.container.enabled }} -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated -{{- end }} - kind: ServiceAccount name: {{ .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} 
diff --git a/charts/datadog/datadog/CHANGELOG.md b/charts/datadog/datadog/CHANGELOG.md index 3adfbaffb..b3d4fa869 100644 --- a/charts/datadog/datadog/CHANGELOG.md +++ b/charts/datadog/datadog/CHANGELOG.md @@ -1,5 +1,21 @@ # Datadog changelog +## 3.53.3 + +* Update `fips.image.tag` to `1.1.1` + +## 3.53.2 + +* Exclude agent pod from labels injection from the admission controller + +## 3.53.1 + +* Update `fips.image.tag` to `1.1.0` + +## 3.53.0 + +* Add `otlp.logs.enabled` option to datadog agent to set the `DD_OTLP_CONFIG_LOGS_ENABLED` env variable. + ## 3.52.0 * Allow configuring CWS security profile features and enable drift events by default diff --git a/charts/datadog/datadog/Chart.yaml b/charts/datadog/datadog/Chart.yaml index a769d1deb..c0dda0d7b 100644 --- a/charts/datadog/datadog/Chart.yaml +++ b/charts/datadog/datadog/Chart.yaml @@ -19,4 +19,4 @@ name: datadog sources: - https://app.datadoghq.com/account/settings#agent/kubernetes - https://github.com/DataDog/datadog-agent -version: 3.52.0 +version: 3.53.3 diff --git a/charts/datadog/datadog/README.md b/charts/datadog/datadog/README.md index c2076ce60..450c918b1 100644 --- a/charts/datadog/datadog/README.md +++ b/charts/datadog/datadog/README.md 
@@ -1,6 +1,6 @@ # Datadog -![Version: 3.52.0](https://img.shields.io/badge/Version-3.52.0-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) +![Version: 3.53.3](https://img.shields.io/badge/Version-3.53.3-informational?style=flat-square) ![AppVersion: 7](https://img.shields.io/badge/AppVersion-7-informational?style=flat-square) [Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/). @@ -743,6 +743,7 @@ helm install \ | datadog.orchestratorExplorer.customResources | list | `[]` | Defines custom resources for the orchestrator explorer to collect | | datadog.orchestratorExplorer.enabled | bool | `true` | Set this to false to disable the orchestrator explorer | | datadog.osReleasePath | string | `"/etc/os-release"` | Specify the path to your os-release file | +| datadog.otlp.logs.enabled | bool | `false` | Enable logs support in the OTLP ingest endpoint | | datadog.otlp.receiver.protocols.grpc.enabled | bool | `false` | Enable the OTLP/gRPC endpoint | | datadog.otlp.receiver.protocols.grpc.endpoint | string | `"0.0.0.0:4317"` | OTLP/gRPC endpoint | | datadog.otlp.receiver.protocols.grpc.useHostPort | bool | `true` | Enable the Host Port for the OTLP/gRPC endpoint | 
@@ -818,7 +819,7 @@ helm install \ | fips.image.name | string | `"fips-proxy"` | | | fips.image.pullPolicy | string | `"IfNotPresent"` | Datadog the FIPS sidecar image pull policy | | fips.image.repository | string | `nil` | Override default registry + image.name for the FIPS sidecar container. | -| fips.image.tag | string | `"1.0.1"` | Define the FIPS sidecar container version to use. | +| fips.image.tag | string | `"1.1.1"` | Define the FIPS sidecar container version to use. | | fips.local_address | string | `"127.0.0.1"` | Set local IP address | | fips.port | int | `9803` | Specifies which port is used by the containers to communicate to the FIPS sidecar. | | fips.portRange | int | `15` | Specifies the number of ports used, defaults to 13 https://github.com/DataDog/datadog-agent/blob/7.44.x/pkg/config/config.go#L1564-L1577 | diff --git a/charts/datadog/datadog/templates/_containers-common-env.yaml b/charts/datadog/datadog/templates/_containers-common-env.yaml index 50f70e8a8..dfb27ea2d 100644 --- a/charts/datadog/datadog/templates/_containers-common-env.yaml +++ b/charts/datadog/datadog/templates/_containers-common-env.yaml @@ -70,6 +70,7 @@ value: {{ .Values.datadog.containerExcludeLogs | quote }} {{- end }} {{- if .Values.datadog.otlp }} + {{- if .Values.datadog.otlp.receiver }} {{- if .Values.datadog.otlp.receiver.protocols }} {{- with .Values.datadog.otlp.receiver.protocols }} @@ -87,6 +88,12 @@ {{- end }} {{- end }} {{- end }} + +{{- with .Values.datadog.otlp.logs }} +- name: DD_OTLP_CONFIG_LOGS_ENABLED + value: {{ .enabled | quote }} +{{- end }} + {{- end }} {{- if eq (include "agent-has-env-ad" .) "true" }} {{- if .Values.datadog.dockerSocketPath }} diff --git a/charts/datadog/datadog/templates/daemonset.yaml b/charts/datadog/datadog/templates/daemonset.yaml index 4eced384e..5aba67ff2 100644 --- a/charts/datadog/datadog/templates/daemonset.yaml +++ b/charts/datadog/datadog/templates/daemonset.yaml 
@@ -9,6 +9,7 @@ metadata: labels: {{ include "datadog.labels" . | indent 4 }} app.kubernetes.io/component: agent + admission.datadoghq.com/enabled: "false" {{- if .Values.agents.additionalLabels }} {{ toYaml .Values.agents.additionalLabels | indent 4 }} {{- end }} diff --git a/charts/datadog/datadog/values.yaml b/charts/datadog/datadog/values.yaml index 40b116eda..dc79456f2 100644 --- a/charts/datadog/datadog/values.yaml +++ b/charts/datadog/datadog/values.yaml @@ -500,6 +500,9 @@ datadog: endpoint: "0.0.0.0:4318" # datadog.otlp.receiver.protocols.http.useHostPort -- Enable the Host Port for the OTLP/HTTP endpoint useHostPort: true + logs: + # datadog.otlp.logs.enabled -- Enable logs support in the OTLP ingest endpoint + enabled: false # datadog.envFrom -- Set environment variables for all Agents directly from configMaps and/or secrets @@ -1269,7 +1272,7 @@ fips: name: fips-proxy # fips.image.tag -- Define the FIPS sidecar container version to use. - tag: 1.0.1 + tag: 1.1.1 # fips.image.pullPolicy -- Datadog the FIPS sidecar image pull policy pullPolicy: IfNotPresent diff --git a/charts/dell/csi-isilon/Chart.yaml b/charts/dell/csi-isilon/Chart.yaml index 7e846b8a1..c1cdaa6f4 100644 --- a/charts/dell/csi-isilon/Chart.yaml +++ b/charts/dell/csi-isilon/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' catalog.cattle.io/release-name: isilon apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.9.1 description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as an Isilon StorageClass. ' @@ -19,4 +19,4 @@ name: csi-isilon sources: - https://github.com/dell/csi-isilon type: application -version: 2.9.0 +version: 2.9.1 diff --git a/charts/dell/csi-isilon/templates/controller.yaml b/charts/dell/csi-isilon/templates/controller.yaml index 3c279baaf..8466a8131 100644 --- a/charts/dell/csi-isilon/templates/controller.yaml 
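Review bot: The new `admission.datadoghq.com/enabled: "false"` label lands under the DaemonSet's own `metadata.labels` (the hunk context is `metadata:` at line 9), not under `spec.template.metadata.labels`; if the admission webhook's object selector matches pod labels rather than the owning DaemonSet, the Agent pods themselves remain eligible for mutation. Only one hunk of daemonset.yaml is in the diff, so whether the pod template picks the label up elsewhere cannot be seen here — if it does not, the same line should be added to the pod template labels as well. A short comment stating the intent would also help, e.g. `# opt the Agent's own pods out of the Datadog admission controller`.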
+++ b/charts/dell/csi-isilon/templates/controller.yaml @@ -423,18 +423,6 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-isilon" ] args: - - "--leader-election" - {{- if hasKey .Values.controller "leaderElection" }} - {{- if hasKey .Values.controller.leaderElection "leaderElectionRenewDeadline" }} - - "--leader-election-renew-deadline={{ .Values.controller.leaderElection.leaderElectionRenewDeadline }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-lease-duration={{ .Values.controller.leaderElection.leaderElectionLeaseDuration }}" - {{end}} - {{- if hasKey .Values.controller.leaderElection "leaderElectionLeaseDuration" }} - - "--leader-election-retry-period={{ .Values.controller.leaderElection.leaderElectionRetryPeriod }}" - {{end}} - {{end}} - "--driver-config-params=/csi-isilon-config-params/driver-config-params.yaml" env: - name: CSI_ENDPOINT diff --git a/charts/dell/csi-isilon/values.yaml b/charts/dell/csi-isilon/values.yaml index 15b204765..4b0abe3f5 100644 --- a/charts/dell/csi-isilon/values.yaml +++ b/charts/dell/csi-isilon/values.yaml @@ -2,11 +2,11 @@ ######################## # version: version of this values file # Note: Do not change this value -version: "v2.9.0" +version: "v2.9.1" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-isilon:v2.9.0 + driver: dellemc/csi-isilon:v2.9.1 # CSI sidecars attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 
@@ -16,10 +16,10 @@ images: healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.0 - podmon: dellemc/podmon:v1.8.0 - authorization: dellemc/csm-authorization-sidecar:v1.9.0 - metadataretriever: dellemc/csi-metadata-retriever:v1.4.0 + replication: dellemc/dell-csi-replicator:v1.7.1 + podmon: dellemc/podmon:v1.8.1 + authorization: dellemc/csm-authorization-sidecar:v1.9.1 + metadataretriever: dellemc/csi-metadata-retriever:v1.6.1 encryption: dellemc/csm-encryption:v0.3.0 # CSI driver log level diff --git a/charts/dell/csi-powermax/Chart.yaml b/charts/dell/csi-powermax/Chart.yaml index ee71890f3..e34197fcf 100644 --- a/charts/dell/csi-powermax/Chart.yaml +++ b/charts/dell/csi-powermax/Chart.yaml @@ -4,12 +4,12 @@ annotations: catalog.cattle.io/kube-version: '>= 1.23.0 < 1.29.0' catalog.cattle.io/release-name: csi-powermax apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.9.1 dependencies: - condition: required name: csireverseproxy repository: file://./charts/csireverseproxy - version: 2.8.0 + version: 2.8.1 description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerMax StorageClass. ' @@ -25,4 +25,4 @@ name: csi-powermax sources: - https://github.com/dell/csi-powermax type: application -version: 2.9.0 +version: 2.9.1 diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml index ce730d887..341b4f716 100644 --- a/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml +++ b/charts/dell/csi-powermax/charts/csireverseproxy/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 -appVersion: 2.8.0 +appVersion: 2.8.1 description: A Helm chart for CSI PowerMax ReverseProxy name: csireverseproxy type: application -version: 2.8.0 +version: 2.8.1 
diff --git a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml index bdfc36fae..5afbc2adb 100644 --- a/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml +++ b/charts/dell/csi-powermax/charts/csireverseproxy/values.yaml @@ -1,4 +1,4 @@ -image: dellemc/csipowermax-reverseproxy:v2.8.0 +image: dellemc/csipowermax-reverseproxy:v2.8.1 port: 2222 # TLS secret which is used for setting up the proxy HTTPS server diff --git a/charts/dell/csi-powermax/templates/controller.yaml b/charts/dell/csi-powermax/templates/controller.yaml index 12d6b2da6..9ff4308d4 100644 --- a/charts/dell/csi-powermax/templates/controller.yaml +++ b/charts/dell/csi-powermax/templates/controller.yaml @@ -358,8 +358,6 @@ spec: image: {{ required "Must provide the PowerMax driver image repository." .Values.images.driver }} imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-powermax.sh" ] - args: - - "--leader-election" env: {{- $_ := first .Values.global.storageArrays }} {{- $arraysStr := "" }} @@ -473,7 +471,7 @@ spec: - name: X_CSI_REVPROXY_WATCH_NAMESPACE value: {{ .Release.Namespace }} - name: X_CSI_REVPROXY_IS_LEADER_ENABLED - value: "true" + value: "false" volumeMounts: - name: configmap-volume mountPath: /etc/config/configmap diff --git a/charts/dell/csi-powermax/values.yaml b/charts/dell/csi-powermax/values.yaml index f2a3de106..117dc70c9 100644 --- a/charts/dell/csi-powermax/values.yaml +++ b/charts/dell/csi-powermax/values.yaml 
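Review bot: `X_CSI_REVPROXY_IS_LEADER_ENABLED` is flipped to a hard-coded `"false"` with nothing in the hunk explaining why the reverse proxy no longer needs leader election; if the controller Deployment can run more than one replica (its `replicas` setting is outside this hunk), every replica's proxy now runs uncoordinated against the same Unisphere config, which is only safe if that work is idempotent. A comment next to the value such as `# leader election disabled in v2.9.1 — TODO confirm behaviour with controller replicas > 1` would record the assumption, and exposing the value through values.yaml rather than hard-coding it would let operators revert it if they see contention. The container spec this env belongs to continues outside the hunk.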
@@ -48,14 +48,14 @@ global: # Current version of the driver # Don't modify this value as this value will be used by the install script -version: "v2.9.0" +version: "v2.9.1" # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powermax:v2.9.0 - csireverseproxy: dellemc/csipowermax-reverseproxy:v2.8.0 + driver: dellemc/csi-powermax:v2.9.1 + csireverseproxy: dellemc/csipowermax-reverseproxy:v2.8.1 # CSI sidecars attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 @@ -64,8 +64,8 @@ images: registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.0 - authorization: dellemc/csm-authorization-sidecar:v1.9.0 + replication: dellemc/dell-csi-replicator:v1.7.1 + authorization: dellemc/csm-authorization-sidecar:v1.9.1 migration: dellemc/dell-csi-migrator:v1.3.0 # Node rescan sidecar does a rescan on nodes for identifying new paths # Default value: dellemc/dell-csi-node-rescanner:v1.0.1 diff --git a/charts/dell/csi-powerstore/Chart.yaml b/charts/dell/csi-powerstore/Chart.yaml index b67ebc688..59e29cbf0 100644 --- a/charts/dell/csi-powerstore/Chart.yaml +++ b/charts/dell/csi-powerstore/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' catalog.cattle.io/release-name: powerstore apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.9.1 description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a PowerStore StorageClass. ' 
@@ -20,4 +20,4 @@ name: csi-powerstore sources: - https://github.com/dell/csi-powerstore type: application -version: 2.9.0 +version: 2.9.1 diff --git a/charts/dell/csi-powerstore/values.yaml b/charts/dell/csi-powerstore/values.yaml index 4843fe5ee..500e3333d 100644 --- a/charts/dell/csi-powerstore/values.yaml +++ b/charts/dell/csi-powerstore/values.yaml @@ -23,13 +23,13 @@ driverName: "csi-powerstore.dellemc.com" # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.9.0 +version: v2.9.1 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-powerstore:v2.9.0 + driver: dellemc/csi-powerstore:v2.9.1 # CSI sidecars attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 @@ -39,10 +39,10 @@ images: healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.0 + replication: dellemc/dell-csi-replicator:v1.7.1 vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 - podmon: dellemc/podmon:v1.8.0 - metadataretriever: dellemc/csi-metadata-retriever:v1.6.0 + podmon: dellemc/podmon:v1.8.1 + metadataretriever: dellemc/csi-metadata-retriever:v1.6.1 # Specify kubelet config dir path. # Ensure that the config.yaml file is present at this path. diff --git a/charts/dell/csi-unity/Chart.yaml b/charts/dell/csi-unity/Chart.yaml index 9c393792e..b9b63b1b3 100644 --- a/charts/dell/csi-unity/Chart.yaml +++ b/charts/dell/csi-unity/Chart.yaml 
@@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' catalog.cattle.io/release-name: unity apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.9.1 description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a Unity XT StorageClass. ' @@ -19,4 +19,4 @@ name: csi-unity sources: - https://github.com/dell/csi-unity type: application -version: 2.9.0 +version: 2.9.1 diff --git a/charts/dell/csi-unity/templates/controller.yaml b/charts/dell/csi-unity/templates/controller.yaml index 1f3e2220c..84b64b056 100644 --- a/charts/dell/csi-unity/templates/controller.yaml +++ b/charts/dell/csi-unity/templates/controller.yaml @@ -279,7 +279,6 @@ spec: - "--driver-name=csi-unity.dellemc.com" - "--driver-config=/unity-config/driver-config-params.yaml" - "--driver-secret=/unity-secret/config" - - "--leader-election" imagePullPolicy: {{ .Values.imagePullPolicy }} env: - name: CSI_ENDPOINT diff --git a/charts/dell/csi-unity/values.yaml b/charts/dell/csi-unity/values.yaml index c311a19f4..f5da26015 100644 --- a/charts/dell/csi-unity/values.yaml +++ b/charts/dell/csi-unity/values.yaml @@ -3,12 +3,12 @@ # version: version of this values file # Note: Do not change this value -# Examples : "v2.9.0" , "nightly" -version: "v2.9.0" +# Examples : "v2.9.1" , "nightly" +version: "v2.9.1" images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-unity:v2.9.0 + driver: dellemc/csi-unity:v2.9.1 # CSI sidecars attacher: registry.k8s.io/sig-storage/csi-attacher:v4.4.2 provisioner: registry.k8s.io/sig-storage/csi-provisioner:v3.6.2 
@@ -18,7 +18,7 @@ images: healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 # CSM sidecars - podmon: dellemc/podmon:v1.8.0 + podmon: dellemc/podmon:v1.8.1 # LogLevel is used to set the logging level of the driver. # Allowed values: "error", "warn"/"warning", "info", "debug" diff --git a/charts/dell/csi-vxflexos/Chart.yaml b/charts/dell/csi-vxflexos/Chart.yaml index b31c7326a..640eae0a2 100644 --- a/charts/dell/csi-vxflexos/Chart.yaml +++ b/charts/dell/csi-vxflexos/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/namespace: vxflexos catalog.cattle.io/release-name: vxflexos apiVersion: v2 -appVersion: 2.9.0 +appVersion: 2.9.1 description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. This chart includes everything required to provision via CSI as well as a VxFlex OS StorageClass. ' @@ -19,4 +19,4 @@ maintainers: name: csi-vxflexos sources: - https://github.com/dell/csi-vxflexos -version: 2.9.0 +version: 2.9.1 diff --git a/charts/dell/csi-vxflexos/templates/controller.yaml b/charts/dell/csi-vxflexos/templates/controller.yaml index d308cc00a..a456049e0 100644 --- a/charts/dell/csi-vxflexos/templates/controller.yaml +++ b/charts/dell/csi-vxflexos/templates/controller.yaml @@ -394,7 +394,6 @@ spec: imagePullPolicy: {{ .Values.imagePullPolicy }} command: [ "/csi-vxflexos.sh" ] args: - - "--leader-election" - "--array-config=/vxflexos-config/config" - "--driver-config-params=/vxflexos-config-params/driver-config-params.yaml" env: diff --git a/charts/dell/csi-vxflexos/values.yaml b/charts/dell/csi-vxflexos/values.yaml index 7cfab7be5..94fcfbc04 100644 --- a/charts/dell/csi-vxflexos/values.yaml +++ b/charts/dell/csi-vxflexos/values.yaml 
@@ -3,14 +3,14 @@ # "version" is used to verify the values file matches driver version # Not recommend to change -version: v2.9.0 +version: v2.9.1 # "images" defines every container images used for the driver and its sidecars. # To use your own images, or a private registry, change the values here. images: # "driver" defines the container image, used for the driver container. - driver: dellemc/csi-vxflexos:v2.9.0 + driver: dellemc/csi-vxflexos:v2.9.1 # "powerflexSdc" defines the SDC image for init container. powerflexSdc: dellemc/sdc:4.5 # CSI sidecars @@ -21,10 +21,10 @@ images: registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.9.1 healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.10.0 # CSM sidecars - replication: dellemc/dell-csi-replicator:v1.7.0 + replication: dellemc/dell-csi-replicator:v1.7.1 vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.4.0 - podmon: dellemc/podmon:v1.8.0 - authorization: dellemc/csm-authorization-sidecar:v1.9.0 + podmon: dellemc/podmon:v1.8.1 + authorization: dellemc/csm-authorization-sidecar:v1.9.1 # Represents number of certificate secrets, which user is going to create for ssl authentication. (vxflexos-cert-0..vxflexos-cert-n) # If user does not use certificate, set to 0 diff --git a/charts/dh2i/dxemssql/.helmignore b/charts/dh2i/dxemssql/.helmignore index 0e8a0eb36..f82e96d46 100644 --- a/charts/dh2i/dxemssql/.helmignore +++ b/charts/dh2i/dxemssql/.helmignore 
@@ -1,23 +1,23 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/dh2i/dxemssql/Chart.yaml b/charts/dh2i/dxemssql/Chart.yaml index 7a374fe29..c0f27125e 100644 --- a/charts/dh2i/dxemssql/Chart.yaml +++ b/charts/dh2i/dxemssql/Chart.yaml @@ -5,7 +5,7 @@ annotations: catalog.cattle.io/release-name: dxemssql charts.openshift.io/name: DxEnterprise for Microsoft SQL AG apiVersion: v2 -appVersion: "22.0" +appVersion: "23.0" description: Helm chart for DH2i's DxEnterprise clustering solution with SQL Server availability groups icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png @@ -16,4 +16,4 @@ maintainers: url: https://dh2i.com name: dxemssql type: application -version: 1.0.4 +version: 1.0.5 diff --git a/charts/dh2i/dxemssql/README.md b/charts/dh2i/dxemssql/README.md index 813228eb6..7c0e7f527 100644 --- a/charts/dh2i/dxemssql/README.md +++ b/charts/dh2i/dxemssql/README.md 
@@ -1,15 +1,15 @@ -# DxEnterprise for Microsoft SQL AG - -This chart deploys a SQL Server availability group managed by DxEnterprise clustering technology. - -## Prerequisites - -- A secret on your Kubernetes cluster that contains SQL Server credentials (`MSSQL_SA_PASSWORD`) and your DxEnterprise cluster password (`DX_PASSKEY`) -- A DxEnterprise license key with availability group management features and tunnels enabled -- Optional: DxAdmin installed on a Windows machine. Installation instructions for DxAdmin can be found in [DH2i documentation](https://support.dh2i.com/docs/v22.0/guides/dxenterprise/installation/dxadmin-qsg) - -# Additional Information - -Instructions for creating this chart using Rancher can be found in the [DxEnterprise Rancher guide](https://support.dh2i.com/docs/v22.0/guides/dxenterprise/containers/kubernetes/mssql-ag-rancher#install-the-helm-chart), and additional DxEnterprise Kubernetes documentation can be found [here](https://support.dh2i.com/docs/v22.0/category/guides/dxenterprise/containers/kubernetes/). - -Before creating an availability group, reference SQL Server's [quorum considerations](https://support.dh2i.com/docs/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups) when determining the quantity of replicas to deploy. +# DxEnterprise for Microsoft SQL AG + +This chart deploys a SQL Server availability group managed by DxEnterprise clustering technology. + +## Prerequisites + +- A secret on your Kubernetes cluster that contains SQL Server credentials (`MSSQL_SA_PASSWORD`) and your DxEnterprise cluster password (`DX_PASSKEY`) +- A DxEnterprise license key with availability group management features and tunnels enabled +- Optional: DxAdmin installed on a Windows machine. 
Installation instructions for DxAdmin can be found in [DH2i documentation](https://support.dh2i.com/docs/v22.0/guides/dxenterprise/installation/dxadmin-qsg) + +# Additional Information + +Instructions for creating this chart using Rancher can be found in the [DxEnterprise Rancher guide](https://support.dh2i.com/docs/v22.0/guides/dxenterprise/containers/kubernetes/mssql-ag-rancher#install-the-helm-chart), and additional DxEnterprise Kubernetes documentation can be found [here](https://support.dh2i.com/docs/v22.0/guides/dxenterprise/containers/kubernetes). + +Before creating an availability group, reference SQL Server's [quorum considerations](https://support.dh2i.com/docs/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups) when determining the quantity of replicas to deploy. diff --git a/charts/dh2i/dxemssql/app-readme.md b/charts/dh2i/dxemssql/app-readme.md index 2821f95a4..2996119d4 100644 --- a/charts/dh2i/dxemssql/app-readme.md +++ b/charts/dh2i/dxemssql/app-readme.md 
@@ -1,8 +1,8 @@ -# Availability Groups With DxEnterprise - -DxEnterprise (DxE) uses Microsoft SQL Server Availability Groups clustering technology to dramatically reduce the complexity of configuring and managing highly available SQL Server AGs. DxEnterprise makes AGs highly available within containers without relying on WSFC or any other cumbersome and restrictive cluster orchestration technologies, while also providing advanced fault detection and failover automation to minimize outages for SQL Server databases, helping customers achieve nearest-to-zero total downtime. DxEnterprise AGs enable cross-network failover without opening external ports or the use of virtual private networks (VPNs), enabling simplified cross-network, cross-zone, and cross-region clusters. - -- SDP-enhanced highly available SQL Server Availability Groups -- Realtime health detection and automatic failover -- Discreet and secure networking across AG nodes in separate sites, regions, or clouds - without a VPN -- Management simplicity and minimal complexity +# Availability Groups With DxEnterprise + +DxEnterprise (DxE) uses Microsoft SQL Server Availability Groups clustering technology to dramatically reduce the complexity of configuring and managing highly available SQL Server AGs. DxEnterprise makes AGs highly available within containers without relying on WSFC or any other cumbersome and restrictive cluster orchestration technologies, while also providing advanced fault detection and failover automation to minimize outages for SQL Server databases, helping customers achieve nearest-to-zero total downtime. DxEnterprise AGs enable cross-network failover without opening external ports or the use of virtual private networks (VPNs), enabling simplified cross-network, cross-zone, and cross-region clusters. 
+ +- SDP-enhanced highly available SQL Server Availability Groups +- Realtime health detection and automatic failover +- Discreet and secure networking across AG nodes in separate sites, regions, or clouds - without a VPN +- Management simplicity and minimal complexity diff --git a/charts/dh2i/dxemssql/questions.yml b/charts/dh2i/dxemssql/questions.yml index 431aa1aa3..b56fbe432 100644 --- a/charts/dh2i/dxemssql/questions.yml +++ b/charts/dh2i/dxemssql/questions.yml 
@@ -1,116 +1,116 @@ -questions: -- variable: replicas - label: "Replicas" - type: int - description: "The quantity of replicas (pods) to create. Note that setting the replica quantity to a value less than 3 does not meet Microsoft's quorum requirements for HA. Only set this value below 3 if you intend to add these replicas to an existing AG." - default: 3 - required: true - group: General -- variable: secretKeys - label: "Kubernetes Secret" - type: secret - description: "The name of the Kubernetes Secret to use for the MSSQL_SA_PASSWORD, DX_PASSKEY, and (optionally) DX_OTPK." - required: true - group: General -- variable: enableLoadBalancers - label: "Enable External Load Balancers" - type: string - description: "Enable or disable automatic provisioning of an external load balancer for each replica in the StatefulSet." - required: true - group: General -- variable: DX_LICENSE - label: "License Key" - type: string - description: "The license key for DxEnterprise." - required: true - group: "DxEnterprise" -- variable: DX_ACCEPT_EULA - label: "Accept EULA" - type: enum - default: "N" - description: "Accept the terms of the DxEnterprise license agreement. For more information, visit http://support.dh2i.com/docs/other/eula." - required: true - group: "DxEnterprise" - options: - - "Y" - - "N" -- variable: DX_VHOST_NAME - label: "Vhost Name" - type: string - description: "The name of the Vhost that the availability group will be created under." - default: "VHOST1" - group: "DxEnterprise" -- variable: DX_AG_NAME - label: "Availability Group Name" - type: string - description: "The name that will be given to the availability group." - default: "AG1" - group: "DxEnterprise" -- variable: DX_AG_OPTIONS - label: "Availability Group Options" - type: string - description: "Additional availability group options to apply during AG creation." 
- group: "DxEnterprise" -- variable: DX_NEW_CLUSTER - label: "Create a New Cluster" - type: string - description: "Whether or not to create a new DxEnterprise cluster, or join an existing one using the provided One-Time Passkey." - default: "true" - group: "DxEnterprise" -- variable: dxeImage.repository - label: "Repository" - type: string - description: "The repository to pull the DxEnterprise image from." - default: "dh2i/dxe" - group: "DxEnterprise" - subquestions: - - variable: dxeImage.pullPolicy - label: "Pull Policy" - type: string - description: "The pull policy for the DxEnterprise image." - default: "Always" - group: "DxEnterprise" - - variable: dxeImage.tag - label: "Image Tag" - type: string - description: "The tag to use for the DxEnterprise image." - default: "latest" - group: "DxEnterprise" - -- variable: MSSQL_PID - label: Edition - type: string - description: "The SQL Server edition (PID)." - required: true - default: Developer - group: "SQL Server" -- variable: ACCEPT_EULA - label: "Accept EULA" - type: enum - default: "N" - description: "Accept the terms of the SQL Server EULA." - required: true - group: "SQL Server" - options: - - "Y" - - "N" -- variable: sqlImage.repository - label: "Repository" - type: string - description: "The repository to pull the SQL Server image from." - default: "mcr.microsoft.com/mssql/server" - group: "SQL Server" - subquestions: - - variable: sqlImage.pullPolicy - label: "Pull Policy" - type: string - description: "The pull policy for the SQL Server image." - default: "Always" - group: "SQL Server" - - variable: sqlImage.tag - label: "Image Tag" - type: string - description: "The tag to use for the SQL Server image." - default: "2022-latest" - group: "SQL Server" +questions: +- variable: replicas + label: "Replicas" + type: int + description: "The quantity of replicas (pods) to create. Note that setting the replica quantity to a value less than 3 does not meet Microsoft's quorum requirements for HA. 
Only set this value below 3 if you intend to add these replicas to an existing AG." + default: 3 + required: true + group: General +- variable: secretKeys + label: "Kubernetes Secret" + type: secret + description: "The name of the Kubernetes Secret to use for the MSSQL_SA_PASSWORD, DX_PASSKEY, and (optionally) DX_OTPK." + required: true + group: General +- variable: enableLoadBalancers + label: "Enable External Load Balancers" + type: string + description: "Enable or disable automatic provisioning of an external load balancer for each replica in the StatefulSet." + required: true + group: General +- variable: DX_LICENSE + label: "License Key" + type: string + description: "The license key for DxEnterprise." + required: true + group: "DxEnterprise" +- variable: DX_ACCEPT_EULA + label: "Accept EULA" + type: enum + default: "N" + description: "Accept the terms of the DxEnterprise license agreement. For more information, visit http://support.dh2i.com/docs/other/eula." + required: true + group: "DxEnterprise" + options: + - "Y" + - "N" +- variable: DX_VHOST_NAME + label: "Vhost Name" + type: string + description: "The name of the Vhost that the availability group will be created under." + default: "VHOST1" + group: "DxEnterprise" +- variable: DX_AG_NAME + label: "Availability Group Name" + type: string + description: "The name that will be given to the availability group." + default: "AG1" + group: "DxEnterprise" +- variable: DX_AG_OPTIONS + label: "Availability Group Options" + type: string + description: "Additional availability group options to apply during AG creation." + group: "DxEnterprise" +- variable: DX_NEW_CLUSTER + label: "Create a New Cluster" + type: string + description: "Whether or not to create a new DxEnterprise cluster, or join an existing one using the provided One-Time Passkey." 
+ default: "true" + group: "DxEnterprise" +- variable: dxeImage.repository + label: "Repository" + type: string + description: "The repository to pull the DxEnterprise image from." + default: "dh2i/dxe" + group: "DxEnterprise" + subquestions: + - variable: dxeImage.pullPolicy + label: "Pull Policy" + type: string + description: "The pull policy for the DxEnterprise image." + default: "Always" + group: "DxEnterprise" + - variable: dxeImage.tag + label: "Image Tag" + type: string + description: "The tag to use for the DxEnterprise image." + default: "latest" + group: "DxEnterprise" + +- variable: MSSQL_PID + label: Edition + type: string + description: "The SQL Server edition (PID)." + required: true + default: Developer + group: "SQL Server" +- variable: ACCEPT_EULA + label: "Accept EULA" + type: enum + default: "N" + description: "Accept the terms of the SQL Server EULA." + required: true + group: "SQL Server" + options: + - "Y" + - "N" +- variable: sqlImage.repository + label: "Repository" + type: string + description: "The repository to pull the SQL Server image from." + default: "mcr.microsoft.com/mssql/server" + group: "SQL Server" + subquestions: + - variable: sqlImage.pullPolicy + label: "Pull Policy" + type: string + description: "The pull policy for the SQL Server image." + default: "Always" + group: "SQL Server" + - variable: sqlImage.tag + label: "Image Tag" + type: string + description: "The tag to use for the SQL Server image." + default: "2022-latest" + group: "SQL Server" \ No newline at end of file diff --git a/charts/dh2i/dxemssql/templates/_helpers.tpl b/charts/dh2i/dxemssql/templates/_helpers.tpl index 9c3fe3394..5aa540e24 100644 --- a/charts/dh2i/dxemssql/templates/_helpers.tpl +++ b/charts/dh2i/dxemssql/templates/_helpers.tpl 
@@ -1,62 +1,62 @@ -{{/* -Expand the name of the chart. -*/}} -{{- define "dxemssql.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "dxemssql.fullname" -}} -{{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- $name := default .Chart.Name .Values.nameOverride }} -{{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 63 | trimSuffix "-" }} -{{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} -{{- end }} -{{- end }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "dxemssql.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "dxemssql.labels" -}} -helm.sh/chart: {{ include "dxemssql.chart" . }} -{{ include "dxemssql.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "dxemssql.selectorLabels" -}} -app.kubernetes.io/name: {{ include "dxemssql.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} - -{{/* -Create the name of the service account to use -*/}} -{{- define "dxemssql.serviceAccountName" -}} -{{- if .Values.serviceAccount.create }} -{{- default (include "dxemssql.fullname" .) .Values.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.serviceAccount.name }} -{{- end }} -{{- end }} +{{/* +Expand the name of the chart. 
+*/}} +{{- define "dxemssql.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "dxemssql.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "dxemssql.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "dxemssql.labels" -}} +helm.sh/chart: {{ include "dxemssql.chart" . }} +{{ include "dxemssql.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "dxemssql.selectorLabels" -}} +app.kubernetes.io/name: {{ include "dxemssql.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "dxemssql.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "dxemssql.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/dh2i/dxemssql/templates/external-lb.yaml b/charts/dh2i/dxemssql/templates/external-lb.yaml index c08f817e3..52e960acb 100644 
--- a/charts/dh2i/dxemssql/templates/external-lb.yaml +++ b/charts/dh2i/dxemssql/templates/external-lb.yaml @@ -1,23 +1,23 @@ -{{- if eq (.Values.enableLoadBalancers | toString | lower) "true" }} -{{- range untilStep 0 (.Values.replicas | int) 1 }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "dxemssql.fullname" $ }}-lb-{{ . }} -spec: - type: LoadBalancer - externalTrafficPolicy: Local - selector: - statefulset.kubernetes.io/pod-name: {{ template "dxemssql.fullname" $ }}-{{ . }} - ports: - - name: sql - protocol: TCP - port: 1433 - targetPort: 1433 - - name: dxe-admin - protocol: TCP - port: 7979 - targetPort: 7979 ---- -{{- end }} +{{- if eq (.Values.enableLoadBalancers | toString | lower) "true" }} +{{- range untilStep 0 (.Values.replicas | int) 1 }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "dxemssql.fullname" $ }}-lb-{{ . }} +spec: + type: LoadBalancer + externalTrafficPolicy: Local + selector: + statefulset.kubernetes.io/pod-name: {{ template "dxemssql.fullname" $ }}-{{ . }} + ports: + - name: sql + protocol: TCP + port: 1433 + targetPort: 1433 + - name: dxe-admin + protocol: TCP + port: 7979 + targetPort: 7979 +--- +{{- end }} {{- end }} \ No newline at end of file diff --git a/charts/dh2i/dxemssql/templates/headless-svc.yaml b/charts/dh2i/dxemssql/templates/headless-svc.yaml index ed03dc92a..38eb0b301 100644 --- a/charts/dh2i/dxemssql/templates/headless-svc.yaml +++ b/charts/dh2i/dxemssql/templates/headless-svc.yaml 
@@ -1,25 +1,25 @@
-#headless services for local connections/resolution
-{{- range untilStep 0 (.Values.replicas | int) 1 }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ template "dxemssql.fullname" $ }}-{{ . }}
-spec:
- clusterIP: None
- selector:
- statefulset.kubernetes.io/pod-name: {{ template "dxemssql.fullname" $ }}-{{ . }}
- ports:
- - name: dxlmonitor
- protocol: TCP
- port: 7979
- - name: dxcmonitor-tcp
- protocol: TCP
- port: 7980
- - name: dxcmonitor-udp
- protocol: UDP
- port: 7981
- - name: ag-endpoint
- protocol: TCP
- port: 5022
----
+#headless services for local connections/resolution
+{{- range untilStep 0 (.Values.replicas | int) 1 }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "dxemssql.fullname" $ }}-{{ . }}
+spec:
+ clusterIP: None
+ selector:
+ statefulset.kubernetes.io/pod-name: {{ template "dxemssql.fullname" $ }}-{{ . }}
+ ports:
+ - name: dxlmonitor
+ protocol: TCP
+ port: 7979
+ - name: dxcmonitor-tcp
+ protocol: TCP
+ port: 7980
+ - name: dxcmonitor-udp
+ protocol: UDP
+ port: 7981
+ - name: ag-endpoint
+ protocol: TCP
+ port: 5022
+---
 {{- end }}
\ No newline at end of file
diff --git a/charts/dh2i/dxemssql/templates/statefulset.yaml b/charts/dh2i/dxemssql/templates/statefulset.yaml
index 57b3d53e4..50dab324d 100644
--- a/charts/dh2i/dxemssql/templates/statefulset.yaml
+++ b/charts/dh2i/dxemssql/templates/statefulset.yaml
@@ -1,108 +1,108 @@ -#DxEnterprise + MSSQL StatefulSet -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "dxemssql.fullname" . }} - labels: - {{- include "dxemssql.labels" . | nindent 4 }} -spec: - serviceName: {{ include "dxemssql.fullname" . }} - replicas: {{ .Values.replicas }} - selector: - matchLabels: - {{- include "dxemssql.labels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "dxemssql.labels" . | nindent 8 }} - spec: - securityContext: - fsGroup: 10001 - containers: - - name: sql - image: "{{ .Values.sqlImage.repository }}:{{ .Values.sqlImage.tag }}" - imagePullPolicy: {{ .Values.sqlImage.pullPolicy }} - env: - - name: ACCEPT_EULA - value: {{ required "You must accept the SQL Server EULA." .Values.ACCEPT_EULA | upper | quote }} - - name: MSSQL_AGENT_ENABLED - value: {{ .Values.MSSQL_AGENT_ENABLED | quote }} - - name: MSSQL_ENABLE_HADR - value: "1" - - name: MSSQL_PID - value: {{ .Values.MSSQL_PID | quote }} - - name: MSSQL_SA_PASSWORD - valueFrom: - secretKeyRef: - name: {{ required "You must provide a secret key that contains MSSQL_SA_PASSWORD and DX_PASSKEY." .Values.secretKeys }} - key: MSSQL_SA_PASSWORD - readinessProbe: - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 12 - tcpSocket: - port: 1433 - volumeMounts: - - name: mssql - mountPath: "/var/opt/mssql" - - name: dxe - image: "{{ .Values.dxeImage.repository }}:{{ .Values.dxeImage.tag }}" - imagePullPolicy: {{ .Values.dxeImage.pullPolicy }} - env: - - name: DX_LICENSE - value: {{ required "DxEnterprise license key is required." .Values.DX_LICENSE | upper | quote }} - - name: DX_ACCEPT_EULA - value: {{ required "You must accept the DxEnterprise EULA." 
.Values.DX_ACCEPT_EULA | lower | quote }} - - name: DX_OTPK - valueFrom: - secretKeyRef: - name: {{ .Values.secretKeys }} - key: DX_OTPK - optional: true - - name: DX_PASSKEY - valueFrom: - secretKeyRef: - name: {{ required "You must provide a secret key that contains MSSQL_SA_PASSWORD and DX_PASSKEY." .Values.secretKeys }} - key: DX_PASSKEY - - name: DX_VHOST_NAME - value: {{ .Values.DX_VHOST_NAME | upper | quote }} - - name: DX_AG_NAME - value: {{ .Values.DX_AG_NAME | upper | quote }} - - name: DX_AG_OPTIONS - value: {{ .Values.DX_AG_OPTIONS | quote }} - - name: DX_NEW_CLUSTER - value: {{ .Values.DX_NEW_CLUSTER | lower | quote }} - - name: MSSQL_SA_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.secretKeys }} - key: MSSQL_SA_PASSWORD - readinessProbe: - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 12 - exec: - command: - - sh - - -c - - "cat /opt/dh2i/sbin/ready | grep -q \"1\"" - volumeMounts: - - name: dxe - mountPath: "/etc/dh2i" - volumeClaimTemplates: - - metadata: - name: dxe - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - - metadata: - name: mssql - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 8Gi +#DxEnterprise + MSSQL StatefulSet +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "dxemssql.fullname" . }} + labels: + {{- include "dxemssql.labels" . | nindent 4 }} +spec: + serviceName: {{ include "dxemssql.fullname" . }} + replicas: {{ .Values.replicas }} + selector: + matchLabels: + {{- include "dxemssql.labels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "dxemssql.labels" . | nindent 8 }} + spec: + securityContext: + fsGroup: 10001 + containers: + - name: sql + image: "{{ .Values.sqlImage.repository }}:{{ .Values.sqlImage.tag }}" + imagePullPolicy: {{ .Values.sqlImage.pullPolicy }} + env: + - name: ACCEPT_EULA + value: {{ required "You must accept the SQL Server EULA." 
.Values.ACCEPT_EULA | upper | quote }} + - name: MSSQL_AGENT_ENABLED + value: {{ .Values.MSSQL_AGENT_ENABLED | quote }} + - name: MSSQL_ENABLE_HADR + value: "1" + - name: MSSQL_PID + value: {{ .Values.MSSQL_PID | quote }} + - name: MSSQL_SA_PASSWORD + valueFrom: + secretKeyRef: + name: {{ required "You must provide a secret key that contains MSSQL_SA_PASSWORD and DX_PASSKEY." .Values.secretKeys }} + key: MSSQL_SA_PASSWORD + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 12 + tcpSocket: + port: 1433 + volumeMounts: + - name: mssql + mountPath: "/var/opt/mssql" + - name: dxe + image: "{{ .Values.dxeImage.repository }}:{{ .Values.dxeImage.tag }}" + imagePullPolicy: {{ .Values.dxeImage.pullPolicy }} + env: + - name: DX_LICENSE + value: {{ required "DxEnterprise license key is required." .Values.DX_LICENSE | upper | quote }} + - name: DX_ACCEPT_EULA + value: {{ required "You must accept the DxEnterprise EULA." .Values.DX_ACCEPT_EULA | lower | quote }} + - name: DX_OTPK + valueFrom: + secretKeyRef: + name: {{ .Values.secretKeys }} + key: DX_OTPK + optional: true + - name: DX_PASSKEY + valueFrom: + secretKeyRef: + name: {{ required "You must provide a secret key that contains MSSQL_SA_PASSWORD and DX_PASSKEY." 
.Values.secretKeys }} + key: DX_PASSKEY + - name: DX_VHOST_NAME + value: {{ .Values.DX_VHOST_NAME | upper | quote }} + - name: DX_AG_NAME + value: {{ .Values.DX_AG_NAME | upper | quote }} + - name: DX_AG_OPTIONS + value: {{ .Values.DX_AG_OPTIONS | quote }} + - name: DX_NEW_CLUSTER + value: {{ .Values.DX_NEW_CLUSTER | lower | quote }} + - name: MSSQL_SA_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.secretKeys }} + key: MSSQL_SA_PASSWORD + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 12 + exec: + command: + - sh + - -c + - "cat /opt/dh2i/sbin/ready | grep -q \"1\"" + volumeMounts: + - name: dxe + mountPath: "/etc/dh2i" + volumeClaimTemplates: + - metadata: + name: dxe + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + - metadata: + name: mssql + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi diff --git a/charts/dh2i/dxemssql/templates/tests/test-setup.yaml b/charts/dh2i/dxemssql/templates/tests/test-setup.yaml index 697b293cb..e9ba50ec7 100644 --- a/charts/dh2i/dxemssql/templates/tests/test-setup.yaml +++ b/charts/dh2i/dxemssql/templates/tests/test-setup.yaml 
@@ -1,29 +1,29 @@
-#Test for dxemssql
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ include "dxemssql.fullname" . }}-test"
- labels:
- {{- include "dxemssql.labels" . | nindent 4 }}
- annotations:
- helm.sh/hook: test
-spec:
- restartPolicy: Never
- containers:
- - name: dxe
- image: "{{ .Values.dxeImage.repository }}:{{ .Values.dxeImage.tag }}"
- imagePullPolicy: {{ .Values.dxeImage.pullPolicy }}
- env:
- - name: DX_TARGET_HOSTNAME
- value: "{{ include "dxemssql.fullname" . }}-0"
- - name: DX_PASSKEY
- valueFrom:
- secretKeyRef:
- name: {{ .Values.secretKeys }}
- key: DX_PASSKEY
- - name: DX_VHOST_NAME
- value: {{ .Values.DX_VHOST_NAME | upper | quote }}
- - name: DX_AG_NAME
- value: {{ .Values.DX_AG_NAME | upper | quote }}
- command: ["/bin/bash"]
+#Test for dxemssql
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "dxemssql.fullname" . }}-test"
+ labels:
+ {{- include "dxemssql.labels" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: test
+spec:
+ restartPolicy: Never
+ containers:
+ - name: dxe
+ image: "{{ .Values.dxeImage.repository }}:{{ .Values.dxeImage.tag }}"
+ imagePullPolicy: {{ .Values.dxeImage.pullPolicy }}
+ env:
+ - name: DX_TARGET_HOSTNAME
+ value: "{{ include "dxemssql.fullname" . }}-0"
+ - name: DX_PASSKEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.secretKeys }}
+ key: DX_PASSKEY
+ - name: DX_VHOST_NAME
+ value: {{ .Values.DX_VHOST_NAME | upper | quote }}
+ - name: DX_AG_NAME
+ value: {{ .Values.DX_AG_NAME | upper | quote }}
+ command: ["/bin/bash"]
 args: ["-c", "/opt/dh2i/sbin/helm-test.sh"]
\ No newline at end of file
diff --git a/charts/dh2i/dxemssql/values.schema.json b/charts/dh2i/dxemssql/values.schema.json
index 697b293cb..e9ba50ec7 100644
--- a/charts/dh2i/dxemssql/values.schema.json
+++ b/charts/dh2i/dxemssql/values.schema.json
@@ -1,14 +1,14 @@
-{
- "$schema": "http://json-schema.org/schema#",
- "type": "object",
- "required": [
- "replicas"
- ],
- "properties": {
- "replicas": {
- "type": "integer",
- "minimum": 1,
- "maximum": 5
- }
- }
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "required": [
+ "replicas"
+ ],
+ "properties": {
+ "replicas": {
+ "type": "integer",
+ "minimum": 1,
+ "maximum": 5
+ }
+ }
 }
\ No newline at end of file
diff --git a/charts/dh2i/dxemssql/values.yaml b/charts/dh2i/dxemssql/values.yaml
index 9419e0c71..8729f77b4 100644
--- a/charts/dh2i/dxemssql/values.yaml
+++ b/charts/dh2i/dxemssql/values.yaml
@@ -1,38 +1,38 @@ -# Default values for dxemssql. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# General -# CAUTION: Setting the replica quantity to a value less than 3 does not meet Microsoft's quorum requirements for HA. -# See https://support.dh2i.com/docs/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups -# Only set this value below 3 if you intend to assign these replicas to an existing availability group -replicas: 3 -secretKeys: null -enableLoadBalancers: "true" - -# SQL Server settings -sqlImage: - repository: "mcr.microsoft.com/mssql/server" - pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. - tag: "2022-latest" -MSSQL_PID: "Developer" -ACCEPT_EULA: null -MSSQL_AGENT_ENABLED: "false" - -# DxEnterprise settings -dxeImage: - repository: dh2i/dxe - pullPolicy: Always - tag: latest -DX_LICENSE: null -DX_ACCEPT_EULA: null -DX_VHOST_NAME: "VHOST1" -DX_AG_NAME: "AG1" -DX_AG_OPTIONS: "" -DX_NEW_CLUSTER: "true" - -nameOverride: "" -fullnameOverride: "" - -podAnnotations: {} +# Default values for dxemssql. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# General +# CAUTION: Setting the replica quantity to a value less than 3 does not meet Microsoft's quorum requirements for HA. +# See https://support.dh2i.com/docs/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups +# Only set this value below 3 if you intend to assign these replicas to an existing availability group +replicas: 3 +secretKeys: null +enableLoadBalancers: "true" + +# SQL Server settings +sqlImage: + repository: "mcr.microsoft.com/mssql/server" + pullPolicy: Always + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "2022-latest" +MSSQL_PID: "Developer" +ACCEPT_EULA: null +MSSQL_AGENT_ENABLED: "false" + +# DxEnterprise settings +dxeImage: + repository: dh2i/dxe + pullPolicy: Always + tag: latest +DX_LICENSE: null +DX_ACCEPT_EULA: null +DX_VHOST_NAME: "VHOST1" +DX_AG_NAME: "AG1" +DX_AG_OPTIONS: "" +DX_NEW_CLUSTER: "true" + +nameOverride: "" +fullnameOverride: "" + +podAnnotations: {} diff --git a/charts/digitalis/vals-operator/Chart.yaml b/charts/digitalis/vals-operator/Chart.yaml index 59f6bf90b..30eafe89c 100644 --- a/charts/digitalis/vals-operator/Chart.yaml +++ b/charts/digitalis/vals-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: vals-operator apiVersion: v2 -appVersion: v0.7.8 +appVersion: v0.7.9 description: 'This helm chart installs the Digitalis Vals Operator to manage and sync secrets from supported backends into Kubernetes. ## About Vals-Operator Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals), @@ -20,4 +20,4 @@ maintainers: name: Digitalis.IO name: vals-operator type: application -version: 0.7.8 +version: 0.7.9 diff --git a/charts/digitalis/vals-operator/README.md b/charts/digitalis/vals-operator/README.md index cfc03bc27..48719cf0f 100644 --- a/charts/digitalis/vals-operator/README.md +++ b/charts/digitalis/vals-operator/README.md 
@@ -1,6 +1,6 @@ # vals-operator -![Version: 0.7.8](https://img.shields.io/badge/Version-0.7.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.8](https://img.shields.io/badge/AppVersion-v0.7.8-informational?style=flat-square) +![Version: 0.7.9](https://img.shields.io/badge/Version-0.7.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.9](https://img.shields.io/badge/AppVersion-v0.7.9-informational?style=flat-square) This helm chart installs the Digitalis Vals Operator to manage and sync secrets from supported backends into Kubernetes. ## About Vals-Operator diff --git a/charts/external-secrets/external-secrets/Chart.yaml b/charts/external-secrets/external-secrets/Chart.yaml index ce4f35501..cb4557c7b 100644 --- a/charts/external-secrets/external-secrets/Chart.yaml +++ b/charts/external-secrets/external-secrets/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: external-secrets apiVersion: v2 -appVersion: v0.9.11 +appVersion: v0.9.12 description: External secret management for Kubernetes home: https://github.com/external-secrets/external-secrets icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png @@ -17,4 +17,4 @@ maintainers: name: mcavoyk name: external-secrets type: application -version: 0.9.11 +version: 0.9.12 diff --git a/charts/external-secrets/external-secrets/README.md b/charts/external-secrets/external-secrets/README.md index 96d2de05a..7f5c86e73 100644 --- a/charts/external-secrets/external-secrets/README.md +++ b/charts/external-secrets/external-secrets/README.md 
@@ -4,7 +4,7 @@ [//]: # (README.md generated by gotmpl. DO NOT EDIT.) -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.11](https://img.shields.io/badge/Version-0.9.11-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.9.12](https://img.shields.io/badge/Version-0.9.12-informational?style=flat-square) External secret management for Kubernetes @@ -44,6 +44,7 @@ The command removes all the Kubernetes components associated with the chart and | certController.extraVolumes | list | `[]` | | | certController.fullnameOverride | string | `""` | | | certController.hostNetwork | bool | `false` | Run the certController on the host network | +| certController.image.flavour | string | `""` | | | certController.image.pullPolicy | string | `"IfNotPresent"` | | | certController.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | | certController.image.tag | string | `""` | | 
@@ -98,9 +99,10 @@ The command removes all the Kubernetes components associated with the chart and | extraVolumes | list | `[]` | | | fullnameOverride | string | `""` | | | hostNetwork | bool | `false` | Run the controller on the host network | +| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | -| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default the distroless image is used. | +| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. | | imagePullSecrets | list | `[]` | | | installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. | | leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. | 
@@ -153,7 +155,7 @@ The command removes all the Kubernetes components associated with the chart and | webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector | | webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. | | webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ | -| webhook.certManager.cert.duration | string | `""` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec | +| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. | | webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec | | webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. 
| | webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ | @@ -166,6 +168,7 @@ The command removes all the Kubernetes components associated with the chart and | webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore | | webhook.fullnameOverride | string | `""` | | | webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. | +| webhook.image.flavour | string | `""` | The flavour of tag you want to use | | webhook.image.pullPolicy | string | `"IfNotPresent"` | | | webhook.image.repository | string | `"ghcr.io/external-secrets/external-secrets"` | | | webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. | diff --git a/charts/external-secrets/external-secrets/templates/_helpers.tpl b/charts/external-secrets/external-secrets/templates/_helpers.tpl index 92031fe2f..5b0f306b0 100644 --- a/charts/external-secrets/external-secrets/templates/_helpers.tpl +++ b/charts/external-secrets/external-secrets/templates/_helpers.tpl @@ -133,3 +133,13 @@ Create the name of the service account to use {{- end }} {{- end }} +{{/* +Determine the image to use, including if using a flavour. +*/}} +{{- define "external-secrets.image" -}} +{{- if .image.flavour -}} +{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }} +{{- else }} +{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }} +{{- end }} +{{- end }} diff --git a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml index 51083e565..31949bcb6 100644 
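Review bot: The two branches of the new `external-secrets.image` helper do not render the same way: `{{- if .image.flavour -}}` trims the newline ahead of its `printf`, but `{{- else }}` does not, so the no-flavour branch emits a leading newline and every caller has to pipe the result through `| trim` (as the cert-controller-deployment hunk does). Changing that line to `{{- else -}}` makes both branches yield just `repository:tag`, and the `| trim` at the call sites can then go. Note also that the rendered `image:` value loses the double quotes the old inline form had; adding `| quote` at the call site, `image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | quote }}`, keeps the previous quoting should a tag or flavour value ever contain characters YAML treats specially. The same point applies to the cert-controller-deployment hunk that follows.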
--- a/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml
+++ b/charts/external-secrets/external-secrets/templates/cert-controller-deployment.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.certController.create (not .Values.webhook.certManager.enable) }}
+{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -45,7 +45,7 @@ spec:
 securityContext:
 {{- toYaml . | nindent 12 }}
 {{- end }}
- image: "{{ .Values.certController.image.repository }}:{{ .Values.certController.image.tag | default .Chart.AppVersion }}"
+ image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
 imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
 args:
 - certcontroller
diff --git a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml
index 3d5919ced..c86e5fa61 100644
--- a/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml
+++ b/charts/external-secrets/external-secrets/templates/crds/acraccesstoken.yaml
@@ -9,7 +9,7 @@ metadata:
 {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
 cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
 {{- end }}
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: acraccesstokens.generators.external-secrets.io
 spec:
 group: generators.external-secrets.io
@@ -27,18 +27,39 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: "ACRAccessToken returns a Azure Container Registry token that can be used for pushing/pulling images. Note: by default it will return an ACR Refresh Token with full access (depending on the identity). This can be scoped down to the repository level using .spec.scope. In case scope is defined it will return an ACR Access Token. \n See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md" + description: |- + ACRAccessToken returns a Azure Container Registry token + that can be used for pushing/pulling images. + Note: by default it will return an ACR Refresh Token with full access + (depending on the identity). + This can be scoped down to the repository level using .spec.scope. + In case scope is defined it will return an ACR Access Token. + + + See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. 
+ Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: 'ACRAccessTokenSpec defines how to generate the access token e.g. how to authenticate and which registry to use. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview' + description: |- + ACRAccessTokenSpec defines how to generate the access token + e.g. how to authenticate and which registry to use. + see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview properties: auth: properties: 
@@ -53,32 +74,42 @@ spec: description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure. properties: secretRef: - description: Configuration used to authenticate with Azure using static credentials stored in a Kind=Secret. + description: |- + Configuration used to authenticate with Azure using static + credentials stored in a Kind=Secret. properties: clientId: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -89,10 +120,15 @@ spec: description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure. properties: serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -100,7 +136,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -109,7 +147,11 @@ spec: type: object environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -117,10 +159,23 @@ spec: - GermanCloud type: string registry: - description: the domain name of the ACR registry e.g. foobarexample.azurecr.io + description: |- + the domain name of the ACR registry + e.g. foobarexample.azurecr.io type: string scope: - description: "Define the scope for the access token, e.g. pull/push access for a repository. if not provided it will return a refresh token that has full scope. Note: you need to pin it down to the repository level, there is no wildcard available. \n examples: repository:my-repository:pull,push repository:my-repository:pull \n see docs for details: https://docs.docker.com/registry/spec/auth/scope/" + description: |- + Define the scope for the access token, e.g. pull/push access for a repository. + if not provided it will return a refresh token that has full scope. + Note: you need to pin it down to the repository level, there is no wildcard available. + + + examples: + repository:my-repository:pull,push + repository:my-repository:pull + + + see docs for details: https://docs.docker.com/registry/spec/auth/scope/ type: string tenantId: description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. diff --git a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml index b71734e86..7e80cbf0e 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clusterexternalsecret.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterexternalsecrets.external-secrets.io spec: group: external-secrets.io @@ -40,10 +40,19 @@ spec: description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -74,7 +83,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default @@ -112,14 +123,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -139,7 +159,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -154,11 +176,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -196,7 +222,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -231,11 +259,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -248,10 +280,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -259,7 +295,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -283,7 +325,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -296,13 +340,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -314,11 +363,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -327,7 +380,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -337,7 +392,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -348,7 +406,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 
@@ -442,16 +503,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -463,7 +532,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml index ea9ac2669..26ca77086 100644 --- a/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/clustersecretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustersecretstores.external-secrets.io spec: group: external-secrets.io 
@@ -38,10 +38,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,7 +58,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -66,7 +77,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -75,23 +88,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -99,7 +127,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -109,51 +139,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -212,26 +263,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -250,7 +309,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -259,7 +321,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -267,39 +332,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -330,32 +407,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -365,10 +454,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -376,7 +470,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -425,13 +521,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -447,7 +547,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -455,7 +558,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -482,13 +587,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -516,13 +625,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -547,29 +660,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -580,7 +705,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -588,7 +716,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -598,16 +728,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -657,7 +793,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -666,26 +805,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -704,13 +851,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -721,10 +875,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -732,7 +891,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -751,26 +912,40 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -779,55 +954,83 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -835,7 +1038,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -845,55 +1050,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -901,7 +1137,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -911,27 +1149,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -941,18 +1192,26 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -978,23 +1237,40 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1010,7 +1286,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1051,7 +1331,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1061,13 +1343,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1098,13 +1384,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1112,16 +1402,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1188,10 +1484,19 @@ spec: description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1201,7 +1506,9 @@ spec: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector @@ -1209,16 +1516,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1230,7 +1545,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1242,7 +1560,9 @@ spec: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1259,7 +1579,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1268,23 +1590,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1292,7 +1629,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1302,51 +1641,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1359,7 +1719,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -1405,26 +1767,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1448,7 +1818,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -1457,7 +1830,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1465,52 +1841,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -1528,10 +1923,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -1573,32 +1978,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1606,7 +2023,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -1617,10 +2038,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1628,7 +2054,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1652,29 +2080,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1687,23 +2127,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1711,7 +2162,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1727,7 +2180,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -1736,7 +2192,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -1755,7 +2213,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -1764,13 +2224,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -1784,13 +2248,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -1801,10 +2269,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -1820,16 +2292,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1902,13 +2381,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1924,7 +2407,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1932,7 +2418,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1959,13 +2447,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2020,13 +2512,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2041,16 +2537,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2071,29 +2573,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2101,7 +2615,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2109,7 +2626,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2118,16 +2637,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2153,7 +2678,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2186,13 +2713,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2218,7 +2749,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2227,26 +2760,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2265,13 +2806,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -2282,10 +2830,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2293,7 +2846,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2315,13 +2870,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2344,13 +2903,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2372,16 +2935,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2410,39 +2979,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2450,37 +3041,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -2492,7 +3099,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2500,7 +3110,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2522,39 +3134,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2568,25 +3195,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2594,7 +3237,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2604,55 +3249,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2660,7 +3336,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2670,27 +3348,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -2700,13 +3391,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -2714,23 +3409,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -2738,7 +3444,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2751,7 +3461,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2764,23 +3476,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -2796,7 +3574,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2837,7 +3619,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -2847,13 +3631,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2884,13 +3672,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2898,16 +3690,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2927,13 +3725,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2941,16 +3743,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object diff --git a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml index 4eae527ee..45d7a4df2 100644 --- a/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/ecrauthorizationtoken.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ecrauthorizationtokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -27,13 +27,28 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an authorization token. The authorization token is valid for 12 hours. The authorizationToken returned is a base64 encoded string that can be decoded and used in a docker login command to authenticate to a registry. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. + description: |- + ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an + authorization token. + The authorization token is valid for 12 hours. + The authorizationToken returned is a base64 encoded string that can be decoded + and used in a docker login command to authenticate to a registry. + For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -49,7 +64,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -57,52 +75,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -111,7 +148,9 @@ spec: description: Region specifies the region to operate in. type: string role: - description: You can assume a role before making calls to the desired AWS service. + description: |- + You can assume a role before making calls to the + desired AWS service. type: string required: - region diff --git a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml index 9d0fe9fda..6606ed807 100644 --- a/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/externalsecret.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalsecrets.external-secrets.io spec: group: external-secrets.io 
@@ -41,10 +41,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -86,7 +95,9 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: description: ExternalSecretDataRemoteRef defines Provider data location. properties: 
@@ -112,13 +123,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -127,11 +143,15 @@ spec: - name type: object target: - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Merge 
@@ -141,7 +161,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -152,7 +175,10 @@ spec: type: object engineVersion: default: v1 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -224,7 +250,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -248,7 +277,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
@@ -280,10 +311,19 @@ spec: description: ExternalSecret is the Schema for the external-secrets API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -296,7 +336,9 @@ spec: description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data. properties: remoteRef: - description: RemoteRef points to the remote secret and defines which secret (version/property/..) to fetch. + description: |- + RemoteRef points to the remote secret and defines + which secret (version/property/..) to fetch. properties: conversionStrategy: default: Default 
@@ -334,14 +376,23 @@ spec: - key type: object secretKey: - description: SecretKey defines the key in which the controller stores the value. This is the key in the Kind=Secret + description: |- + SecretKey defines the key in which the controller stores + the value. This is the key in the Kind=Secret type: string sourceRef: - description: SourceRef allows you to override the source from which the value will pulled from. + description: |- + SourceRef allows you to override the source + from which the value will pulled from. maxProperties: 1 properties: generatorRef: - description: "GeneratorRef points to a generator custom resource. \n Deprecated: The generatorRef is not implemented in .data[]. this will be removed with v1." + description: |- + GeneratorRef points to a generator custom resource. + + + Deprecated: The generatorRef is not implemented in .data[]. + this will be removed with v1. properties: apiVersion: default: generators.external-secrets.io/v1alpha1 @@ -361,7 +412,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -376,11 +429,15 @@ spec: type: object type: array dataFrom: - description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order + description: |- + DataFrom is used to fetch all properties from a specific Provider data + If multiple entries are specified, the Secret keys are merged in the specified order items: properties: extract: - description: 'Used to extract multiple key/value pairs from one secret Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to extract multiple key/value pairs from one secret + Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default @@ -418,7 +475,9 @@ spec: - key type: object find: - description: 'Used to find secrets based on tags or regular expressions Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.' + description: |- + Used to find secrets based on tags or regular expressions + Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef. properties: conversionStrategy: default: Default 
@@ -453,11 +512,15 @@ spec: type: object type: object rewrite: - description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) + description: |- + Used to rewrite secret Keys after getting them from the secret Provider + Multiple Rewrite operations can be provided. They are applied in a layered order (first to last) items: properties: regexp: - description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation. + description: |- + Used to rewrite with regular expressions. + The resulting key will be the output of a regexp.ReplaceAll operation. properties: source: description: Used to define the regular expression of a re.Compiler. @@ -470,10 +533,14 @@ spec: - target type: object transform: - description: Used to apply string transformation on the secrets. The resulting key will be the output of the template applied by the operation. + description: |- + Used to apply string transformation on the secrets. + The resulting key will be the output of the template applied by the operation. properties: template: - description: Used to define the template to apply on the secret name. `.value ` will specify the secret name in the template. + description: |- + Used to define the template to apply on the secret name. + `.value ` will specify the secret name in the template. type: string required: - template 
@@ -481,7 +548,13 @@ spec: type: object type: array sourceRef: - description: SourceRef points to a store or generator which contains secret values ready to use. Use this in combination with Extract or Find pull values out of a specific SecretStore. When sourceRef points to a generator Extract or Find is not supported. The generator returns a static map of values + description: |- + SourceRef points to a store or generator + which contains secret values ready to use. + Use this in combination with Extract or Find pull values out of + a specific SecretStore. + When sourceRef points to a generator Extract or Find is not supported. + The generator returns a static map of values maxProperties: 1 properties: generatorRef: @@ -505,7 +578,9 @@ spec: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource 
@@ -518,13 +593,18 @@ spec: type: array refreshInterval: default: 1h - description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h. + description: |- + RefreshInterval is the amount of time before the values are read again from the SecretStore provider + Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" + May be set to zero to fetch and create it once. Defaults to 1h. type: string secretStoreRef: description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data. properties: kind: - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string name: description: Name of the SecretStore resource @@ -536,11 +616,15 @@ spec: default: creationPolicy: Owner deletionPolicy: Retain - description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret. + description: |- + ExternalSecretTarget defines the Kubernetes Secret to be created + There can be only one target per ExternalSecret. properties: creationPolicy: default: Owner - description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner' + description: |- + CreationPolicy defines rules on how to create the resulting Secret + Defaults to 'Owner' enum: - Owner - Orphan @@ -549,7 +633,9 @@ spec: type: string deletionPolicy: default: Retain - description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain' + description: |- + DeletionPolicy defines rules on how to delete the resulting Secret + Defaults to 'Retain' enum: - Delete - Merge 
@@ -559,7 +645,10 @@ spec: description: Immutable defines if the final secret will be immutable type: boolean name: - description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource + description: |- + Name defines the name of the Secret resource to be managed + This field is immutable + Defaults to the .metadata.name of the ExternalSecret resource type: string template: description: Template defines a blueprint for the created Secret resource. @@ -570,7 +659,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -664,7 +756,10 @@ spec: description: Binding represents a servicebinding.io Provisioned Service reference to the secret properties: name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string type: object x-kubernetes-map-type: atomic @@ -688,7 +783,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string 
diff --git a/charts/external-secrets/external-secrets/templates/crds/fake.yaml b/charts/external-secrets/external-secrets/templates/crds/fake.yaml index 11fd839e5..237fce3c3 100644 --- a/charts/external-secrets/external-secrets/templates/crds/fake.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/fake.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: fakes.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -27,13 +27,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Fake generator is used for testing. It lets you define a static set of credentials that is always returned. + description: |- + Fake generator is used for testing. It lets you define + a static set of credentials that is always returned. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,12 +52,16 @@ spec: description: FakeSpec contains the static data. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string data: additionalProperties: type: string - description: Data defines the static data returned by this generator. + description: |- + Data defines the static data returned + by this generator. type: object type: object type: object diff --git a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml index f5bc903d9..fb9d5784e 100644 --- a/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/gcraccesstoken.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: gcraccesstokens.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -27,13 +27,24 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: GCRAccessToken generates an GCP access token that can be used to authenticate with GCR. + description: |- + GCRAccessToken generates an GCP access token + that can be used to authenticate with GCR. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -48,13 +59,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -70,7 +85,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -78,7 +96,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
diff --git a/charts/external-secrets/external-secrets/templates/crds/password.yaml b/charts/external-secrets/external-secrets/templates/crds/password.yaml index 0daa607a9..75d45d4d7 100644 --- a/charts/external-secrets/external-secrets/templates/crds/password.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/password.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: passwords.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -27,13 +27,25 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: Password generates a random password based on the configuration parameters in spec. You can specify the length, characterset and other attributes. + description: |- + Password generates a random password based on the + configuration parameters in spec. + You can specify the length, characterset and other attributes. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -45,21 +57,29 @@ spec: description: set AllowRepeat to true to allow repeating characters. type: boolean digits: - description: Digits specifies the number of digits in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Digits specifies the number of digits in the generated + password. If omitted it defaults to 25% of the length of the password type: integer length: default: 24 - description: Length of the password to be generated. Defaults to 24 + description: |- + Length of the password to be generated. + Defaults to 24 type: integer noUpper: default: false description: Set NoUpper to disable uppercase characters type: boolean symbolCharacters: - description: SymbolCharacters specifies the special characters that should be used in the generated password. + description: |- + SymbolCharacters specifies the special characters that should be used + in the generated password. type: string symbols: - description: Symbols specifies the number of symbol characters in the generated password. If omitted it defaults to 25% of the length of the password + description: |- + Symbols specifies the number of symbol characters in the generated + password. If omitted it defaults to 25% of the length of the password type: integer required: - allowRepeat diff --git a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml index 306eafea5..42b45dcde 100644 --- a/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/pushsecret.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: pushsecrets.external-secrets.io spec: group: external-secrets.io @@ -34,10 +34,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -70,7 +79,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match @@ -91,7 +102,9 @@ spec: properties: kind: default: SecretStore - description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore` + description: |- + Kind of the SecretStore resource (SecretStore or ClusterSecretStore) + Defaults to `SecretStore` type: string labelSelector: description: Optionally, sync to secret stores with label selector 
@@ -99,16 +112,24 @@ spec: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -120,7 +141,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -153,7 +177,10 @@ spec: type: object engineVersion: default: v2 - description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[]. + description: |- + EngineVersion specifies the template engine version + that should be used to compile/execute the + template specified in .data and .templateFrom[]. enum: - v1 - v2 @@ -268,7 +295,9 @@ spec: type: object type: array refreshTime: - description: refreshTime is the time and date the external secret was fetched and the target secret updated + description: |- + refreshTime is the time and date the external secret was fetched and + the target secret updated format: date-time nullable: true type: string @@ -298,7 +327,9 @@ spec: - remoteRef type: object metadata: - description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation. + description: |- + Metadata is metadata attached to the secret. + The structure of metadata is provider specific, please look it up in the provider documentation. x-kubernetes-preserve-unknown-fields: true required: - match 
diff --git a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml index 20adc876c..faef89de5 100644 --- a/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/secretstore.yaml @@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: group: external-secrets.io 
@@ -38,10 +38,19 @@ spec: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,7 +58,9 @@ spec: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -66,7 +77,9 @@ spec: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -75,23 +88,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -99,7 +127,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -109,51 +139,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -212,26 +263,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -250,7 +309,10 @@ spec: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -259,7 +321,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -267,39 +332,51 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -330,32 +407,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -365,10 +454,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -376,7 +470,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -425,13 +521,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -447,7 +547,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -455,7 +558,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -482,13 +587,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -516,13 +625,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -547,29 +660,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -580,7 +705,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -588,7 +716,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -598,16 +728,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -657,7 +793,10 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -666,26 +805,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -704,13 +851,20 @@ spec:
 - user
 type: object
 compartment:
- description: Compartment is the vault compartment OCID. Required for PushSecret
+ description: |-
+ Compartment is the vault compartment OCID.
+ Required for PushSecret
 type: string
 encryptionKey:
- description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret
+ description: |-
+ EncryptionKey is the OCID of the encryption key within the vault.
+ Required for PushSecret
 type: string
 principalType:
- description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity.
+ description: |-
+ The type of principal to use for authentication. If left blank, the Auth struct will
+ determine the principal type. This optional field must be specified if using
+ workload identity.
 enum:
 - ""
 - UserPrincipal
@@ -721,10 +875,15 @@ spec:
 description: Region is the region where vault is located.
 type: string
 serviceAccountRef:
- description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
 properties:
 audiences:
- description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
 items:
 type: string
 type: array
@@ -732,7 +891,9 @@ spec:
 description: The name of the ServiceAccount resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 required:
 - name
@@ -751,26 +912,40 @@ spec:
 description: Auth configures how secret-manager authenticates with the Vault server.
 properties:
 appRole:
- description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
 properties:
 path:
 default: approle
- description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
 type: string
 roleId:
- description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
 type: string
 secretRef:
- description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 required:
@@ -779,55 +954,83 @@ spec:
 - secretRef
 type: object
 cert:
- description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
 properties:
 clientCert:
- description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 secretRef:
- description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 type: object
 jwt:
- description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
 properties:
 kubernetesServiceAccountToken:
- description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
 properties:
 audiences:
- description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
 items:
 type: string
 type: array
 expirationSeconds:
- description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Defaults to 10 minutes.
 format: int64
 type: integer
 serviceAccountRef:
 description: Service account field containing the name of a kubernetes ServiceAccount.
 properties:
 audiences:
- description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
 items:
 type: string
 type: array
@@ -835,7 +1038,9 @@ spec:
 description: The name of the ServiceAccount resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 required:
 - name
@@ -845,55 +1050,86 @@ spec:
 type: object
 path:
 default: jwt
- description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
 type: string
 role:
- description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
 type: string
 secretRef:
- description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 required:
 - path
 type: object
 kubernetes:
- description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
 properties:
 mountPath:
 default: kubernetes
- description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
 type: string
 role:
- description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
 type: string
 secretRef:
- description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 serviceAccountRef:
- description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
 properties:
 audiences:
- description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
 items:
 type: string
 type: array
@@ -901,7 +1137,9 @@ spec:
 description: The name of the ServiceAccount resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 required:
 - name
@@ -911,27 +1149,40 @@ spec:
 - role
 type: object
 ldap:
- description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
 properties:
 path:
 default: ldap
- description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
 type: string
 secretRef:
- description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 username:
- description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
 type: string
 required:
 - path
@@ -941,18 +1192,26 @@ spec:
 description: TokenSecretRef authenticates with Vault by presenting a token.
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 type: object
 caBundle:
- description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
 format: byte
 type: string
 caProvider:
@@ -978,23 +1237,40 @@ spec:
 - type
 type: object
 forwardInconsistent:
- description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
 type: boolean
 namespace:
- description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
 type: string
 path:
- description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
 type: string
 readYourWrites:
- description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
 type: boolean
 server:
 description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
 type: string
 version:
 default: v2
- description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
 enum:
 - v1
 - v2
@@ -1010,7 +1286,11 @@ spec:
 description: Body
 type: string
 caBundle:
- description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
 format: byte
 type: string
 caProvider:
@@ -1051,7 +1331,9 @@ spec:
 type: string
 type: object
 secrets:
- description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
 items:
 properties:
 name:
@@ -1061,13 +1343,17 @@ spec:
 description: Secret ref to fill in credentials
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 required:
@@ -1098,13 +1384,17 @@ spec:
 description: The authorized key used for authentication
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 type: object
@@ -1112,16 +1402,22 @@ spec:
 description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
 properties:
 certSecretRef:
- description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
 properties:
 key:
- description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
 type: string
 name:
 description: The name of the Secret resource being referred to.
 type: string
 namespace:
- description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
 type: string
 type: object
 type: object
@@ -1188,10 +1484,19 @@ spec:
 description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 metadata:
 type: object
@@ -1201,7 +1506,9 @@ spec:
 conditions:
 description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
 items:
- description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance.
+ description: |-
+ ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
+ for a ClusterSecretStore instance.
 properties:
 namespaceSelector:
 description: Choose namespace using a labelSelector
@@ -1209,16 +1516,24 @@ spec:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
 items:
 type: string
 type: array
@@ -1230,7 +1545,10 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
@@ -1242,7 +1560,9 @@ spec:
 type: object
 type: array
 controller:
- description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property'
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters ES based on this property
 type: string
 provider:
 description: Used to configure the provider. Only one provider may be set
@@ -1259,7 +1579,9 @@ spec:
 description: Auth configures how the operator authenticates with Akeyless.
 properties:
 kubernetesAuth:
- description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource.
+ description: |-
+ Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ token stored in the named Secret resource.
 properties:
 accessID:
 description: the Akeyless Kubernetes auth-method access-id
@@ -1268,23 +1590,38 @@ spec: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. 
If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1292,7 +1629,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1302,51 +1641,72 @@ spec: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1359,7 +1719,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -1405,26 +1767,34 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1448,7 +1818,10 @@ spec: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -1457,7 +1830,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1465,52 +1841,71 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object @@ -1528,10 +1923,20 @@ spec: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -1573,32 +1978,44 @@ spec: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1606,7 +2023,11 @@ spec: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -1617,10 +2038,15 @@ spec: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1628,7 +2054,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1652,29 +2080,41 @@ spec: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. 
+ description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1687,23 +2127,34 @@ spec: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1711,7 +2162,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1727,7 +2180,10 @@ spec: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -1736,7 +2192,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". @@ -1755,7 +2213,9 @@ spec: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. 
@@ -1764,13 +2224,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -1784,13 +2248,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -1801,10 +2269,14 @@ spec: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId @@ -1820,16 +2292,23 @@ spec: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1902,13 +2381,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1924,7 +2407,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1932,7 +2418,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1959,13 +2447,17 @@ spec: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2020,13 +2512,17 @@ spec: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2041,16 +2537,22 @@ spec: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2071,29 +2573,41 @@ spec: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2101,7 +2615,10 @@ spec: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2109,7 +2626,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2118,16 +2637,22 @@ spec: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2153,7 +2678,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2186,13 +2713,17 @@ spec: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2218,7 +2749,9 @@ spec: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2227,26 +2760,34 @@ spec: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2265,13 +2806,20 @@ spec: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -2282,10 +2830,15 @@ spec: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2293,7 +2846,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2315,13 +2870,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2344,13 +2903,17 @@ spec: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2372,16 +2935,22 @@ spec: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2410,39 +2979,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2450,37 +3041,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -2492,7 +3099,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2500,7 +3110,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2522,39 +3134,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2568,25 +3195,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2594,7 +3237,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2604,55 +3249,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2660,7 +3336,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2670,27 +3348,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -2700,13 +3391,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -2714,23 +3409,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -2738,7 +3444,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2751,7 +3461,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2764,23 +3476,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -2796,7 +3574,11 @@ spec: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2837,7 +3619,9 @@ spec: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -2847,13 +3631,17 @@ spec: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2884,13 +3672,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2898,16 +3690,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2927,13 +3725,17 @@ spec: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2941,16 +3743,22 @@ spec: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object diff --git a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml index 123558f86..bdd9c4161 100644 --- a/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml +++ b/charts/external-secrets/external-secrets/templates/crds/vaultdynamicsecret.yaml 
@@ -9,7 +9,7 @@ metadata: {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }} cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook {{- end }} - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: vaultdynamicsecrets.generators.external-secrets.io spec: group: generators.external-secrets.io 
@@ -29,17 +29,28 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters VDS based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters VDS based on this property type: string method: description: Vault API method to use (GET/POST/other) 
@@ -57,39 +68,61 @@ spec: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -97,37 +130,53 @@ spec: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -139,7 +188,10 @@ spec: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -147,7 +199,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -169,39 +223,54 @@ spec: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -215,25 +284,41 @@ spec: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -241,7 +326,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -251,55 +338,86 @@ spec: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. + description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. 
properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -307,7 +425,9 @@ spec: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -317,27 +437,40 @@ spec: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -347,13 +480,17 @@ spec: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -361,23 +498,34 @@ spec: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -385,7 +533,11 @@ spec: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -398,7 +550,9 @@ spec: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -411,23 +565,89 @@ spec: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -438,7 +658,12 @@ spec: type: object resultType: default: Data - description: Result type defines which data is returned from the generator. By default it is the "data" section of the Vault API response. When using e.g. /auth/token/create the "data" section is empty but the "auth" section contains the generated token. Please refer to the vault docs regarding the result data structure. + description: |- + Result type defines which data is returned from the generator. + By default it is the "data" section of the Vault API response. + When using e.g. /auth/token/create the "data" section is empty but + the "auth" section contains the generated token. + Please refer to the vault docs regarding the result data structure. enum: - Data - Auth diff --git a/charts/external-secrets/external-secrets/templates/deployment.yaml b/charts/external-secrets/external-secrets/templates/deployment.yaml index 00ea999ba..3dafc2c9d 100644 --- a/charts/external-secrets/external-secrets/templates/deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/deployment.yaml 
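Review bot: The new `tls` description for `certSecretRef`/`keySecretRef` does not say what happens when only one of the two references is set, and the schema adds no `required` entry or cross-field validation for them, so a store with a client certificate but no key (or the reverse) is accepted by the API server and presumably only fails, or silently falls back to a non-mTLS connection, when the Vault client is built. Because this CRD appears to be controller-gen output (the snapshot in this commit carries `controller-gen.kubebuilder.io/version: v0.14.0`), the wording belongs on the Go type's doc comment rather than on this file; a line such as `Both certSecretRef and keySecretRef must be set for client certificate authentication to take effect; setting only one is an error (confirm actual behaviour)` would let operators catch the misconfiguration at review time. It is also worth a sentence that, as the per-field text already says, the `namespace` on these references is only honoured for a cluster-scoped store, since that is the path by which a ClusterSecretStore reads a private-key Secret out of another namespace and is the field a reviewer should scrutinise.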
@@ -45,7 +45,7 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }} imagePullPolicy: {{ .Values.image.pullPolicy }} {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }} args: diff --git a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml index 5ab8fe9f6..f5d640d5b 100644 --- a/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml +++ b/charts/external-secrets/external-secrets/templates/webhook-deployment.yaml @@ -45,7 +45,7 @@ spec: securityContext: {{- toYaml . | nindent 12 }} {{- end }} - image: "{{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag | default .Chart.AppVersion }}" + image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }} imagePullPolicy: {{ .Values.webhook.image.pullPolicy }} args: - webhook diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap index 24b24dca3..e1bee95fd 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/cert_controller_test.yaml.snap 
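Review bot: The replacement `image:` line in deployment.yaml (and the identical one in webhook-deployment.yaml) drops the quotes the old line had and relies on `| trim` plus whatever the `external-secrets.image` helper emits to be a YAML-safe plain scalar; that helper is defined outside this hunk, so its output format cannot be checked here. Quoting the result keeps the previous guarantee regardless of what tag or digest string a user supplies: `image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim | quote }}`. If the new helper is what adds digest-based references (it looks that way from the refactor, but I cannot confirm without the helper), the chart README should call out the digest value as the recommended way to pin the controller image, since a mutable tag is the weak point in this supply chain.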
@@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 name: RELEASE-NAME-external-secrets-cert-controller namespace: NAMESPACE spec: @@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-cert-controller - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 spec: automountServiceAccountToken: true containers: @@ -38,7 +38,7 @@ should match snapshot of default values: - --secret-namespace=NAMESPACE - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.11 + image: ghcr.io/external-secrets/external-secrets:v0.9.12 imagePullPolicy: IfNotPresent name: cert-controller ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap index 123207b31..44cc61eff 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/controller_test.yaml.snap @@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 name: RELEASE-NAME-external-secrets namespace: NAMESPACE spec: 
@@ -24,15 +24,15 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 spec: automountServiceAccountToken: true containers: - args: - --concurrent=1 - --metrics-addr=:8080 - image: ghcr.io/external-secrets/external-secrets:v0.9.11 + image: ghcr.io/external-secrets/external-secrets:v0.9.12 imagePullPolicy: IfNotPresent name: external-secrets ports: diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap index fa5b3224a..affb9f21c 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/crds_test.yaml.snap @@ -4,7 +4,7 @@ should match snapshot of default values: kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: secretstores.external-secrets.io spec: conversion: 
@@ -43,10 +43,19 @@ should match snapshot of default values: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -54,7 +63,9 @@ should match snapshot of default values: description: SecretStoreSpec defines the desired state of SecretStore. properties: controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -71,7 +82,9 @@ should match snapshot of default values: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -80,23 +93,38 @@ should match snapshot of default values: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. 
+ If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -104,7 +132,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -114,51 +144,72 @@ should match snapshot of default values: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -217,26 +268,34 @@ should match snapshot of default values: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -255,7 +314,10 @@ should match snapshot of default values: description: AWS configures this store to sync secrets using AWS Secret Manager provider properties: auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -264,7 +326,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -272,39 +337,51 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -335,32 +412,44 @@ should match snapshot of default values: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -370,10 +459,15 @@ should match snapshot of default values: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -381,7 +475,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -430,13 +526,17 @@ should match snapshot of default values: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -452,7 +552,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -460,7 +563,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -487,13 +592,17 @@ should match snapshot of default values: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -521,13 +630,17 @@ should match snapshot of default values: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -552,29 +665,41 @@ should match snapshot of default values: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -585,7 +710,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -593,7 +721,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -603,16 +733,22 @@ should match snapshot of default values: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -662,7 +798,10 @@ should match snapshot of default values: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, instance principal is used. Optionally, the authenticating principal type and/or user data may be supplied for the use of workload identity and user principal. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, instance principal is used. Optionally, the authenticating principal type + and/or user data may be supplied for the use of workload identity and user principal. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -671,26 +810,34 @@ should match snapshot of default values: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -709,13 +856,20 @@ should match snapshot of default values: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -726,10 +880,15 @@ should match snapshot of default values: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -737,7 +896,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -756,26 +917,40 @@ should match snapshot of default values: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. 
type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -784,55 +959,83 @@ should match snapshot of default values: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
+ description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. items: type: string type: array expirationSeconds: - description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes. 
+ description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -840,7 +1043,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -850,55 +1055,86 @@ should match snapshot of default values: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
+ description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -906,7 +1142,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -916,27 +1154,40 @@ should match snapshot of default values: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -946,18 +1197,26 @@ should match snapshot of default values: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -983,23 +1242,40 @@ should match snapshot of default values: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -1015,7 +1291,11 @@ should match snapshot of default values: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -1056,7 +1336,9 @@ should match snapshot of default values: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -1066,13 +1348,17 @@ should match snapshot of default values: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -1103,13 +1389,17 @@ should match snapshot of default values: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1117,16 +1407,22 @@ should match snapshot of default values: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -1193,10 +1489,19 @@ should match snapshot of default values: description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1206,7 +1511,9 @@ should match snapshot of default values: conditions: description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore items: - description: ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in for a ClusterSecretStore instance. + description: |- + ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in + for a ClusterSecretStore instance. properties: namespaceSelector: description: Choose namespace using a labelSelector 
@@ -1214,16 +1521,24 @@ should match snapshot of default values: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1235,7 +1550,10 @@ should match snapshot of default values: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -1247,7 +1565,9 @@ should match snapshot of default values: type: object type: array controller: - description: 'Used to select the correct ESO controller (think: ingress.ingressClassName) The ESO controller is instantiated with a specific controller name and filters ES based on this property' + description: |- + Used to select the correct ESO controller (think: ingress.ingressClassName) + The ESO controller is instantiated with a specific controller name and filters ES based on this property type: string provider: description: Used to configure the provider. Only one provider may be set @@ -1264,7 +1584,9 @@ should match snapshot of default values: description: Auth configures how the operator authenticates with Akeyless. properties: kubernetesAuth: - description: Kubernetes authenticates with Akeyless by passing the ServiceAccount token stored in the named Secret resource. + description: |- + Kubernetes authenticates with Akeyless by passing the ServiceAccount + token stored in the named Secret resource. properties: accessID: description: the Akeyless Kubernetes auth-method access-id 
@@ -1273,23 +1595,38 @@ should match snapshot of default values: description: Kubernetes-auth configuration name in Akeyless-Gateway type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Akeyless. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Akeyless. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Akeyless. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. 
+ If the service account is specified, the service account secret token JWT will be used + for authenticating with Akeyless. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1297,7 +1634,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1307,51 +1646,72 @@ should match snapshot of default values: - k8sConfName type: object secretRef: - description: Reference to a Secret that contains the details to authenticate with Akeyless. + description: |- + Reference to a Secret that contains the details + to authenticate with Akeyless. properties: accessID: description: The SecretAccessID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessType: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessTypeParam: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object type: object caBundle: - description: PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used + if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: 
@@ -1364,7 +1724,9 @@ should match snapshot of default values: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -1410,26 +1772,34 @@ should match snapshot of default values: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object accessKeySecretSecretRef: description: The AccessKeySecret is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1453,7 +1823,10 @@ should match snapshot of default values: type: string type: array auth: - description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials' + description: |- + Auth defines the information necessary to authenticate against AWS + if not set aws sdk will infer credentials from your environment + see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials properties: jwt: description: Authenticate against AWS using service account tokens. @@ -1462,7 +1835,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1470,52 +1846,71 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name type: object type: object secretRef: - description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. + description: |- + AWSAuthSecretRef holds secret references for AWS credentials + both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate. properties: accessKeyIDSecretRef: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. 
Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object type: object 
@@ -1533,10 +1928,20 @@ should match snapshot of default values: description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager properties: forceDeleteWithoutRecovery: - description: 'Specifies whether to delete the secret without any recovery window. You can''t use both this parameter and RecoveryWindowInDays in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery' + description: |- + Specifies whether to delete the secret without any recovery window. You + can't use both this parameter and RecoveryWindowInDays in the same call. + If you don't use either, then by default Secrets Manager uses a 30 day + recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery type: boolean recoveryWindowInDays: - description: 'The number of days from 7 to 30 that Secrets Manager waits before permanently deleting the secret. You can''t use both this parameter and ForceDeleteWithoutRecovery in the same call. If you don''t use either, then by default Secrets Manager uses a 30 day recovery window. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays' + description: |- + The number of days from 7 to 30 that Secrets Manager waits before + permanently deleting the secret. You can't use both this parameter and + ForceDeleteWithoutRecovery in the same call. If you don't use either, + then by default Secrets Manager uses a 30 day recovery window. + see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays format: int64 type: integer type: object 
@@ -1578,32 +1983,44 @@ should match snapshot of default values: description: The Azure clientId of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientSecret: description: The Azure ClientSecret of the service principle used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object authType: default: ServicePrincipal - description: 'Auth type defines how to authenticate to the keyvault service. 
Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)' + description: |- + Auth type defines how to authenticate to the keyvault service. + Valid values are: + - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) + - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity) enum: - ServicePrincipal - ManagedIdentity @@ -1611,7 +2028,11 @@ should match snapshot of default values: type: string environmentType: default: PublicCloud - description: 'EnvironmentType specifies the Azure cloud environment endpoints to use for connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud' + description: |- + EnvironmentType specifies the Azure cloud environment endpoints to use for + connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint. + The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152 + PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud enum: - PublicCloud - USGovernmentCloud 
@@ -1622,10 +2043,15 @@ should match snapshot of default values: description: If multiple Managed Identity is assigned to the pod, you can select the one to be used type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1633,7 +2059,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -1657,29 +2085,41 @@ should match snapshot of default values: account: type: string apiKeyRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1692,23 +2132,34 @@ should match snapshot of default values: account: type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Conjur using the JWT authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Conjur using the JWT authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional ServiceAccountRef specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountRef specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. 
IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -1716,7 +2167,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1732,7 +2185,10 @@ should match snapshot of default values: caBundle: type: string caProvider: - description: Used to provide custom certificate authority (CA) certificates for a secret store. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate. + description: |- + Used to provide custom certificate authority (CA) certificates + for a secret store. The CAProvider points to a Secret or ConfigMap resource + that contains a PEM-encoded certificate. properties: key: description: The key where the CA certificate can be found in the Secret or ConfigMap. @@ -1741,7 +2197,9 @@ should match snapshot of default values: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -1760,7 +2218,9 @@ should match snapshot of default values: - url type: object delinea: - description: Delinea DevOps Secrets Vault https://docs.delinea.com/online-help/products/devops-secrets-vault/current + description: |- + Delinea DevOps Secrets Vault + https://docs.delinea.com/online-help/products/devops-secrets-vault/current properties: clientId: description: ClientID is the non-secret part of the credential. @@ -1769,13 +2229,17 @@ should match snapshot of default values: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -1789,13 +2253,17 @@ should match snapshot of default values: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: @@ -1806,10 +2274,14 @@ should match snapshot of default values: description: Tenant is the chosen hostname / site name. type: string tld: - description: TLD is based on the server location that was chosen during provisioning. If unset, defaults to "com". + description: |- + TLD is based on the server location that was chosen during provisioning. + If unset, defaults to "com". type: string urlTemplate: - description: URLTemplate If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". + description: |- + URLTemplate + If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". type: string required: - clientId 
@@ -1825,16 +2297,23 @@ should match snapshot of default values: secretRef: properties: dopplerToken: - description: The DopplerToken is used for authentication. See https://docs.doppler.com/reference/api#authentication for auth token types. The Key attribute defaults to dopplerToken if not specified. + description: |- + The DopplerToken is used for authentication. + See https://docs.doppler.com/reference/api#authentication for auth token types. + The Key attribute defaults to dopplerToken if not specified. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -1907,13 +2386,17 @@ should match snapshot of default values: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -1929,7 +2412,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -1937,7 +2423,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -1964,13 +2452,17 @@ should match snapshot of default values: description: AccessToken is used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2025,13 +2517,17 @@ should match snapshot of default values: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2046,16 +2542,22 @@ should match snapshot of default values: description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider properties: authRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object folderID: 
@@ -2076,29 +2578,41 @@ should match snapshot of default values: description: has both clientCert and clientKey as secretKeySelector properties: clientCert: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object clientKey: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2106,7 +2620,10 @@ should match snapshot of default values: description: points to a service account that should be used for authentication properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2114,7 +2631,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2123,16 +2642,22 @@ should match snapshot of default values: description: use static token to authenticate with properties: bearerToken: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object @@ -2158,7 +2683,9 @@ should match snapshot of default values: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2191,13 +2718,17 @@ should match snapshot of default values: description: The ConnectToken is used for authentication to a 1Password Connect Server. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2223,7 +2754,9 @@ should match snapshot of default values: description: Oracle configures this store to sync secrets using Oracle Vault provider properties: auth: - description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth. + description: |- + Auth configures how secret-manager authenticates with the Oracle Vault. + If empty, use the instance principal, otherwise the user credentials specified in Auth. properties: secretRef: description: SecretRef to pass through sensitive information. 
@@ -2232,26 +2765,34 @@ should match snapshot of default values: description: Fingerprint is the fingerprint of the API private key. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object privatekey: description: PrivateKey is the user's API Signing Key in PEM format, used for authentication. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2270,13 +2811,20 @@ should match snapshot of default values: - user type: object compartment: - description: Compartment is the vault compartment OCID. Required for PushSecret + description: |- + Compartment is the vault compartment OCID. + Required for PushSecret type: string encryptionKey: - description: EncryptionKey is the OCID of the encryption key within the vault. Required for PushSecret + description: |- + EncryptionKey is the OCID of the encryption key within the vault. + Required for PushSecret type: string principalType: - description: The type of principal to use for authentication. If left blank, the Auth struct will determine the principal type. This optional field must be specified if using workload identity. + description: |- + The type of principal to use for authentication. If left blank, the Auth struct will + determine the principal type. This optional field must be specified if using + workload identity. enum: - "" - UserPrincipal @@ -2287,10 +2835,15 @@ should match snapshot of default values: description: Region is the region where vault is located. type: string serviceAccountRef: - description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity. + description: |- + ServiceAccountRef specified the service account + that should be used when authenticating with WorkloadIdentity. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2298,7 +2851,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name @@ -2320,13 +2875,17 @@ should match snapshot of default values: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2349,13 +2908,17 @@ should match snapshot of default values: description: SecretRef references a key in a secret that will be used as value. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object value: 
@@ -2377,16 +2940,22 @@ should match snapshot of default values: clientId: type: string clientSecretSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2415,39 +2984,61 @@ should match snapshot of default values: description: Auth configures how secret-manager authenticates with the Vault server. properties: appRole: - description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource. + description: |- + AppRole authenticates with Vault using the App Role auth mechanism, + with the role and secret stored in a Kubernetes Secret resource. properties: path: default: approle - description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"' + description: |- + Path where the App Role authentication backend is mounted + in Vault, e.g: "approle" type: string roleId: - description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault. + description: |- + RoleID configured in the App Role authentication backend when setting + up the authentication backend in Vault. type: string roleRef: - description: Reference to a key in a Secret that contains the App Role ID used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role id. + description: |- + Reference to a key in a Secret that contains the App Role ID used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role id. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. 
Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret. + description: |- + Reference to a key in a Secret that contains the App Role secret used + to authenticate with Vault. + The `key` field must be specified and denotes which entry within the Secret + resource is used as the app role secret. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: 
@@ -2455,37 +3046,53 @@ should match snapshot of default values: - secretRef type: object cert: - description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method + description: |- + Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate + Cert authentication method properties: clientCert: - description: ClientCert is a certificate to authenticate using the Cert Vault authentication method + description: |- + ClientCert is a certificate to authenticate using the Cert Vault + authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretRef: - description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method + description: |- + SecretRef to a key in a Secret resource containing client private key to + authenticate with Vault using the Cert authentication method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. 
+ description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object iam: - description: Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials AWS IAM authentication method + description: |- + Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials + AWS IAM authentication method properties: externalID: description: AWS External ID set on assumed IAM roles @@ -2497,7 +3104,10 @@ should match snapshot of default values: description: A reference to a ServiceAccount resource. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array 
@@ -2505,7 +3115,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2527,39 +3139,54 @@ should match snapshot of default values: description: The AccessKeyID is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object secretAccessKeySecretRef: description: The SecretAccessKey is used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. 
type: string type: object sessionTokenSecretRef: - description: 'The SessionToken used for authentication This must be defined if AccessKeyID and SecretAccessKey are temporary credentials see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html' + description: |- + The SessionToken used for authentication + This must be defined if AccessKeyID and SecretAccessKey are temporary credentials + see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2573,25 +3200,41 @@ should match snapshot of default values: - vaultRole type: object jwt: - description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method + description: |- + Jwt authenticates with Vault by passing role and JWT token using the + JWT/OIDC authentication method properties: kubernetesServiceAccountToken: - description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API. + description: |- + Optional ServiceAccountToken specifies the Kubernetes service account for which to request + a token for with the `TokenRequest` API. properties: audiences: - description: 'Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified. Deprecated: use serviceAccountRef.Audiences instead' + description: |- + Optional audiences field that will be used to request a temporary Kubernetes service + account token for the service account referenced by `serviceAccountRef`. + Defaults to a single audience `vault` it not specified. + Deprecated: use serviceAccountRef.Audiences instead items: type: string type: array expirationSeconds: - description: 'Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Deprecated: this will be removed in the future. Defaults to 10 minutes.' + description: |- + Optional expiration time in seconds that will be used to request a temporary + Kubernetes service account token for the service account referenced by + `serviceAccountRef`. + Deprecated: this will be removed in the future. + Defaults to 10 minutes. format: int64 type: integer serviceAccountRef: description: Service account field containing the name of a kubernetes ServiceAccount. 
properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2599,7 +3242,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2609,55 +3254,86 @@ should match snapshot of default values: type: object path: default: jwt - description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"' + description: |- + Path where the JWT authentication backend is mounted + in Vault, e.g: "jwt" type: string role: - description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method + description: |- + Role is a JWT role to authenticate using the JWT/OIDC Vault + authentication method type: string secretRef: - description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method. + description: |- + Optional SecretRef that refers to a key in a Secret resource containing JWT token to + authenticate with Vault using the JWT/OIDC authentication method. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: - path type: object kubernetes: - description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server. 
+ description: |- + Kubernetes authenticates with Vault by passing the ServiceAccount + token stored in the named Secret resource to the Vault server. properties: mountPath: default: kubernetes - description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"' + description: |- + Path where the Kubernetes authentication backend is mounted in Vault, e.g: + "kubernetes" type: string role: - description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies. + description: |- + A required field containing the Vault Role to assume. A Role binds a + Kubernetes ServiceAccount with a set of Vault policies. type: string secretRef: - description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used. + description: |- + Optional secret field containing a Kubernetes ServiceAccount JWT used + for authenticating with Vault. If a name is specified without a key, + `token` is the default. If one is not specified, the one bound to + the controller will be used. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. 
cluster-scoped defaults + to the namespace of the referent. type: string type: object serviceAccountRef: - description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead. + description: |- + Optional service account field containing the name of a kubernetes ServiceAccount. + If the service account is specified, the service account secret token JWT will be used + for authenticating with Vault. If the service account selector is not supplied, + the secretRef will be used instead. properties: audiences: - description: Audience specifies the `aud` claim for the service account token If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity then this audiences will be appended to the list + description: |- + Audience specifies the `aud` claim for the service account token + If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity + then this audiences will be appended to the list items: type: string type: array @@ -2665,7 +3341,9 @@ should match snapshot of default values: description: The name of the ServiceAccount resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string required: - name 
@@ -2675,27 +3353,40 @@ should match snapshot of default values: - role type: object ldap: - description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method + description: |- + Ldap authenticates with Vault by passing username/password pair using + the LDAP authentication method properties: path: default: ldap - description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"' + description: |- + Path where the LDAP authentication backend is mounted + in Vault, e.g: "ldap" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the LDAP + user used to authenticate with Vault using the LDAP authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method + description: |- + Username is a LDAP user name used to authenticate using the LDAP Vault + authentication method type: string required: - path 
@@ -2705,13 +3396,17 @@ should match snapshot of default values: description: TokenSecretRef authenticates with Vault by presenting a token. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object userPass: 
@@ -2719,23 +3414,34 @@ should match snapshot of default values: properties: path: default: user - description: 'Path where the UserPassword authentication backend is mounted in Vault, e.g: "user"' + description: |- + Path where the UserPassword authentication backend is mounted + in Vault, e.g: "user" type: string secretRef: - description: SecretRef to a key in a Secret resource containing password for the user used to authenticate with Vault using the UserPass authentication method + description: |- + SecretRef to a key in a Secret resource containing password for the + user used to authenticate with Vault using the UserPass authentication + method properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object username: - description: Username is a user name used to authenticate using the UserPass Vault authentication method + description: |- + Username is a user name used to authenticate using the UserPass Vault + authentication method type: string required: - path 
@@ -2743,7 +3449,11 @@ should match snapshot of default values: type: object type: object caBundle: - description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate Vault server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2756,7 +3466,9 @@ should match snapshot of default values: description: The name of the object located at the provider type. type: string namespace: - description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore. + description: |- + The namespace the Provider type is in. + Can only be defined when used in a ClusterSecretStore. type: string type: description: The type of provider to use such as "Secret", or "ConfigMap". 
@@ -2769,23 +3481,89 @@ should match snapshot of default values: - type type: object forwardInconsistent: - description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header + description: |- + ForwardInconsistent tells Vault to forward read-after-write requests to the Vault + leader instead of simply retrying within a loop. This can increase performance if + the option is enabled serverside. + https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header type: boolean namespace: - description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces' + description: |- + Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows + Vault environments to support Secure Multi-tenancy. e.g: "ns1". + More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces type: string path: - description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.' + description: |- + Path is the mount path of the Vault KV backend endpoint, e.g: + "secret". The v2 KV secret engine version specific "/data" path suffix + for fetching secrets from Vault is optional and will be appended + if not present in specified path. type: string readYourWrites: - description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. 
More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency + description: |- + ReadYourWrites ensures isolated read-after-write semantics by + providing discovered cluster replication states in each request. + More information about eventual consistency in Vault can be found here + https://www.vaultproject.io/docs/enterprise/consistency type: boolean server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + tls: + description: |- + The configuration used for client side related TLS communication, when the Vault server + requires mutual authentication. Only used if the Server URL is using HTTPS protocol. + This parameter is ignored for plain HTTP protocol connection. + It's worth noting this configuration is different from the "TLS certificates auth method", + which is available under the `auth.cert` section. + properties: + certSecretRef: + description: |- + CertSecretRef is a certificate added to the transport layer + when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.crt'. + properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + keySecretRef: + description: |- + KeySecretRef to a key in a Secret resource containing client private key + added to the transport layer when communicating with the Vault server. + If no key for the Secret is specified, external-secret will default to 'tls.key'. 
+ properties: + key: + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. + type: string + name: + description: The name of the Secret resource being referred to. + type: string + namespace: + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. + type: string + type: object + type: object version: default: v2 - description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2". + description: |- + Version is the Vault KV secret engine version. This can be either "v1" or + "v2". Version defaults to "v2". enum: - v1 - v2 @@ -2801,7 +3579,11 @@ should match snapshot of default values: description: Body type: string caBundle: - description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection. + description: |- + PEM encoded CA bundle used to validate webhook server certificate. Only used + if the Server URL is using HTTPS protocol. This parameter is ignored for + plain HTTP protocol connection. If not set the system root certificates + are used to validate the TLS connection. format: byte type: string caProvider: @@ -2842,7 +3624,9 @@ should match snapshot of default values: type: string type: object secrets: - description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name + description: |- + Secrets to fill in templates + These secrets will be passed to the templating function as key value pairs under the given name items: properties: name: 
@@ -2852,13 +3636,17 @@ should match snapshot of default values: description: Secret ref to fill in credentials properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object required: @@ -2889,13 +3677,17 @@ should match snapshot of default values: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2903,16 +3695,22 @@ should match snapshot of default values: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2932,13 +3730,17 @@ should match snapshot of default values: description: The authorized key used for authentication properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object 
@@ -2946,16 +3748,22 @@ should match snapshot of default values: description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate. properties: certSecretRef: - description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field. + description: |- + A reference to a specific 'key' within a Secret resource, + In some instances, `key` is a required field. properties: key: - description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required. + description: |- + The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be + defaulted, in others it may be required. type: string name: description: The name of the Secret resource being referred to. type: string namespace: - description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent. + description: |- + Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults + to the namespace of the referent. type: string type: object type: object diff --git a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap index b5aa2391a..344059a56 100644 --- a/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap +++ b/charts/external-secrets/external-secrets/tests/__snapshot__/webhook_test.yaml.snap 
@@ -7,8 +7,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE spec: @@ -24,8 +24,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.11 - helm.sh/chart: external-secrets-0.9.11 + app.kubernetes.io/version: v0.9.12 + helm.sh/chart: external-secrets-0.9.12 spec: automountServiceAccountToken: true containers: @@ -37,7 +37,7 @@ should match snapshot of default values: - --check-interval=5m - --metrics-addr=:8080 - --healthz-addr=:8081 - image: ghcr.io/external-secrets/external-secrets:v0.9.11 + image: ghcr.io/external-secrets/external-secrets:v0.9.12 imagePullPolicy: IfNotPresent name: webhook ports: @@ -81,8 +81,8 @@ should match snapshot of default values: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: external-secrets-webhook - app.kubernetes.io/version: v0.9.11 + app.kubernetes.io/version: v0.9.12 external-secrets.io/component: webhook - helm.sh/chart: external-secrets-0.9.11 + helm.sh/chart: external-secrets-0.9.12 name: RELEASE-NAME-external-secrets-webhook namespace: NAMESPACE diff --git a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml index 52cce7efd..8f2769d62 100644 --- a/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml +++ b/charts/external-secrets/external-secrets/tests/cert_controller_test.yaml 
@@ -61,3 +61,20 @@ tests: - equal: path: spec.template.spec.containers[0].args[6] value: "--metrics-addr=:8888" + - it: should override image flavour + set: + certController.image.repository: ghcr.io/external-secrets/external-secrets + certController.image.tag: v0.9.8 + certController.image.flavour: ubi-boringssl + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl + - it: should override image flavour + set: + certController.image.repository: example.com/external-secrets/external-secrets + certController.image.tag: v0.9.9-ubi + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: example.com/external-secrets/external-secrets:v0.9.9-ubi diff --git a/charts/external-secrets/external-secrets/tests/controller_test.yaml b/charts/external-secrets/external-secrets/tests/controller_test.yaml index f74af187b..c437d64fc 100644 --- a/charts/external-secrets/external-secrets/tests/controller_test.yaml +++ b/charts/external-secrets/external-secrets/tests/controller_test.yaml @@ -54,3 +54,20 @@ tests: - equal: path: spec.template.spec.containers[0].args[1] value: "--metrics-addr=:8888" + - it: should override image flavour + set: + image.repository: ghcr.io/external-secrets/external-secrets + image.tag: v0.9.8 + image.flavour: ubi-boringssl + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl + - it: should override image flavour + set: + image.repository: example.com/external-secrets/external-secrets + image.tag: v0.9.9-ubi + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: example.com/external-secrets/external-secrets:v0.9.9-ubi diff --git a/charts/external-secrets/external-secrets/tests/webhook_test.yaml b/charts/external-secrets/external-secrets/tests/webhook_test.yaml index b157e3bd4..8c6f761b0 100644 
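Review bot: Both new test cases in this hunk carry the same `it:` name, `should override image flavour`, although the second one exercises a different contract (a flavour suffix already embedded in the tag, with no `flavour` value set), so a failure report cannot tell the two apart. The same pair is repeated in the controller_test.yaml hunk on this line and in the webhook_test.yaml hunk that follows. Renaming the second case in each file, e.g. `- it: should not append a flavour suffix when flavour is empty`, keeps the assertions unchanged and makes the intent explicit.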
--- a/charts/external-secrets/external-secrets/tests/webhook_test.yaml +++ b/charts/external-secrets/external-secrets/tests/webhook_test.yaml @@ -170,3 +170,24 @@ tests: - equal: path: spec.template.spec.containers[0].args[5] value: "--metrics-addr=:8888" + - it: should override image flavour + set: + webhook.image.repository: ghcr.io/external-secrets/external-secrets + webhook.image.tag: v0.9.8 + webhook.image.flavour: ubi-boringssl + templates: + - webhook-deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: ghcr.io/external-secrets/external-secrets:v0.9.8-ubi-boringssl + - it: should override image flavour + set: + webhook.image.repository: example.com/external-secrets/external-secrets + webhook.image.tag: v0.9.9-ubi + templates: + - webhook-deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: example.com/external-secrets/external-secrets:v0.9.9-ubi diff --git a/charts/external-secrets/external-secrets/values.yaml b/charts/external-secrets/external-secrets/values.yaml index 5b4335720..f2f5597c1 100644 --- a/charts/external-secrets/external-secrets/values.yaml +++ b/charts/external-secrets/external-secrets/values.yaml @@ -7,10 +7,12 @@ image: repository: ghcr.io/external-secrets/external-secrets pullPolicy: IfNotPresent # -- The image tag to use. The default is the chart appVersion. + tag: "" + # -- The flavour of tag you want to use # There are different image flavours available, like distroless and ubi. # Please see GitHub release notes for image tags for these flavors. # By default the distroless image is used. - tag: "" + flavour: "" # -- If set, install and upgrade CRDs through helm chart. installCRDs: true 
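Review bot: The new `flavour` key is documented only as `# -- The flavour of tag you want to use`, which does not say how the value is applied; the chart tests earlier in this diff show it being appended to the tag as `<tag>-<flavour>` (`v0.9.8` plus `ubi-boringssl` renders `v0.9.8-ubi-boringssl`). I would extend the comment to state that, e.g. `# -- The flavour of tag you want to use. When set, it is appended to the tag as "<tag>-<flavour>", e.g. "ubi-boringssl"; leave empty for the default distroless image.` The `webhook.image.flavour` and `certController.image.flavour` keys added in the following hunks should get the same wording, since the certController one currently has no comment at all.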
@@ -224,8 +226,10 @@ webhook: image: repository: ghcr.io/external-secrets/external-secrets pullPolicy: IfNotPresent - # -- The image tag to use. The default is the chart appVersion. + # -- The image tag to use. The default is the chart appVersion. tag: "" + # -- The flavour of tag you want to use + flavour: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -271,7 +275,8 @@ webhook: name: "my-issuer" # -- Set the requested duration (i.e. lifetime) of the Certificate. See # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec - duration: "" + # One year by default. + duration: "8760h" # -- How long before the currently issued certificate’s expiry # cert-manager should renew the certificate. See # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec @@ -375,6 +380,7 @@ certController: repository: ghcr.io/external-secrets/external-secrets pullPolicy: IfNotPresent tag: "" + flavour: "" imagePullSecrets: [] nameOverride: "" fullnameOverride: "" diff --git a/charts/hashicorp/consul/Chart.yaml b/charts/hashicorp/consul/Chart.yaml index 58acd9ad0..2fa3de6fd 100644 --- a/charts/hashicorp/consul/Chart.yaml +++ b/charts/hashicorp/consul/Chart.yaml @@ -1,11 +1,11 @@ annotations: artifacthub.io/images: | - name: consul - image: hashicorp/consul:1.17.1 + image: hashicorp/consul:1.17.2 - name: consul-k8s-control-plane - image: hashicorp/consul-k8s-control-plane:1.3.1 + image: hashicorp/consul-k8s-control-plane:1.3.2 - name: consul-dataplane - image: hashicorp/consul-dataplane:1.3.1 + image: hashicorp/consul-dataplane:1.3.2 - name: envoy image: envoyproxy/envoy:v1.25.11 artifacthub.io/license: MPL-2.0 
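Review bot: Changing `duration` from `""` to `"8760h"` in the webhook certificate block is a behaviour change for every existing install on the cert-manager path, not just a default clean-up: the webhook serving certificate will now be requested with a one-year lifetime instead of whatever cert-manager applies when the field is empty, which as far as I know is considerably shorter. A longer-lived serving certificate widens the window in which a leaked private key stays usable, and the `renewBefore` value documented just after this hunk (outside the visible lines) should be revisited against the new lifetime. The change deserves an entry in the chart changelog, and the new comment could make the trade-off visible, e.g. `# One year by default; cert-manager's own default applies when this is left empty.`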
@@ -25,7 +25,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: consul apiVersion: v2 -appVersion: 1.17.1 +appVersion: 1.17.2 description: Official HashiCorp Consul Chart home: https://www.consul.io icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png @@ -34,4 +34,4 @@ name: consul sources: - https://github.com/hashicorp/consul - https://github.com/hashicorp/consul-k8s -version: 1.3.1 +version: 1.3.2 diff --git a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml index 2fafae7df..b87c8223b 100644 --- a/charts/hashicorp/consul/templates/connect-inject-deployment.yaml +++ b/charts/hashicorp/consul/templates/connect-inject-deployment.yaml @@ -259,7 +259,8 @@ spec: -default-sidecar-proxy-lifecycle-shutdown-grace-period-seconds={{ .Values.connectInject.sidecarProxy.lifecycle.defaultShutdownGracePeriodSeconds }} \ -default-sidecar-proxy-lifecycle-graceful-port={{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulPort }} \ -default-sidecar-proxy-lifecycle-graceful-shutdown-path="{{ .Values.connectInject.sidecarProxy.lifecycle.defaultGracefulShutdownPath }}" \ - + -default-sidecar-proxy-startup-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultStartupFailureSeconds }} \ + -default-sidecar-proxy-liveness-failure-seconds={{ .Values.connectInject.sidecarProxy.defaultLivenessFailureSeconds }} \ {{- if .Values.connectInject.initContainer }} {{- $initResources := .Values.connectInject.initContainer.resources }} {{- if not (kindIs "invalid" $initResources.limits.memory) }} diff --git a/charts/hashicorp/consul/values.yaml b/charts/hashicorp/consul/values.yaml index 80245654a..0d2d3aaa3 100644 --- a/charts/hashicorp/consul/values.yaml +++ b/charts/hashicorp/consul/values.yaml 
@@ -66,7 +66,7 @@ global: # image: "hashicorp/consul-enterprise:1.10.0-ent" # ``` # @default: hashicorp/consul: - image: hashicorp/consul:1.17.1 + image: hashicorp/consul:1.17.2 # Array of objects containing image pull secret names that will be applied to each service account. # This can be used to reference image pull secrets if using a custom consul or consul-k8s-control-plane Docker image. @@ -86,7 +86,7 @@ global: # image that is used for functionality such as catalog sync. # This can be overridden per component. # @default: hashicorp/consul-k8s-control-plane: - imageK8S: hashicorp/consul-k8s-control-plane:1.3.1 + imageK8S: hashicorp/consul-k8s-control-plane:1.3.2 # The name of the datacenter that the agents should # register as. This can't be changed once the Consul cluster is up and running @@ -639,7 +639,7 @@ global: # The name (and tag) of the consul-dataplane Docker image used for the # connect-injected sidecar proxies and mesh, terminating, and ingress gateways. # @default: hashicorp/consul-dataplane: - imageConsulDataplane: hashicorp/consul-dataplane:1.3.1 + imageConsulDataplane: hashicorp/consul-dataplane:1.3.2 # Configuration for running this Helm chart on the Red Hat OpenShift platform. # This Helm chart currently supports OpenShift v4.x+. 
@@ -2701,6 +2701,13 @@ connectInject: # @type: string defaultGracefulShutdownPath: "/graceful_shutdown" + # Configures how long the k8s startup probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultStartupFailureSeconds: 0 + # Configures how long the k8s liveness probe will wait before the proxy is considered to be unhealthy and the container is restarted. + # A value of zero disables the probe. + defaultLivenessFailureSeconds: 0 + # The resource settings for the Connect injected init container. If null, the resources # won't be set for the initContainer. The defaults are optimized for developer instances of # Kubernetes, however they should be tweaked with the recommended defaults as shown below to speed up service registration times. diff --git a/charts/jenkins/jenkins/CHANGELOG.md b/charts/jenkins/jenkins/CHANGELOG.md index bf1415bd7..b52622b1e 100644 --- a/charts/jenkins/jenkins/CHANGELOG.md +++ b/charts/jenkins/jenkins/CHANGELOG.md 
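Review bot: The two new keys `defaultStartupFailureSeconds` and `defaultLivenessFailureSeconds` lack the `# @type:` annotation that the neighbouring `defaultGracefulShutdownPath` carries (`# @type: string`), so the generated values reference will not show their type. Adding `# @type: integer` at the end of each comment block keeps the file consistent. It would also help to say that these values feed the `-default-sidecar-proxy-startup-failure-seconds` and `-default-sidecar-proxy-liveness-failure-seconds` flags added to connect-inject-deployment.yaml in this diff, which appear to be rendered unconditionally and so receive `0` by default.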
@@ -12,6 +12,66 @@ Use the following links to reference issues, PRs, and commits prior to v2.6.0. The changelog until v1.5.7 was auto-generated based on git commits. Those entries include a reference to the git commit to be able to get more details. +## 5.0.13 + +Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` + +## 5.0.12 + +Fix controller.sidecars.additionalSidecarContainers renaming and add tests + +## 5.0.11 + +* Add controller.sidecars.configAutoReload.scheme to specify protocol scheme when connecting Jenkins configuration-as-code reload endpoint +* Add controller.sidecars.configAutoReload.skipTlsVerify to force the k8s-sidecar container to skip TLS verification when connecting to an HTTPS Jenkins configuration-as-code reload endpoint + +## 5.0.10 + +Update `jenkins/inbound-agent` to version `jenkins/inbound-agent` + +## 5.0.9 + +Update `kubernetes` to version `4186.v1d804571d5d4` + +## 5.0.8 + +Update `configuration-as-code` to version `1775.v810dc950b_514` + +## 5.0.7 + +Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` + +## 5.0.6 + +Removed `docker.io` prefix from inbound-agent image + +## 5.0.5 + +Prefixed artifacthub.io/images with `docker.io` + +## 5.0.4 + +Updated super-linter to v6. Updated README.md and CHANGELOG.md to fix linting issues. + +## 5.0.2 + +Update `git` to version `5.2.1` + +## 5.0.1 + +Update `docker.io/bats/bats` to version `v1.10.0` + +## 5.0.0 + + > [!CAUTION] + > Several fields have been renamed or removed. See [UPGRADING.md](./UPGRADING.md#to-500) + +The Helm Chart is now updated automatically via [Renovate](https://docs.renovatebot.com/) + +## 4.12.1 + +Update Jenkins image and appVersion to jenkins lts release version 2.426.3 + ## 4.12.0 Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`. 
@@ -1441,13 +1501,13 @@ Make `agent.slaveConnectTimeout` configurable: by increasing this value Jenkins ## 1.9.7 Update plugin versions -plugin | old version | new version ---------------------- | ----------- | ---------- -kubernetes | 1.18.2 | 1.21.2 -workflow-job | 2.33 | 2.36 -credentials-binding | 1.19 | 1.20 -git | 3.11.0 | 4.0.0 -configuration-as-code | 1.27 | 1.32 +| plugin | old version | new version | +|-----------------------|-------------|-------------| +| kubernetes | 1.18.2 | 1.21.2 | +| workflow-job | 2.33 | 2.36 | +| credentials-binding | 1.19 | 1.20 | +| git | 3.11.0 | 4.0.0 | +| configuration-as-code | 1.27 | 1.32 | ## 1.9.6 @@ -1573,7 +1633,7 @@ JCasC default configuration includes: - maxRequestsPerHostStr: "32" - name: "kubernetes" - namespace - - serverUrl: "https://kubernetes.default" + - serverUrl: `"https://kubernetes.default"` - template - containers - alwaysPullImage: `agent.alwaysPullImage` diff --git a/charts/jenkins/jenkins/Chart.yaml b/charts/jenkins/jenkins/Chart.yaml index 43c738094..74d0caa3d 100644 --- a/charts/jenkins/jenkins/Chart.yaml +++ b/charts/jenkins/jenkins/Chart.yaml @@ -1,16 +1,14 @@ annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | - - Add support for [generic ephemeral storage](https://github.com/jenkinsci/kubernetes-plugin/pull/1489) in `agent.volumes` and `agents.workspaceVolume`. + - Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` artifacthub.io/images: | - name: jenkins - image: jenkins/jenkins:2.426.2-jdk17 + image: docker.io/jenkins/jenkins:2.426.3-jdk17 - name: k8s-sidecar - image: kiwigrid/k8s-sidecar:1.24.4 + image: docker.io/kiwigrid/k8s-sidecar:1.25.4 - name: inbound-agent - image: jenkins/inbound-agent:3192.v713e3b_039fb_e-5 - - name: backup - image: maorfr/kube-tasks:0.2.0 + image: jenkins/inbound-agent:3206.vb_15dcf73f6a_9-3 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Chart Source 
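Review bot: The new `artifacthub.io/changes` entry repeats the image name where the version belongs (`Update docker.io/kiwigrid/k8s-sidecar to version docker.io/kiwigrid/k8s-sidecar`); the `artifacthub.io/images` block in the same hunk shows the sidecar moving to `1.25.4`, so the entry presumably should read `- Update docker.io/kiwigrid/k8s-sidecar to version 1.25.4`. The same broken text is carried into CHANGELOG.md for 5.0.13 and 5.0.7. Since this hunk also drops the `backup` image and the chart jumps from 4.12.0 to 5.0.13 across a release the changelog marks as breaking, the changes annotation could additionally point readers at UPGRADING.md.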
@@ -24,7 +22,7 @@ annotations:
 catalog.cattle.io/kube-version: '>=1.14-0'
 catalog.cattle.io/release-name: jenkins
 apiVersion: v2
-appVersion: 2.426.2
+appVersion: 2.426.3
 description: Jenkins - Build great things at any scale! The leading open source automation server, Jenkins provides over 1800 plugins to support building, deploying and automating any project.
@@ -51,4 +49,4 @@ sources:
 - https://github.com/jenkinsci/docker-inbound-agent
 - https://github.com/maorfr/kube-tasks
 - https://github.com/jenkinsci/configuration-as-code-plugin
-version: 4.12.0
+version: 5.0.13
diff --git a/charts/jenkins/jenkins/README.md b/charts/jenkins/jenkins/README.md
index 32172e1b6..9b7db0737 100644
--- a/charts/jenkins/jenkins/README.md
+++ b/charts/jenkins/jenkins/README.md
@@ -490,315 +490,6 @@ controller: RBAC is enabled by default. If you want to disable it you will need to set `rbac.create` to `false`. -### Backup - -Adds a backup CronJob for jenkins, along with required RBAC resources. See additional `backup` values using [configuration commands](#configuration). - -#### Example: Backup to Google Cloud Storage Bucket - -Let's look at a quick example. Let's pretend we are backing up Jenkins to a **Google Cloud Storage (GCS) Bucket**. Here is what the process would look like: - -##### 1. Create a Google Cloud Platform Account - -If you don't have a GCP account, you can create a Free Account with the link below: - -- - -##### 2. Create a GCS bucket with a unique name - -You need to create a GCS bucket with a unique name, which you can do by following the guide below: - -- - -##### 3. Create a GCP Service Account - -In order for the backup job to upload Jenkins data to the GCS bucket, you need to provide it with a Google Service Account, which you can create by following the guide below: - -- - -##### 4. Bind `roles/storage.admin` role to Service Account - -Now you need to provide your GCP Service Account with the `roles/storage.admin` role, which has permissions to read/write content to a GCS bucket. You can do this by following the guide below: - -- - -##### 5. Create a Service Account Key - -Now that you have a Service Account (SA), you need to create a Service Account Key, which is a file that represents the GCP Service Account that will get passed to the Backup Job (and later on to the Recovery Job). You can create it by following the guide below: - -- - -##### 6. 
Create a Kubernetes Secret from the Service Account key - -In order for the Backup Job to access the GCP Service Account Key you need to create Kubernetes Secret, which you can create using the command below: - -```bash -# Replace with the path to the SA Key -kubectl -n jenkins create secret generic jenkinsgcp --from-file=sa-credentials.json=/path/to/sa_key.json -``` - -**NOTE**: This assumes that you will deploy the Jenkins chart in the `jenkins` namespace. - -##### 7. Deploy the Jenkins Helm Chart using a modified values file - -Rather than using a long command to pass on all the new Chart values, create a values file called `values.yaml`, then put the following content on it, then save it: - -```yaml -backup: - enabled: true - schedule: "0 2 * * *" # Runs every day at 2 am, change it to whatever interval works for you - existingSecret: - jenkinsgcp: # This is the secret name - gcpcredentials: sa-credentials.json # The service account file in the secret - destination: "gcs://BUCKET_NAME/jenkins-k8s-backup" # Replace with Bucket Name from previous step -controller: - initializeOnce: true # Installs latest plugins as soon as Jenkins starts - installLatestPlugins: true -persistence: - enabled: true # So that we have a PVC that we can backup -``` - -**NOTE**: The [`gcpcredentials`](https://github.com/fabiogomezdiaz/helm-charts-1/blob/main/charts/jenkins/values.yaml#L829) key in the [`jenkinsgcp`](https://github.com/fabiogomezdiaz/helm-charts-1/blob/main/charts/jenkins/values.yaml#L827) field tells the Helm chart that we will be using a GCS bucket as our backup. - -##### 8. 
Deploy Jenkins Chart with new values - -Now that we have everything in place, let's deploy the Jenkins Chart with the new values file: - -```bash -helm upgrade --install jenkins --namespace jenkins \ - -f values.yaml \ - jenkinsci/jenkins; -``` - -**NOTE**: Save the password from this installation as it will be needed in the [Restore from Backup in Google Cloud Storage Bucket](#example-restore-from-backup-in-google-cloud-storage-bucket) section. - -##### 9. Create resources to backup in Jenkins - -Once Jenkins is available, go to Jenkins and create jobs, download plugins, and create credentials so that we have something to backup other than the default Jenkins installation. - -##### 10. Trigger the backup job - -The values file we used to deploy Jenkins runs the backup job every day at 2 AM. - -If you don't want to wait that long for the job to start running, then patch the CronJob to run in the next minute with the following commands: - -```bash -# Update CronJob to run every minute -kubectl -n jenkins patch cronjob.batch/jenkins-backup --patch '{"spec": {"schedule": "* * * * *"}}' - -# Run this command until the "jenkins-backup-*" container is running -kubectl get pods | grep backup; - -# To prevent multiple jobs from spanning every minute, change the CronJob back to original schedule -kubectl -n jenkins patch cronjob.batch/jenkins-backup --patch '{"spec": {"schedule": "0 2 * * *"}}' -``` - -##### 11. Verify that the backup job completed successfully - -Once the job is running, then query the backup pod logs to monitor progress as follows: - -```bash -# Get backup container name -BACKUP_CONTAINER=$(kubectl get pods | grep backup | awk '{print $1}'); - -# Stream logs of backup container until job is finished -kubectl logs -f ${BACKUP_CONTAINER}; -``` - -**NOTE**: The backup job will create a time-stamped folder in the GCS bucket each time the backup job runs. 
- -If you can see a success message from the backup job and can see the contents of the backup on your GCS bucket, then the backup was successful! - -A similar process would work for AWS S3. See additional `backup` values using [configuration commands](#configuration). - -**NOTE**: If an environmental variable `AWS_REGION` is not provided, the region of the AWS S3 bucket will be assumed to be `eu-central-1`. If you want to use an S3 bucket in another region, you need to provide the bucket's region as an environmental variable as below: - -```yaml -backup: - env: # The region of your S3 bucket. - - name: AWS_REGION - value: us-east-1 -``` - -### Restore From Backup - -To restore a backup, you can use the `kube-tasks` underlying tool called [skbn](https://github.com/maorfr/skbn), which copies files from cloud storage to Kubernetes. -The best way to do it would be using a `Job` to copy files from the desired backup tag to the Jenkins pod. - -See the following example for more details. - -#### Example: Restore from Backup in Google Cloud Storage Bucket - -**NOTE**: This section assumes that you ran the steps in [Example: Backup to Google Cloud Storage Bucket](#example-backup-to-google-cloud-storage-bucket) beforehand and that you **saved the password** for that Jenkins installation, which you will need at the end of this section. - -Let's pretend you are restoring a backup from a Google Cloud Storage Bucket because you completely lost your Jenkins installation and you are starting from scratch. - -In the following steps, we will explain what this process would look like: - -##### 1. Reinstall the Jenkins Helm Chart - -First, we need to remove the old Jenkins installation that we backed up previously, then we can install a clean Jenkins instance to restore from GCS backup. 
- -To do so, run the following commands: - -```bash -# Delete old Jenkins installation -helm delete jenkins - -# Install Jenkins Chart -helm upgrade --install jenkins --namespace jenkins \ - -f values.yaml \ - jenkinsci/jenkins; -``` - -**NOTE**: This Command uses the same values file that was created in the [7. Deploy the Jenkins Helm Chart using a modified values file](#7-deploy-the-jenkins-helm-chart-using-a-modified-values-file) section. - -Now verify that Jenkins is up and running and it DOES NOT have any of the resources you created earlier. - -##### 2. Create a Kubernetes Service Account for the Restore Job - -In order for the Restore job to pull backup data from the GCS bucket and put it in the jenkins `/var/jenkins_home` folder in the Jenkins pod, you need to create the following: - -- A [Kubernetes Service Account](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/) (not to be confused with a GCP Service Account) for the Restore job. -- A [Kubernetes ClusterRole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) that lists the necessary permissions to update the data in the volumes of other pods. -- A [Kubernetes ClusterRoleBinding](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) that binds the above ClusterRole to the Service Account. 
- -To do so, create a file called `restore-rbac.yaml` and enter the following content, then save it: - -```yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: skbn - name: skbn - namespace: jenkins ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app: skbn - name: skbn -rules: -- apiGroups: [""] - resources: ["pods", "pods/log"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["pods/exec"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app: skbn - name: skbn -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: skbn -subjects: -- kind: ServiceAccount - name: skbn - namespace: jenkins -``` - -To apply the above manifest, run the following command: - -```bash -kubectl apply -f restore-rbac.yaml -``` - -##### 3. Create a Kubernetes Job to restore Jenkins - -The logic that will execute the Jenkins restoration from a GCS backup will be done through a -[Kubernetes Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/), which will run only once as needed. 
- -To create the job, create a manifest file called `restore.yaml` with the following content, then save it: - -```yaml -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app: skbn - name: skbn - namespace: jenkins -spec: - template: - metadata: - labels: - app: skbn - spec: - restartPolicy: OnFailure - serviceAccountName: skbn - containers: - - name: skbn - image: maorfr/skbn - command: ["skbn"] - args: - - "cp" - - "--src" - - "gcs://BUCKET_NAME/jenkins-k8s-backup/BACKUP_NAME" - - "--dst" - - "k8s://jenkins/jenkins-0/jenkins/var/jenkins_home" - imagePullPolicy: IfNotPresent - env: - - name: GOOGLE_APPLICATION_CREDENTIALS - value: /var/run/secrets/jenkinsgcp/sa-credentials.json - volumeMounts: - - mountPath: /var/run/secrets/jenkinsgcp - name: jenkinsgcp - volumes: - - name: jenkinsgcp - secret: - secretName: jenkinsgcp -``` - -While the above Job manifest is mostly complete, you need to replace a couple of things, as follows: - -- Replace `BUCKET_NAME` with the GCS Bucket name created in [Create a GCS bucket with a unique name](#2-create-a-gcs-bucket-with-a-unique-name). -- Go to your GCS bucket and find the name of the latest timestamped folder (i.e. `20210717154947`), then replace `BACKUP_NAME` with it, then save the file. - -Notice that we are using the `jenkinsgcp` Kubernetes Secret that holds the `sa-credentials.json` key file for the GCP Service Account that we created in [Create a Service Account Key](#5-create-a-service-account-key). - -Having the Kubernetes Secret provide the GCP Service Account Key to the Restore Kubernetes Job is what will allow the Job to download the contents of the backup from the GCS bucket and put it into the `/var/jenkins_home` folder in the Persistent Volume Claim of the `jenkins-0` pod. - -##### 4. 
Deploy the Restore Job - -Deploy the Restore Job using the following command: - -```bash -kubectl apply -f restore.yaml -``` - -Wait about a minute for the Job to start, then query the logs using the following commands: - -```bash -# Get restore container name -RESTORE_CONTAINER=$(kubectl get pods | grep skbn | awk '{print $1}'); - -# Stream logs of restore container until job is finished -kubectl logs -f ${RESTORE_CONTAINER}; -``` - -Watch the logs until the job is done. This usually takes a few minutes. - -##### 5. Verify that Jenkins was restored from GCS Backup - -Login to Jenkins, then click on `Manage Jenkins-> Reload Configuration from Disk`, then press `OK`. - -Jenkins is now going to reload the backup content from disk and restart. Now, if you performed this on a new Jenkins installation, you will **not be able to login** using the password for the new installation of Jenkins. - -Because we are restoring from the backup of a previous installation, we need to login using the password for the old Jenkins installation. - -So, refresh your browser and login to Jenkins using the password from the backup. - -Now, verify that all your jobs, plugins, and credentials from that backup are showing up, and if they are, then CONGRATULATIONS on successfully restoring Jenkins from a GCS Backup! - -A similar process would work for AWS S3. See additional `backup` values using [configuration commands](#configuration) to figure out how what fields to put in the Restore Job manifest. - ### Adding Custom Pod Templates It is possible to add custom pod templates for the default configured kubernetes cloud. 
@@ -954,10 +645,10 @@ controller: ### HTTPS Keystore Configuration -[This configuration](https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777) enables jenkins to use keystore in order to serve https. +[This configuration](https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777) enables jenkins to use keystore in order to serve HTTPS. Here is the [value file section](https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777#RunningJenkinswithnativeSSL/HTTPS-ConfigureJenkinstouseHTTPSandtheJKSkeystore) related to keystore configuration. Keystore itself should be placed in front of `jenkinsKeyStoreBase64Encoded` key and in base64 encoded format. To achieve that after having `keystore.jks` file simply do this: `cat keystore.jks | base64` and paste the output in front of `jenkinsKeyStoreBase64Encoded`. -After enabling `httpsKeyStore.enable` make sure that `httpPort` and `targetPort` are not the same, as `targetPort` will serve https. +After enabling `httpsKeyStore.enable` make sure that `httpPort` and `targetPort` are not the same, as `targetPort` will serve HTTPS. Do not set `controller.httpsKeyStore.httpPort` to `-1` because it will cause readiness and liveliness prob to fail. If you already have a kubernetes secret that has keystore and its password you can specify its' name in front of `jenkinsHttpsJksSecretName`, You need to remember that your secret should have proper data key names `jenkins-jks-file` (or override the key name using `jenkinsHttpsJksSecretKey`) and `https-jks-password` (or override the key name using `jenkinsHttpsJksPasswordSecretKey`; additionally you can make it get the password from a different secret using `jenkinsHttpsJksPasswordSecretName`). Example: 
@@ -1012,116 +703,4 @@ Upgrade an existing release from `stable/jenkins` to `jenkins/jenkins` seamlessl Chart release versions follow [SemVer](../../CONTRIBUTING.md#versioning), where a MAJOR version change (example `1.0.0` -> `2.0.0`) indicates an incompatible breaking change needing manual actions. -### To 3.0.0 - -* Check `securityRealm` and `authorizationStrategy` and adjust it. - Otherwise, your configured users and permissions will be overridden. -* You need to use helm version 3 as the `Chart.yaml` uses `apiVersion: v2`. -* All XML configuration options have been removed. - In case those are still in use you need to migrate to configuration as code. - Upgrade guide to 2.0.0 contains pointers how to do that. -* Jenkins is now using a `StatefulSet` instead of a `Deployment` -* terminology has been adjusted that's also reflected in values.yaml - The following values from `values.yaml` have been renamed: - - * `master` => `controller` - * `master.useSecurity` => `controller.adminSecret` - * `master.slaveListenerPort` => `controller.agentListenerPort` - * `master.slaveHostPort` => `controller.agentListenerHostPort` - * `master.slaveKubernetesNamespace` => `agent.namespace` - * `master.slaveDefaultsProviderTemplate` => `agent.defaultsProviderTemplate` - * `master.slaveJenkinsUrl` => `agent.jenkinsUrl` - * `master.slaveJenkinsTunnel` => `agent.jenkinsTunnel` - * `master.slaveConnectTimeout` => `agent.kubernetesConnectTimeout` - * `master.slaveReadTimeout` => `agent.kubernetesReadTimeout` - * `master.slaveListenerServiceAnnotations` => `controller.agentListenerServiceAnnotations` - * `master.slaveListenerServiceType` => `controller.agentListenerServiceType` - * `master.slaveListenerLoadBalancerIP` => `controller.agentListenerLoadBalancerIP` - * `agent.slaveConnectTimeout` => `agent.connectTimeout` -* Removed values: - - * `master.imageTag`: use `controller.image` and `controller.tag` instead - * `slave.imageTag`: use `agent.image` and `agent.tag` instead - -### To 
2.0.0 - -Configuration as Code is now default + container does not run as root anymore. - -#### Configuration as Code new default - -Configuration is done via [Jenkins Configuration as Code Plugin](https://github.com/jenkinsci/configuration-as-code-plugin) by default. -That means that changes in values which result in a configuration change are always applied. -In contrast, the XML configuration was only applied during the first start and never altered. - -:exclamation::exclamation::exclamation: -Attention: -This also means if you manually altered configuration then this will most likely be reset to what was configured by default. -It also applies to `securityRealm` and `authorizationStrategy` as they are also configured using configuration as code. -:exclamation::exclamation::exclamation: - -#### Image does not run as root anymore - -It's not recommended to run containers in Kubernetes as `root`. - -❗Attention: If you had not configured a different user before then you need to ensure that your image supports the user and group ID configured and also manually change permissions of all files so that Jenkins is still able to use them. - -#### Summary of updated values - -As version 2.0.0 only updates default values and nothing else it's still possible to migrate to this version and opt out of some or all new defaults. -All you have to do is ensure the old values are set in your installation. - -Here we show which values have changed and the previous default values: - -```yaml -controller: - runAsUser: 1000 # was unset before - fsGroup: 1000 # was unset before - JCasC: - enabled: true # was false - defaultConfig: true # was false - sidecars: - configAutoReload: - enabled: true # was false -``` - -#### Migration steps - -Migration instructions heavily depend on your current setup. -So think of the list below more as a general guideline of what should be done. - -- Ensure that the Jenkins image you are using contains a user with ID 1000 and a group with the same ID. 
- That's the case for `jenkins/jenkins:lts` image, which the chart uses by default -- Make a backup of your existing installation especially the persistent volume -- Ensure that you have the configuration as code plugin installed -- Export your current settings via the plugin: - `Manage Jenkins` -> `Configuration as Code` -> `Download Configuration` -- prepare your values file for the update e.g. add additional configuration as code setting that you need. - The export taken from above might be a good starting point for this. - In addition, the [demos](https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos) from the plugin itself are quite useful. -- Test drive those setting on a separate installation -- Put Jenkins to Quiet Down mode so that it does not accept new jobs - `/quietDown` -- Change permissions of all files and folders to the new user and group id: - - ```console - kubectl exec -it -c jenkins /bin/bash - chown -R 1000:1000 /var/jenkins_home - ``` - -- Update Jenkins - -### To 1.0.0 - -Breaking changes: - -- Values have been renamed to follow [helm recommended naming conventions](https://helm.sh/docs/chart_best_practices/#naming-conventions) so that all variables start with a lowercase letter and words are separated with camelcase -- All resources are now using [helm recommended standard labels](https://helm.sh/docs/chart_best_practices/#standard-labels) - -As a result of the label changes also the selectors of the deployment have been updated. 
-Those are immutable so trying an updated will cause an error like: - -```console -Error: Deployment.apps "jenkins" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"jenkins-controller", "app.kubernetes.io/instance":"jenkins"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable -``` - -In order to upgrade, [uninstall](#uninstall-chart) the Jenkins Deployment before upgrading: +See [UPGRADING.md](./UPGRADING.md) for a list of breaking changes diff --git a/charts/jenkins/jenkins/UPGRADING.md b/charts/jenkins/jenkins/UPGRADING.md new file mode 100644 index 000000000..41e424dbd --- /dev/null +++ b/charts/jenkins/jenkins/UPGRADING.md 
@@ -0,0 +1,148 @@ +# Upgrade Notes + +## To 5.0.0 +- `controller.image`, `controller.tag`, and `controller.tagLabel` have been removed. If you want to overwrite the image you now need to configure any or all of: + - `controller.image.registry` + - `controller.image.repository` + - `controller.image.tag` + - `controller.image.tagLabel` +- `controller.imagePullPolicy` has been removed. If you want to overwrite the pull policy you now need to configure `controller.image.pullPolicy`. +- `controller.sidecars.configAutoReload.image` has been removed. If you want to overwrite the configAutoReload image you now need to configure any or all of: + - `controller.sidecars.configAutoReload.image.registry` + - `controller.sidecars.configAutoReload.image.repository` + - `controller.sidecars.configAutoReload.image.tag` +- `controller.sidecars.other` has been renamed to `controller.sidecars.additionalSidecarContainers`. +- `agent.image` and `agent.tag` have been removed. If you want to overwrite the agent image you now need to configure any or all of: + - `agent.image.repository` + - `agent.image.tag` + - The registry can still be overwritten by `agent.jnlpregistry` +- `agent.additionalContainers[*].image` has been renamed to `agent.additionalContainers[*].image.repository` +- `agent.additionalContainers[*].tag` has been renamed to `agent.additionalContainers[*].image.tag` +- `additionalAgents.*.image` has been renamed to `additionalAgents.*.image.repository` +- `additionalAgents.*.tag` has been renamed to `additionalAgents.*.image.tag` +- `additionalClouds.*.additionalAgents.*.image` has been renamed to `additionalClouds.*.additionalAgents.*.image.repository` +- `additionalClouds.*.additionalAgents.*.tag` has been renamed to `additionalClouds.*.additionalAgents.*.image.tag` +- `helmtest.bats.image` has been split up to: + - `helmtest.bats.image.registry` + - `helmtest.bats.image.repository` + - `helmtest.bats.image.tag` +- `controller.adminUsername` and `controller.adminPassword` 
have been renamed to `controller.admin.username` and `controller.admin.password` respectively +- `controller.adminSecret` has been renamed to `controller.admin.createSecret` +- `backup.*` was unmaintained and has thus been removed. See the following page for alternatives: [Kubernetes Backup and Migrations](https://nubenetes.com/kubernetes-backup-migrations/). + +## To 4.0.0 +Removes automatic `remotingSecurity` setting when using a container tag older than `2.326` (introduced in [`3.11.7`](./CHANGELOG.md#3117)). If you're using a version older than `2.326`, you should explicitly set `.controller.legacyRemotingSecurityEnabled` to `true`. + +## To 3.0.0 + +* Check `securityRealm` and `authorizationStrategy` and adjust it. + Otherwise, your configured users and permissions will be overridden. +* You need to use helm version 3 as the `Chart.yaml` uses `apiVersion: v2`. +* All XML configuration options have been removed. + In case those are still in use you need to migrate to configuration as code. + Upgrade guide to 2.0.0 contains pointers how to do that. 
+* Jenkins is now using a `StatefulSet` instead of a `Deployment` +* terminology has been adjusted that's also reflected in values.yaml + The following values from `values.yaml` have been renamed: + + * `master` => `controller` + * `master.useSecurity` => `controller.adminSecret` + * `master.slaveListenerPort` => `controller.agentListenerPort` + * `master.slaveHostPort` => `controller.agentListenerHostPort` + * `master.slaveKubernetesNamespace` => `agent.namespace` + * `master.slaveDefaultsProviderTemplate` => `agent.defaultsProviderTemplate` + * `master.slaveJenkinsUrl` => `agent.jenkinsUrl` + * `master.slaveJenkinsTunnel` => `agent.jenkinsTunnel` + * `master.slaveConnectTimeout` => `agent.kubernetesConnectTimeout` + * `master.slaveReadTimeout` => `agent.kubernetesReadTimeout` + * `master.slaveListenerServiceAnnotations` => `controller.agentListenerServiceAnnotations` + * `master.slaveListenerServiceType` => `controller.agentListenerServiceType` + * `master.slaveListenerLoadBalancerIP` => `controller.agentListenerLoadBalancerIP` + * `agent.slaveConnectTimeout` => `agent.connectTimeout` +* Removed values: + + * `master.imageTag`: use `controller.image` and `controller.tag` instead + * `slave.imageTag`: use `agent.image` and `agent.tag` instead + +## To 2.0.0 + +Configuration as Code is now default + container does not run as root anymore. + +### Configuration as Code new default + +Configuration is done via [Jenkins Configuration as Code Plugin](https://github.com/jenkinsci/configuration-as-code-plugin) by default. +That means that changes in values which result in a configuration change are always applied. +In contrast, the XML configuration was only applied during the first start and never altered. + +:exclamation::exclamation::exclamation: +Attention: +This also means if you manually altered configuration then this will most likely be reset to what was configured by default. 
+It also applies to `securityRealm` and `authorizationStrategy` as they are also configured using configuration as code. +:exclamation::exclamation::exclamation: + +### Image does not run as root anymore + +It's not recommended to run containers in Kubernetes as `root`. + +❗Attention: If you had not configured a different user before then you need to ensure that your image supports the user and group ID configured and also manually change permissions of all files so that Jenkins is still able to use them. + +### Summary of updated values + +As version 2.0.0 only updates default values and nothing else it's still possible to migrate to this version and opt out of some or all new defaults. +All you have to do is ensure the old values are set in your installation. + +Here we show which values have changed and the previous default values: + +```yaml +controller: + runAsUser: 1000 # was unset before + fsGroup: 1000 # was unset before + JCasC: + enabled: true # was false + defaultConfig: true # was false + sidecars: + configAutoReload: + enabled: true # was false +``` + +### Migration steps + +Migration instructions heavily depend on your current setup. +So think of the list below more as a general guideline of what should be done. + +- Ensure that the Jenkins image you are using contains a user with ID 1000 and a group with the same ID. + That's the case for `jenkins/jenkins:lts` image, which the chart uses by default +- Make a backup of your existing installation especially the persistent volume +- Ensure that you have the configuration as code plugin installed +- Export your current settings via the plugin: + `Manage Jenkins` -> `Configuration as Code` -> `Download Configuration` +- prepare your values file for the update e.g. add additional configuration as code setting that you need. + The export taken from above might be a good starting point for this. 
+ In addition, the [demos](https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos) from the plugin itself are quite useful. +- Test drive those setting on a separate installation +- Put Jenkins to Quiet Down mode so that it does not accept new jobs + `/quietDown` +- Change permissions of all files and folders to the new user and group id: + + ```console + kubectl exec -it -c jenkins /bin/bash + chown -R 1000:1000 /var/jenkins_home + ``` + +- Update Jenkins + +## To 1.0.0 + +Breaking changes: + +- Values have been renamed to follow [helm recommended naming conventions](https://helm.sh/docs/chart_best_practices/#naming-conventions) so that all variables start with a lowercase letter and words are separated with camelcase +- All resources are now using [helm recommended standard labels](https://helm.sh/docs/chart_best_practices/#standard-labels) + +As a result of the label changes also the selectors of the deployment have been updated. +Those are immutable so trying an updated will cause an error like: + +```console +Error: Deployment.apps "jenkins" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"jenkins-controller", "app.kubernetes.io/instance":"jenkins"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable +``` + +In order to upgrade, [uninstall](./README.md#uninstall-chart) the Jenkins Deployment before upgrading: diff --git a/charts/jenkins/jenkins/VALUES_SUMMARY.md b/charts/jenkins/jenkins/VALUES_SUMMARY.md index 11671ee2f..f18f29dfe 100644 --- a/charts/jenkins/jenkins/VALUES_SUMMARY.md +++ b/charts/jenkins/jenkins/VALUES_SUMMARY.md 
@@ -31,7 +31,11 @@ The following tables list the configurable parameters of the Jenkins chart and t
 | `controller.JCasC.authorizationStrategy` | Jenkins Config as Code for Authorization Strategy | `loggedInUsersCanDoAnything` |
 | `controller.sidecars.configAutoReload` | Jenkins Config as Code auto-reload settings | |
 | `controller.sidecars.configAutoReload.enabled` | Jenkins Config as Code auto-reload settings (Attention: rbac needs to be enabled otherwise the sidecar can't read the config map) | `true` |
-| `controller.sidecars.configAutoReload.image` | Image which triggers the reload | `kiwigrid/k8s-sidecar:1.24.4` |
+| `controller.sidecars.configAutoReload.image.registry` | Registry for the image which triggers the reload | `docker.io` |
+| `controller.sidecars.configAutoReload.image.repository` | Image which triggers the reload | `kiwigrid/k8s-sidecar` |
+| `controller.sidecars.configAutoReload.image.tag` | Tag for the image which triggers the reload | `1.24.4` |
+| `controller.sidecars.configAutoReload.scheme` | The HTTP scheme to use when connecting to the Jenkins configuration as code endpoint | `http` |
+| `controller.sidecars.configAutoReload.skipTlsVerify` | Skip TLS verification when connecting to the Jenkins configuration as code endpoint | `false` |
 | `controller.sidecars.configAutoReload.reqRetryConnect` | How many connection-related errors to retry on | `10` |
 | `controller.sidecars.configAutoReload.sleepTime` | How many seconds to wait before updating config-maps/secrets (sets METHOD=SLEEP on the sidecar) | Not set |
 | `controller.sidecars.configAutoReload.envFrom` | Environment variable sources for the Jenkins Config as Code auto-reload container | Not set |
@@ -109,10 +113,11 @@ The following tables list the configurable parameters of the Jenkins chart and t
 
 | Parameter | Description | Default |
 |--------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------|
-| `controller.image` | Controller image name | `jenkins/jenkins` |
-| `controller.tagLabel` | Controller image tag label | `jdk17` |
-| `controller.tag` | Controller image tag override | Not set |
-| `controller.imagePullPolicy` | Controller image pull policy | `Always` |
+| `controller.image.registry` | Controller image registry | `docker.io` |
+| `controller.image.repository` | Controller image name | `jenkins/jenkins` |
+| `controller.image.tagLabel` | Controller image tag label | `jdk17` |
+| `controller.image.tag` | Controller image tag override | Not set |
+| `controller.image.pullPolicy` | Controller image pull policy | `Always` |
 | `controller.imagePullSecretName` | Controller image pull secret | Not set |
 | `controller.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 50m, memory: 256Mi}, limits: {cpu: 2000m, memory: 4096Mi}}` |
 | `controller.initContainerResources` | Resources allocation (Requests and Limits) for Init Container | Not set |
@@ -155,7 +160,7 @@ The following tables list the configurable parameters of the Jenkins chart and t | `controller.admin.userKey` | The key in the existing admin secret containing the username. | `jenkins-admin-user` | | `controller.admin.passwordKey` | The key in the existing admin secret containing the password. | `jenkins-admin-password` | | `controller.customInitContainers` | Custom init-container specification in raw-yaml format | Not set | -| `controller.sidecars.other` | Configures additional sidecar container(s) for Jenkins controller | `[]` | +| `controller.sidecars.additionalSidecarContainers`| Configures additional sidecar container(s) for Jenkins controller | `[]` | #### Kubernetes Pod Disruption Budget 
@@ -255,9 +260,9 @@ The following tables list the configurable parameters of the Jenkins chart and t | Parameter | Description | Default | |----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------| -| `controller.adminUser` | Admin username (and password) created as a secret if adminSecret is true | `admin` | -| `controller.adminPassword` | Admin password (and user) created as a secret if adminSecret is true | Random value | -| `controller.existingSecret` | The name of an existing secret containing keys credentials. | `""` | +| `controller.admin.username` | Admin username (and password) created as a secret if `controller.admin.createSecret` is true | `admin` | +| `controller.admin.password` | Admin password (and user) created as a secret if `controller.admin.createSecret` is true | Random value | +| `controller.admin.existingSecret` | The name of an existing secret containing keys credentials. | `""` | | `controller.additionalSecrets` | List of additional secrets to create and mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | | `controller.additionalExistingSecrets` | List of additional existing secrets to mount according to [JCasC docs](https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/docs/features/secrets.adoc#kubernetes-secrets) | `[]` | | `controller.secretClaims` | List of `SecretClaim` resources to create | `[]` | 
@@ -341,20 +346,21 @@ The following tables list the configurable parameters of the Jenkins chart and t #### Side Container Configuration -| Parameter | Description | Default | -|---------------------------|------------------------------------------------|------------------------------------------------------------------------------| -| `agent.sideContainerName` | Side container name in agent | jnlp | -| `agent.image` | Agent image name | `jenkins/inbound-agent` | -| `agent.tag` | Agent image tag | `3192.v713e3b_039fb_e-5` | -| `agent.alwaysPullImage` | Always pull agent container image before build | `false` | -| `agent.privileged` | Agent privileged container | `false` | -| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 512Mi}}` | -| `agent.runAsUser` | Configure container user | Not set | -| `agent.runAsGroup` | Configure container group | Not set | -| `agent.command` | Executed command when side container starts | Not set | -| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` | -| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false | -| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` | +| Parameter | Description | Default | +|---------------------------| ----------------------------------------------- |--------------------------------------------------------------------------------| +| `agent.sideContainerName` | Side container name in agent | jnlp | +| `agent.image.repository` | Agent image name | `jenkins/inbound-agent` | +| `agent.image.tag` | Agent image tag | `3192.v713e3b_039fb_e-5` | +| `agent.alwaysPullImage` | Always pull agent container image before build | `false` | +| `agent.privileged` | Agent privileged container | `false` | +| `agent.resources` | Resources allocation (Requests and Limits) | `{requests: {cpu: 512m, memory: 512Mi}, limits: {cpu: 512m, memory: 
512Mi}}` | +| `agent.runAsUser` | Configure container user | Not set | +| `agent.runAsGroup` | Configure container group | Not set | +| `agent.command` | Executed command when side container starts | Not set | +| `agent.args` | Arguments passed to executed command | `${computer.jnlpmac} ${computer.name}` | +| `agent.TTYEnabled` | Allocate pseudo tty to the side container | false | +| `agent.workingDir` | Configure working directory for default agent | `/home/jenkins/agent` | + #### Other 
@@ -380,42 +386,10 @@ The following tables list the configurable parameters of the Jenkins chart and t | `persistence.volumes` | Additional volumes | `nil` | | `persistence.mounts` | Additional mounts | `nil` | -### Backup - -| Parameter | Description | Default | -|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|----------------------------| -| `backup.enabled` | Enable the use of a backup CronJob | `false` | -| `backup.schedule` | Schedule to run jobs | `0 2 * * *` | -| `backup.labels` | Backup pod labels | `{}` | -| `backup.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | -| `backup.serviceAccount.name` | name of the backup ServiceAccount | autogenerated | -| `backup.serviceAccount.annotations` | Backup pod annotations | `{}` | -| `backup.image.repo` | Backup image repository | `maorfr/kube-tasks` | -| `backup.image.tag` | Backup image tag | `0.2.0` | -| `backup.image.imagePullSecretName` | Backup image pull secret | Not set | -| `backup.extraArgs` | Additional arguments for kube-tasks | `[]` | -| `backup.existingSecret` | Environment variables to add to the cronjob container | `{}` | -| `backup.existingSecret.*` | Specify the secret name containing the AWS or GCP credentials | `jenkinsaws` | -| `backup.existingSecret.*.awsaccesskey` | `secretKeyRef.key` used for `AWS_ACCESS_KEY_ID` | `jenkins_aws_access_key` | -| `backup.existingSecret.*.awssecretkey` | `secretKeyRef.key` used for `AWS_SECRET_ACCESS_KEY` | `jenkins_aws_secret_key` | -| `backup.existingSecret.*.azstorageaccount` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCOUNT` | `""` | -| `backup.existingSecret.*.azstoragekey` | `secretKeyRef.key` used for `AZURE_STORAGE_ACCESS_KEY` | `""` | -| `backup.existingSecret.*.gcpcredentials` | Mounts secret as volume and sets `GOOGLE_APPLICATION_CREDENTIALS` | `credentials.json` | -| 
`backup.env` | Backup environment variables | `[]` | -| `backup.resources` | Backup CPU/Memory resource requests/limits | Memory: `1Gi`, CPU: `1` | -| `backup.destination` | Destination to store backup artifacts | `s3://jenkins-data/backup` | -| `backup.onlyJobs` | Only backup the job folder | `false` | -| `backup.usePodSecurityContext` | Enable backup pod's security context (must be `true` if `runAsUser`, `fsGroup`, or `podSecurityContextOverride` are set) | `true` | -| `backup.runAsUser` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that jenkins runs with. | `1000` | -| `backup.fsGroup` | Deprecated in favor of `backup.podSecurityContextOverride`. uid that will be used for persistent volume. | `1000` | -| `backup.podSecurityContextOverride` | Completely overwrites the contents of the backup pod's security context, ignoring the values provided for `runAsUser`, and `fsGroup`. | Not set | -| `cronJob.apiVersion` | CronJob API version | 'batch/v1' | -| `awsSecurityGroupPolicies.enabled` | Enable the creation of SecurityGroupPolicy resources | `false` | -| `awsSecurityGroupPolicies.policies` | Security Group Policy definitions. `awsSecurityGroupPolicies.enabled` must be `true` | Not set | - ### Helm Tests -| Parameter | Description | Default | -|-----------------------|-----------------------------------|-------------| -| `helmtest.bats.image` | Image used to test the framework | `bats/bats` | -| `helmtest.bats.tag` | Test framework image tag override | `1.2.1` | +| Parameter | Description | Default | +|----------------------------------|-------------------------------------|-------------| +| `helmtest.bats.image.registry` | Registry used to test the framework | `docker.io` | +| `helmtest.bats.image.repository` | Image used to test the framework | `bats/bats` | +| `helmtest.bats.image.tag` | Test framework image tag override | `1.2.1` | 
diff --git a/charts/jenkins/jenkins/templates/NOTES.txt b/charts/jenkins/jenkins/templates/NOTES.txt index 0d2df0b93..953dd2606 100644 --- a/charts/jenkins/jenkins/templates/NOTES.txt +++ b/charts/jenkins/jenkins/templates/NOTES.txt @@ -1,6 +1,6 @@ {{- $prefix := .Values.controller.jenkinsUriPrefix | default "" -}} {{- $url := "" -}} -1. Get your '{{ .Values.controller.adminUser }}' user password by running: +1. Get your '{{ .Values.controller.admin.username }}' user password by running: kubectl exec --namespace {{ template "jenkins.namespace" . }} -it svc/{{ template "jenkins.fullname" . }} -c jenkins -- /bin/cat /run/secrets/additional/chart-admin-password && echo {{- if .Values.controller.ingress.hostName -}} {{- if .Values.controller.ingress.tls -}} @@ -43,7 +43,7 @@ {{- end }} {{- end }} -3. Login with the password from step 1 and the username: {{ .Values.controller.adminUser }} +3. Login with the password from step 1 and the username: {{ .Values.controller.admin.username }} 4. Configure security realm and authorization strategy 5. Use Jenkins Configuration as Code by specifying configScripts in your values.yaml file, see documentation: {{ $url }}/configuration-as-code and examples: https://github.com/jenkinsci/configuration-as-code-plugin/tree/master/demos @@ -53,7 +53,7 @@ https://cloud.google.com/solutions/jenkins-on-container-engine For more information about Jenkins Configuration as Code, visit: https://jenkins.io/projects/jcasc/ -{{ if (eq .Values.controller.image "jenkins/jenkins") }} +{{ if and (eq .Values.controller.image.repository "jenkins/jenkins") (eq .Values.controller.image.registry "docker.io") }} NOTE: Consider using a custom image with pre-installed plugins {{- else if .Values.controller.installPlugins }} NOTE: Consider disabling `installPlugins` if your image already contains plugins. diff --git a/charts/jenkins/jenkins/templates/_helpers.tpl b/charts/jenkins/jenkins/templates/_helpers.tpl index 1b416c805..ef7f1ef82 100644 
--- a/charts/jenkins/jenkins/templates/_helpers.tpl +++ b/charts/jenkins/jenkins/templates/_helpers.tpl @@ -61,8 +61,8 @@ Returns the admin password https://github.com/helm/charts/issues/5167#issuecomment-619137759 */}} {{- define "jenkins.password" -}} - {{ if .Values.controller.adminPassword -}} - {{- .Values.controller.adminPassword | b64enc | quote }} + {{- if .Values.controller.admin.password -}} + {{- .Values.controller.admin.password | b64enc | quote }} {{- else -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "jenkins.fullname" .)).data -}} {{- if $secret -}} @@ -180,10 +180,10 @@ jenkins: value: {{ $val | quote }} {{- end }} templates: - {{- if not .Values.agent.disableDefaultAgent }} + {{- if not .Values.agent.disableDefaultAgent }} {{- include "jenkins.casc.podTemplate" . | nindent 8 }} - {{- end }} - {{- if .Values.additionalAgents }} + {{- end }} + {{- if .Values.additionalAgents }} {{- /* save .Values.agent */}} {{- $agent := .Values.agent }} {{- range $name, $additionalAgent := .Values.additionalAgents }} @@ -200,11 +200,11 @@ jenkins: {{- end }} {{- /* restore .Values.agent */}} {{- $_ := set .Values "agent" $agent }} - {{- end }} + {{- end }} {{- if .Values.agent.podTemplates }} - {{- range $key, $val := .Values.agent.podTemplates }} - {{- tpl $val $ | nindent 8 }} - {{- end }} + {{- range $key, $val := .Values.agent.podTemplates }} + {{- tpl $val $ | nindent 8 }} + {{- end }} {{- end }} {{- end }} {{- if .Values.additionalClouds }} @@ -284,8 +284,8 @@ jenkins: {{- /* restore .Values.agent */}} {{- $_ := set .Values "agent" $agent }} {{- end }} - {{- if .Values.agent.podTemplates }} - {{- range $key, $val := .Values.agent.podTemplates }} + {{- with .Values.agent.podTemplates }} + {{- range $key, $val := . }} {{- tpl $val $ | nindent 8 }} {{- end }} {{- end }} 
@@ -301,16 +301,18 @@ jenkins: excludeClientIPFromCrumb: {{ if .Values.controller.csrf.defaultCrumbIssuer.proxyCompatability }}true{{ else }}false{{- end }} {{- end }} {{- include "jenkins.casc.security" . }} -{{- if .Values.controller.scriptApproval }} +{{- with .Values.controller.scriptApproval }} scriptApproval: approvedSignatures: -{{- range $key, $val := .Values.controller.scriptApproval }} + {{- range $key, $val := . }} - "{{ $val }}" -{{- end }} + {{- end }} {{- end }} unclassified: location: - adminAddress: {{ default "" .Values.controller.jenkinsAdminEmail }} + {{- with .Values.controller.jenkinsAdminEmail }} + adminAddress: {{ . }} + {{- end }} url: {{ template "jenkins.url" . }} {{- end -}} @@ -342,7 +344,9 @@ Returns kubernetes pod template configuration as code - name: "{{ .Values.agent.sideContainerName }}" alwaysPullImage: {{ .Values.agent.alwaysPullImage }} args: "{{ .Values.agent.args | replace "$" "^$" }}" - command: {{ .Values.agent.command }} + {{- with .Values.agent.command }} + command: {{ . }} + {{- end }} envVars: - envVar: {{- if .Values.agent.directConnection }} @@ -360,7 +364,7 @@ Returns kubernetes pod template configuration as code value: "http://{{ template "jenkins.fullname" . }}.{{ template "jenkins.namespace" . }}.svc.{{.Values.clusterZone}}:{{.Values.controller.servicePort}}{{ default "/" .Values.controller.jenkinsUriPrefix }}" {{- end }} {{- end }} - image: "{{ .Values.agent.image }}:{{ .Values.agent.tag }}" + image: "{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag }}" {{- if .Values.agent.livenessProbe }} livenessProbe: execArgs: {{.Values.agent.livenessProbe.execArgs | quote}} 
@@ -373,23 +377,29 @@ Returns kubernetes pod template configuration as code
 privileged: "{{- if .Values.agent.privileged }}true{{- else }}false{{- end }}"
 resourceLimitCpu: {{.Values.agent.resources.limits.cpu}}
 resourceLimitMemory: {{.Values.agent.resources.limits.memory}}
- {{- if .Values.agent.resources.limits.ephemeralStorage }}
- resourceLimitEphemeralStorage: {{.Values.agent.resources.limits.ephemeralStorage}}
+ {{- with .Values.agent.resources.limits.ephemeralStorage }}
+ resourceLimitEphemeralStorage: {{.}}
 {{- end }}
 resourceRequestCpu: {{.Values.agent.resources.requests.cpu}}
 resourceRequestMemory: {{.Values.agent.resources.requests.memory}}
- {{- if .Values.agent.resources.requests.ephemeralStorage }}
- resourceRequestEphemeralStorage: {{.Values.agent.resources.requests.ephemeralStorage}}
+ {{- with .Values.agent.resources.requests.ephemeralStorage }}
+ resourceRequestEphemeralStorage: {{.}}
+ {{- end }}
+ {{- with .Values.agent.runAsUser }}
+ runAsUser: {{ . }}
+ {{- end }}
+ {{- with .Values.agent.runAsGroup }}
+ runAsGroup: {{ . }}
 {{- end }}
- runAsUser: {{ .Values.agent.runAsUser }}
- runAsGroup: {{ .Values.agent.runAsGroup }}
 ttyEnabled: {{ .Values.agent.TTYEnabled }}
 workingDir: {{ .Values.agent.workingDir }}
 {{- range $additionalContainers := .Values.agent.additionalContainers }}
 - name: "{{ $additionalContainers.sideContainerName }}"
 alwaysPullImage: {{ $additionalContainers.alwaysPullImage | default $.Values.agent.alwaysPullImage }}
 args: "{{ $additionalContainers.args | replace "$" "^$" }}"
- command: {{ $additionalContainers.command }}
+ {{- with $additionalContainers.command }}
+ command: {{ . }}
+ {{- end }}
 envVars:
 - envVar:
 key: "JENKINS_URL"
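Review bot: `with .Values.agent.runAsUser` treats `0` as empty, so an explicit `runAsUser: 0` (and likewise `runAsGroup: 0`) is now silently dropped from the rendered pod template instead of being emitted; the `or $additionalContainers.runAsUser $.Values.agent.runAsUser` guards in the `@@ -413` hunk have the same gap. If unset and zero are both meant to fall back to the image's default user, say so in the template, e.g. `{{- /* runAsUser/runAsGroup are omitted when unset or 0; the agent then runs as the image's default user */}}`; otherwise test for nil rather than truthiness, e.g. `{{- if not (kindIs "invalid" .Values.agent.runAsUser) }}`. The enclosing `jenkins.casc.podTemplate` definition starts before this hunk.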
@@ -398,7 +408,7 @@ Returns kubernetes pod template configuration as code
 {{- else }}
 value: "http://{{ template "jenkins.fullname" $ }}.{{ template "jenkins.namespace" $ }}.svc.{{ $.Values.clusterZone }}:{{ $.Values.controller.servicePort }}{{ default "/" $.Values.controller.jenkinsUriPrefix }}"
 {{- end }}
- image: "{{ $additionalContainers.image }}:{{ $additionalContainers.tag }}"
+ image: "{{ $additionalContainers.image.repository }}:{{ $additionalContainers.image.tag }}"
 {{- if $additionalContainers.livenessProbe }}
 livenessProbe:
 execArgs: {{$additionalContainers.livenessProbe.execArgs | quote}}
@@ -413,8 +423,12 @@ Returns kubernetes pod template configuration as code
 resourceLimitMemory: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.limits.memory }}{{ else }}{{ $.Values.agent.resources.limits.memory }}{{ end }}
 resourceRequestCpu: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.requests.cpu }}{{ else }}{{ $.Values.agent.resources.requests.cpu }}{{ end }}
 resourceRequestMemory: {{ if $additionalContainers.resources }}{{ $additionalContainers.resources.requests.memory }}{{ else }}{{ $.Values.agent.resources.requests.memory }}{{ end }}
+ {{- if or $additionalContainers.runAsUser $.Values.agent.runAsUser }}
 runAsUser: {{ $additionalContainers.runAsUser | default $.Values.agent.runAsUser }}
+ {{- end }}
+ {{- if or $additionalContainers.runAsGroup $.Values.agent.runAsGroup }}
 runAsGroup: {{ $additionalContainers.runAsGroup | default $.Values.agent.runAsGroup }}
+ {{- end }}
 ttyEnabled: {{ $additionalContainers.TTYEnabled | default $.Values.agent.TTYEnabled }}
 workingDir: {{ $additionalContainers.workingDir | default $.Values.agent.workingDir }}
 {{- end }}
@@ -509,7 +523,7 @@ Returns kubernetes pod template configuration as code {{- define "jenkins.kubernetes-version" -}} {{- if .Values.controller.installPlugins -}} {{- range .Values.controller.installPlugins -}} - {{ if hasPrefix "kubernetes:" . }} + {{- if hasPrefix "kubernetes:" . }} {{- $split := splitList ":" . }} {{- printf "%s" (index $split 1 ) -}} {{- end -}} @@ -548,25 +562,14 @@ Create the name of the service account for Jenkins agents to use {{- end -}} {{- end -}} -{{/* -Create the name of the service account for Jenkins backup to use -*/}} -{{- define "backup.serviceAccountBackupName" -}} -{{- if .Values.backup.serviceAccount.create -}} - {{ default (printf "%s-%s" (include "jenkins.fullname" .) "backup") .Values.backup.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.backup.serviceAccount.name }} -{{- end -}} -{{- end -}} - {{/* Create a full tag name for controller image */}} -{{- define "controller.tag" -}} -{{- if .Values.controller.tagLabel -}} - {{- default (printf "%s-%s" .Chart.AppVersion .Values.controller.tagLabel) .Values.controller.tag -}} +{{- define "controller.image.tag" -}} +{{- if .Values.controller.image.tagLabel -}} + {{- default (printf "%s-%s" .Chart.AppVersion .Values.controller.image.tagLabel) .Values.controller.image.tag -}} {{- else -}} - {{- default .Chart.AppVersion .Values.controller.tag -}} + {{- default .Chart.AppVersion .Values.controller.image.tag -}} {{- end -}} {{- end -}} 
@@ -586,7 +589,7 @@ Create the HTTP port for interacting with the controller {{- $containerName := index . 1 -}} {{- $containerType := index . 2 -}} - name: {{ $containerName }} - image: "{{ $root.Values.controller.sidecars.configAutoReload.image }}" + image: "{{ $root.Values.controller.sidecars.configAutoReload.image.registry }}/{{ $root.Values.controller.sidecars.configAutoReload.image.repository }}:{{ $root.Values.controller.sidecars.configAutoReload.image.tag }}" imagePullPolicy: {{ $root.Values.controller.sidecars.configAutoReload.imagePullPolicy }} {{- if $root.Values.controller.sidecars.configAutoReload.containerSecurityContext }} securityContext: {{- toYaml $root.Values.controller.sidecars.configAutoReload.containerSecurityContext | nindent 4 }} @@ -617,11 +620,15 @@ Create the HTTP port for interacting with the controller {{- end }} {{- if eq $containerType "sidecar" }} - name: REQ_URL - value: "http://localhost:{{- include "controller.httpPort" $root -}}{{- $root.Values.controller.jenkinsUriPrefix -}}/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)" + value: "{{- default "http" $root.Values.controller.sidecars.configAutoReload.scheme }}://localhost:{{- include "controller.httpPort" $root -}}{{- $root.Values.controller.jenkinsUriPrefix -}}/reload-configuration-as-code/?casc-reload-token=$(POD_NAME)" - name: REQ_METHOD value: "POST" - name: REQ_RETRY_CONNECT value: "{{ $root.Values.controller.sidecars.configAutoReload.reqRetryConnect }}" + {{- if $root.Values.controller.sidecars.configAutoReload.skipTlsVerify }} + - name: REQ_SKIP_TLS_VERIFY + value: "true" + {{- end }} {{- end }} {{- if $root.Values.controller.sidecars.configAutoReload.env }} diff --git a/charts/jenkins/jenkins/templates/deprecation.yaml b/charts/jenkins/jenkins/templates/deprecation.yaml index 43a798de9..f54017ce4 100644 --- a/charts/jenkins/jenkins/templates/deprecation.yaml +++ b/charts/jenkins/jenkins/templates/deprecation.yaml 
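Review bot: The sidecar image is now assembled as `registry/repository:tag`, so an empty `controller.sidecars.configAutoReload.image.registry` renders a leading `/` and an unpullable reference; the controller image lines in the `@@ -118` and `@@ -170` hunks of jenkins-controller-statefulset.yaml assemble the reference the same way. Emitting the registry only when set avoids that, e.g. `image: "{{- with $root.Values.controller.sidecars.configAutoReload.image.registry }}{{ . }}/{{ end }}{{ $root.Values.controller.sidecars.configAutoReload.image.repository }}:{{ $root.Values.controller.sidecars.configAutoReload.image.tag }}"`. As far as the README rows show, the new image maps carry no digest field, so none of these images can be pinned by digest; if that is intended the README rows should say so. The enclosing definition starts before this hunk.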
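Review bot: `configAutoReload.scheme` is interpolated into `REQ_URL` without validation, so any value other than `http` or `https` yields a malformed reload URL that only fails at runtime inside the sidecar; a template-time check such as `{{- $scheme := default "http" $root.Values.controller.sidecars.configAutoReload.scheme }}` followed by `{{- if not (has $scheme (list "http" "https")) }}{{ fail "controller.sidecars.configAutoReload.scheme must be http or https" }}{{- end }}` would catch it at install time. The new `REQ_SKIP_TLS_VERIFY` block disables certificate verification for the loopback request that carries the `casc-reload-token`; the README row added for `skipTlsVerify` in the `@@ -31` README hunk should say it only has an effect when `scheme` is `https` and is intended for controllers serving a self-signed certificate. The enclosing definition starts before this hunk.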
@@ -4,7 +4,7 @@ {{- end }} {{- if .Values.controller.imageTag }} - {{ fail "`controller.imageTag` does no longer exist. Please use `controller.tag` instead" }} + {{ fail "`controller.imageTag` does no longer exist. Please use `controller.image.tag` instead" }} {{- end }} {{- if .Values.controller.slaveListenerPort }} @@ -112,4 +112,40 @@ {{- if .Values.controller.rollingUpdate }} {{ fail "`controller.rollingUpdate` does no longer exist. It is no longer relevant, since a StatefulSet is used for the Jenkins controller" }} {{- end }} + + {{- if .Values.controller.tag }} + {{ fail "`controller.tag` no longer exists. It has been renamed to `controller.image.tag'" }} + {{- end }} + + {{- if .Values.controller.tagLabel }} + {{ fail "`controller.tagLabel` no longer exists. It has been renamed to `controller.image.tagLabel`" }} + {{- end }} + + {{- if .Values.controller.adminSecret }} + {{ fail "`controller.adminSecret` no longer exists. It has been renamed to `controller.admin.createSecret`" }} + {{- end }} + + {{- if .Values.controller.adminUser }} + {{ fail "`controller.adminUser` no longer exists. It has been renamed to `controller.admin.username`" }} + {{- end }} + + {{- if .Values.controller.adminPassword }} + {{ fail "`controller.adminPassword` no longer exists. It has been renamed to `controller.admin.password`" }} + {{- end }} + + {{- if .Values.controller.sidecars.other }} + {{ fail "`controller.sidecars.other` no longer exists. It has been renamed to `controller.sidecars.additionalSidecarContainers`" }} + {{- end }} + + {{- if .Values.agent.tag }} + {{ fail "`controller.agent.tag` no longer exists. It has been renamed to `controller.agent.image.tag`" }} + {{- end }} + + {{- if .Values.backup }} + {{ fail "`controller.backup` no longer exists." }} + {{- end }} + + {{- if .Values.helmtest.bats.tag }} + {{ fail "`helmtest.bats.tag` no longer exists. It has been renamed to `helmtest.bats.image.tag`" }} + {{- end }} {{- end }} 
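Review bot: The new guards only catch removed scalar keys, not the old scalar form of keys that became maps: a values file that still sets `controller.image`, `agent.image`, `controller.sidecars.configAutoReload.image` or `helmtest.bats.image` as a string now fails inside the StatefulSet and helper templates with a Go-template field-access error instead of a readable message, and `controller.imagePullPolicy` (renamed to `controller.image.pullPolicy` in the `@@ -109` README hunk) and `controller.existingSecret` (replaced by `controller.admin.existingSecret` in the `@@ -255` README hunk) have no guard at all. `kindIs "string"` checks alongside the existing ones give the same clear failure. Three of the new messages also mislabel the key: the `controller.tag` message closes with `'` instead of a backtick, the `.Values.agent.tag` check reports `controller.agent.tag`/`controller.agent.image.tag` although the checked key is `agent.tag`, and the `.Values.backup` check reports `controller.backup` for the top-level `backup` key.
```helm
{{- /* … unchanged: existing renamed-key guards … */}}

{{- if kindIs "string" .Values.controller.image }}
  {{ fail "`controller.image` is now a map. Please use `controller.image.registry` and `controller.image.repository` instead" }}
{{- end }}

{{- if kindIs "string" .Values.agent.image }}
  {{ fail "`agent.image` is now a map. Please use `agent.image.repository` and `agent.image.tag` instead" }}
{{- end }}

{{- if kindIs "string" .Values.controller.sidecars.configAutoReload.image }}
  {{ fail "`controller.sidecars.configAutoReload.image` is now a map. Please use `controller.sidecars.configAutoReload.image.registry`, `.repository` and `.tag` instead" }}
{{- end }}

{{- if kindIs "string" .Values.helmtest.bats.image }}
  {{ fail "`helmtest.bats.image` is now a map. Please use `helmtest.bats.image.registry`, `.repository` and `.tag` instead" }}
{{- end }}

{{- if .Values.controller.imagePullPolicy }}
  {{ fail "`controller.imagePullPolicy` no longer exists. It has been renamed to `controller.image.pullPolicy`" }}
{{- end }}

{{- if .Values.controller.existingSecret }}
  {{ fail "`controller.existingSecret` no longer exists. It has been renamed to `controller.admin.existingSecret`" }}
{{- end }}

{{- if .Values.agent.tag }}
  {{ fail "`agent.tag` no longer exists. It has been renamed to `agent.image.tag`" }}
{{- end }}

{{- if .Values.backup }}
  {{ fail "`backup` no longer exists." }}
{{- end }}
```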
diff --git a/charts/jenkins/jenkins/templates/jcasc-config.yaml b/charts/jenkins/jenkins/templates/jcasc-config.yaml index 684c985ab..e40419452 100644 --- a/charts/jenkins/jenkins/templates/jcasc-config.yaml +++ b/charts/jenkins/jenkins/templates/jcasc-config.yaml @@ -40,6 +40,6 @@ metadata: {{ template "jenkins.fullname" $root }}-jenkins-config: "true" data: jcasc-default-config.yaml: |- - {{- include "jenkins.casc.defaults" . |nindent 4 }} + {{- include "jenkins.casc.defaults" . | nindent 4 }} {{- end}} {{- end }} diff --git a/charts/jenkins/jenkins/templates/jenkins-backup-cronjob.yaml b/charts/jenkins/jenkins/templates/jenkins-backup-cronjob.yaml deleted file mode 100644 index d710dd5e5..000000000 --- a/charts/jenkins/jenkins/templates/jenkins-backup-cronjob.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ -{{- if .Values.backup.enabled }} -apiVersion: {{ .Values.cronJob.apiVersion }} -kind: CronJob -metadata: - name: {{ template "jenkins.fullname" . }}-backup - namespace: {{ template "jenkins.namespace" . }} - labels: - "app.kubernetes.io/name": '{{ template "jenkins.name" .}}' - {{- if .Values.renderHelmLabels }} - "helm.sh/chart": "{{ template "jenkins.label" .}}" - {{- end }} - "app.kubernetes.io/managed-by": "{{ .Release.Service }}" - "app.kubernetes.io/instance": "{{ .Release.Name }}" - "app.kubernetes.io/component": "{{ .Values.backup.componentName }}" -spec: - schedule: {{ .Values.backup.schedule | quote }} - concurrencyPolicy: Forbid - startingDeadlineSeconds: 120 - jobTemplate: - spec: -{{- if .Values.backup.activeDeadlineSeconds }} - activeDeadlineSeconds: {{ .Values.backup.activeDeadlineSeconds }} -{{- end }} - template: - metadata: - {{- if .Values.backup.labels }} - labels: - {{- toYaml .Values.backup.labels | trim | nindent 12 }} - {{- end }} - {{- if .Values.backup.annotations }} - annotations: - {{- toYaml .Values.backup.annotations | trim | nindent 12 }} - {{- end }} - spec: - restartPolicy: OnFailure - serviceAccountName: {{ include "backup.serviceAccountBackupName" . }} - {{- if .Values.backup.usePodSecurityContext }} - securityContext: - {{- if hasKey .Values.backup "podSecurityContextOverride" }} - {{- tpl (toYaml .Values.backup.podSecurityContextOverride | nindent 12) . 
}} - {{- else }} - runAsUser: {{ default 0 .Values.backup.runAsUser }} - {{- if and (.Values.backup.runAsUser) (.Values.backup.fsGroup) }} - {{- if not (eq (int .Values.backup.runAsUser) 0) }} - fsGroup: {{ .Values.backup.fsGroup }} - {{- end }} - {{- end }} - {{- if .Values.backup.securityContextCapabilities }} - capabilities: - {{- toYaml .Values.backup.securityContextCapabilities | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - containers: - - name: jenkins-backup - image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}" - command: ["kube-tasks"] - args: - - simple-backup - - -n - - {{ template "jenkins.namespace" . }} - - -l - - app.kubernetes.io/instance={{ .Release.Name }} - - --container - - jenkins - - --path - {{- if .Values.backup.onlyJobs }} - - {{ .Values.controller.jenkinsHome }}/jobs - {{- else}} - - {{ .Values.controller.jenkinsHome }} - {{- end}} - - --dst - - {{ .Values.backup.destination }} - {{- with .Values.backup.extraArgs }} - {{- toYaml . | nindent 12 }} - {{- end }} - env: - {{- with .Values.backup.env }} - {{- toYaml . 
| trim | nindent 12 }} - {{- end }} - {{- if .Values.backup.existingSecret }} - {{- range $key,$value := .Values.backup.existingSecret }} - {{- if $value.awsaccesskey }} - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: {{ $key }} - key: {{ $value.awsaccesskey | quote }} - {{- end }} - {{- if $value.awssecretkey }} - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ $key }} - key: {{ $value.awssecretkey | quote}} - {{- end }} - {{- if $value.azstorageaccount }} - - name: AZURE_STORAGE_ACCOUNT - valueFrom: - secretKeyRef: - name: {{ $key }} - key: {{ $value.azstorageaccount | quote}} - {{- end }} - {{- if $value.azstoragekey }} - - name: AZURE_STORAGE_ACCESS_KEY - valueFrom: - secretKeyRef: - name: {{ $key }} - key: {{ $value.azstoragekey | quote}} - {{- end }} - {{- if $value.gcpcredentials }} - - name: GOOGLE_APPLICATION_CREDENTIALS - value: "/var/run/secrets/{{ $key }}/{{ $value.gcpcredentials }}" - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.backup.resources }} - resources: - {{- toYaml . | trim | nindent 14 }} - {{- end }} - volumeMounts: - {{- if .Values.backup.existingSecret }} - {{- range $key,$value := .Values.backup.existingSecret }} - {{- if $value.gcpcredentials }} - - mountPath: /var/run/secrets/{{ $key }} - name: {{ $key }} - {{- end }} - {{- end }} - {{- end }} - volumes: - {{- if .Values.backup.existingSecret }} - {{- range $key,$value := .Values.backup.existingSecret }} - {{- if $value.gcpcredentials }} - - name: {{ $key }} - secret: - secretName: {{ $key }} - {{- end }} - {{- end }} - {{- end }} - affinity: - podAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - {{ template "jenkins.fullname" . }} - - key: release - operator: In - values: - - {{ .Release.Name }} - {{- with .Values.controller.tolerations }} - tolerations: - {{- toYaml . 
| nindent 10 }} - {{- end }} - {{- with .Values.controller.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 12 }} - {{- end }} - {{- if .Values.backup.imagePullSecretName }} - imagePullSecrets: - - name: {{ .Values.backup.imagePullSecretName }} - {{- end -}} -{{- end }} diff --git a/charts/jenkins/jenkins/templates/jenkins-backup-rbac.yaml b/charts/jenkins/jenkins/templates/jenkins-backup-rbac.yaml deleted file mode 100644 index 0f94fa833..000000000 --- a/charts/jenkins/jenkins/templates/jenkins-backup-rbac.yaml +++ /dev/null 
@@ -1,64 +0,0 @@ -{{- if .Values.backup.enabled }} -{{- if .Values.backup.serviceAccount.create }} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "backup.serviceAccountBackupName" . }} - namespace: {{ template "jenkins.namespace" . }} - labels: - "app.kubernetes.io/name": '{{ template "jenkins.name" .}}' - {{- if .Values.renderHelmLabels }} - "helm.sh/chart": "{{ template "jenkins.label" .}}" - {{- end }} - "app.kubernetes.io/managed-by": "{{ .Release.Service }}" - "app.kubernetes.io/instance": "{{ .Release.Name }}" - "app.kubernetes.io/component": "{{ .Values.controller.componentName }}" - {{- if .Values.backup.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.backup.serviceAccount.annotations | nindent 4 }} - {{- end }} -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "jenkins.fullname" . }}-backup - namespace: {{ template "jenkins.namespace" . }} - labels: - "app.kubernetes.io/name": '{{ template "jenkins.name" .}}' - {{- if .Values.renderHelmLabels }} - "helm.sh/chart": "{{ template "jenkins.label" .}}" - {{- end }} - "app.kubernetes.io/managed-by": "{{ .Release.Service }}" - "app.kubernetes.io/instance": "{{ .Release.Name }}" - "app.kubernetes.io/component": "{{ .Values.controller.componentName }}" -rules: -- apiGroups: [""] - resources: ["pods", "pods/log"] - verbs: ["get", "list"] -- apiGroups: [""] - resources: ["pods/exec"] - verbs: ["create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "jenkins.fullname" . }}-backup - namespace: {{ template "jenkins.namespace" . 
}} - labels: - "app.kubernetes.io/name": '{{ template "jenkins.name" .}}' - {{- if .Values.renderHelmLabels }} - "helm.sh/chart": "{{ template "jenkins.label" .}}" - {{- end }} - "app.kubernetes.io/managed-by": "{{ .Release.Service }}" - "app.kubernetes.io/instance": "{{ .Release.Name }}" - "app.kubernetes.io/component": "{{ .Values.controller.componentName }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "jenkins.fullname" . }}-backup -subjects: -- kind: ServiceAccount - name: {{ include "backup.serviceAccountBackupName" . }} - namespace: {{ template "jenkins.namespace" . }} -{{- end }} diff --git a/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml b/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml index 9cfe93633..364debb9e 100644 --- a/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml +++ b/charts/jenkins/jenkins/templates/jenkins-controller-statefulset.yaml @@ -118,8 +118,8 @@ spec: {{- end}} - name: "init" - image: "{{ .Values.controller.image }}:{{- include "controller.tag" . -}}" - imagePullPolicy: "{{ .Values.controller.imagePullPolicy }}" + image: "{{ .Values.controller.image.registry }}/{{ .Values.controller.image.repository }}:{{- include "controller.image.tag" . -}}" + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" {{- if .Values.controller.containerSecurityContext }} securityContext: {{- toYaml .Values.controller.containerSecurityContext | nindent 12 }} {{- end }} 
@@ -170,8 +170,8 @@ spec: {{- end }} containers: - name: jenkins - image: "{{ .Values.controller.image }}:{{- include "controller.tag" . -}}" - imagePullPolicy: "{{ .Values.controller.imagePullPolicy }}" + image: "{{ .Values.controller.image.registry }}/{{ .Values.controller.image.repository }}:{{- include "controller.image.tag" . -}}" + imagePullPolicy: "{{ .Values.controller.image.pullPolicy }}" {{- if .Values.controller.containerSecurityContext }} securityContext: {{- toYaml .Values.controller.containerSecurityContext | nindent 12 }} {{- end }} @@ -205,7 +205,7 @@ spec: {{- if .Values.controller.containerEnv }} {{ (tpl ( toYaml .Values.controller.containerEnv) .) | indent 12 }} {{- end }} - {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }} + {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.admin.createSecret }} - name: SECRETS value: /run/secrets/additional {{- end }} @@ -298,7 +298,7 @@ spec: - name: sc-config-volume mountPath: {{ .Values.controller.sidecars.configAutoReload.folder | default (printf "%s/casc_configs" (.Values.controller.jenkinsRef)) }} {{- end }} - {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }} + {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.admin.createSecret }} - name: jenkins-secrets mountPath: /run/secrets/additional readOnly: true 
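Review bot: The condition at @@ -205 now keys off `.Values.controller.admin.createSecret` and nothing in this diff still reads the old `controller.adminSecret`, so a release that was upgraded with `controller.adminSecret: false` (typically because the built-in admin was disabled in favour of another realm) silently falls back to the new default `createSecret: true` and gets the admin secret back; the same silent change applies to `adminUser`/`adminPassword`, now ignored in favour of `admin.username`/`admin.password`, and to `sidecars.other` at @@ -313, whose containers would simply stop being rendered. A guard such as `{{- if hasKey .Values.controller "adminSecret" }}{{ fail "controller.adminSecret was moved to controller.admin.createSecret" }}{{ end }}` (and the equivalent for the other renamed keys) turns the silent behaviour change into an install-time error. The same condition recurs at @@ -298, @@ -351 and @@ -368 and in secret.yaml, so a single guard in a helper covers all of them.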
@@ -313,8 +313,8 @@ spec: {{- end}} -{{- if .Values.controller.sidecars.other}} -{{ tpl (toYaml .Values.controller.sidecars.other | indent 8) .}} +{{- if .Values.controller.sidecars.additionalSidecarContainers}} +{{ tpl (toYaml .Values.controller.sidecars.additionalSidecarContainers | indent 8) .}} {{- end }} volumes: @@ -351,7 +351,7 @@ spec: - name: plugin-dir emptyDir: {} {{- end }} - {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.adminSecret }} + {{- if or .Values.controller.additionalSecrets .Values.controller.existingSecret .Values.controller.additionalExistingSecrets .Values.controller.admin.createSecret }} - name: jenkins-secrets projected: sources: @@ -368,7 +368,7 @@ spec: path: {{ tpl $value.name $ }}-{{ tpl $value.keyName $ }} {{- end }} {{- end }} - {{- if .Values.controller.adminSecret }} + {{- if .Values.controller.admin.createSecret }} - secret: name: {{ .Values.controller.admin.existingSecret | default (include "jenkins.fullname" .) }} items: diff --git a/charts/jenkins/jenkins/templates/secret.yaml b/charts/jenkins/jenkins/templates/secret.yaml index 4feb52f42..cc6ace179 100644 --- a/charts/jenkins/jenkins/templates/secret.yaml +++ b/charts/jenkins/jenkins/templates/secret.yaml @@ -1,4 +1,4 @@ -{{- if and (not .Values.controller.admin.existingSecret) (.Values.controller.adminSecret) -}} +{{- if and (not .Values.controller.admin.existingSecret) (.Values.controller.admin.createSecret) -}} apiVersion: v1 kind: Secret @@ -16,5 +16,5 @@ metadata: type: Opaque data: jenkins-admin-password: {{ template "jenkins.password" . }} - jenkins-admin-user: {{ .Values.controller.adminUser | b64enc | quote }} + jenkins-admin-user: {{ .Values.controller.admin.username | b64enc | quote }} {{- end }} diff --git a/charts/jenkins/jenkins/templates/tests/jenkins-test.yaml b/charts/jenkins/jenkins/templates/tests/jenkins-test.yaml index 20e06b593..12a935ecc 100644 
--- a/charts/jenkins/jenkins/templates/tests/jenkins-test.yaml +++ b/charts/jenkins/jenkins/templates/tests/jenkins-test.yaml @@ -17,7 +17,7 @@ spec: {{- end }} initContainers: - name: "test-framework" - image: {{ .Values.helmtest.bats.image }}:{{ .Values.helmtest.bats.tag }} + image: "{{ .Values.helmtest.bats.image.registry }}/{{ .Values.helmtest.bats.image.repository }}:{{ .Values.helmtest.bats.image.tag }}" command: - "bash" - "-c" @@ -31,7 +31,7 @@ spec: name: tools containers: - name: {{ .Release.Name }}-ui-test - image: "{{ .Values.controller.image }}:{{- include "controller.tag" . -}}" + image: "{{ .Values.controller.image.registry }}/{{ .Values.controller.image.repository }}:{{- include "controller.image.tag" . -}}" command: ["/tools/bats/bin/bats", "-t", "/tests/run.sh"] volumeMounts: - mountPath: /tests diff --git a/charts/jenkins/jenkins/values.yaml b/charts/jenkins/jenkins/values.yaml index cc6e6626d..a70faeeb1 100644 --- a/charts/jenkins/jenkins/values.yaml +++ b/charts/jenkins/jenkins/values.yaml @@ -24,10 +24,12 @@ renderHelmLabels: true controller: # Used for label app.kubernetes.io/component componentName: "jenkins-controller" - image: "jenkins/jenkins" - # tag: "2.426.2-jdk17" - tagLabel: jdk17 - imagePullPolicy: "Always" + image: + registry: "docker.io" + repository: "jenkins/jenkins" + # tag: "2.426.3-jdk17" + tagLabel: jdk17 + pullPolicy: "Always" imagePullSecretName: # Optionally configure lifetime for controller-container lifecycle: 
@@ -43,20 +45,23 @@ controller: # This is ignored if enableRawHtmlMarkupFormatter is true markupFormatter: plainText customJenkinsLabels: [] - # The default configuration uses this secret to configure an admin user - # If you don't need that user or use a different security realm then you can disable it - adminSecret: true hostNetworking: false # When enabling LDAP or another non-Jenkins identity source, the built-in admin account will no longer exist. # If you disable the non-Jenkins identity store and instead use the Jenkins internal one, - # you should revert controller.adminUser to your preferred admin user: - adminUser: "admin" - # adminPassword: + # you should revert controller.admin.username to your preferred admin user: admin: - existingSecret: "" + username: "admin" + # password: + userKey: jenkins-admin-user passwordKey: jenkins-admin-password + + # The default configuration uses this secret to configure an admin user + # If you don't need that user or use a different security realm then you can disable it + createSecret: true + existingSecret: "" + # This values should not be changed unless you use your custom image of jenkins or any devired from. If you want to use # Cloudbees Jenkins Distribution docker, you should set jenkinsHome: "/var/cloudbees-jenkins-distribution" jenkinsHome: "/var/jenkins_home" @@ -247,10 +252,10 @@ controller: # List of plugins to be install during Jenkins controller start installPlugins: - - kubernetes:4174.v4230d0ccd951 + - kubernetes:4186.v1d804571d5d4 - workflow-aggregator:596.v8c21c963d92d - - git:5.1.0 - - configuration-as-code:1670.v564dc8b_982d0 + - git:5.2.1 + - configuration-as-code:1775.v810dc950b_514 # Set to false to download the minimum required version of all dependencies. installLatestPlugins: true 
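Review bot: The new `admin:` map carries no mention that it replaces the former top-level `controller.adminSecret`, `controller.adminUser` and `controller.adminPassword` keys, and values.yaml is the file most users consult when upgrading. A comment above `createSecret: true`, e.g. `# Replaces the former controller.adminSecret / adminUser / adminPassword keys; values left at the old locations are ignored`, makes the migration visible without changing behaviour. The `# password:` placeholder also leaves the reader to guess what happens when it is unset; if the chart generates a password in that case (not visible in this diff), saying so here is worthwhile.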
@@ -359,7 +364,7 @@ controller: # Optionally specify additional init-containers customInitContainers: [] # - name: custom-init - # image: "alpine:3.7" + # image: "alpine:3" # imagePullPolicy: Always # command: [ "uname", "-a" ] @@ -369,7 +374,10 @@ controller: # jcasc changes will cause a reboot and will only be applied at the subsequent start-up. Auto-reload uses the # http:///reload-configuration-as-code endpoint to reapply config when changes to the configScripts are detected. enabled: true - image: kiwigrid/k8s-sidecar:1.24.4 + image: + registry: docker.io + repository: kiwigrid/k8s-sidecar + tag: 1.25.4 imagePullPolicy: IfNotPresent resources: {} # limits: @@ -399,8 +407,8 @@ controller: readOnlyRootFilesystem: true allowPrivilegeEscalation: false - # Allows you to inject additional/other sidecars - other: [] + # Allows you to inject additional sidecars + additionalSidecarContainers: [] ## The example below runs the client for https://smee.io as sidecar container next to Jenkins, ## that allows to trigger build behind a secure firewall. ## https://jenkins.io/blog/2019/01/07/webhook-firewalls/#triggering-builds-with-webhooks-behind-a-secure-firewall @@ -638,8 +646,9 @@ agent: namespace: # private registry for agent image jnlpregistry: - image: "jenkins/inbound-agent" - tag: "3192.v713e3b_039fb_e-5" + image: + repository: "jenkins/inbound-agent" + tag: "3206.vb_15dcf73f6a_9-3" workingDir: "/home/jenkins/agent" nodeUsageMode: "NORMAL" customJenkinsLabels: [] @@ -791,8 +800,9 @@ agent: # Containers specified here are added to all agents. Set key empty to remove container from additional agents. additionalContainers: [] # - sideContainerName: dind - # image: docker - # tag: dind + # image: + # repository: docker + # tag: dind # command: dockerd-entrypoint.sh # args: "" # privileged: true 
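Review bot: The `agent.image` map introduced at @@ -638 has only `repository` and `tag`, whereas `controller.image` (@@ -24) and `helmtest.bats.image` get a `registry` key as well; presumably `agent.jnlpregistry`, which stays one level up, plays that role for the agent, but the asymmetry means the image maps cannot be overridden the same way. Either add `registry:` under `agent.image` or annotate the field, e.g. `# the registry for this image is taken from agent.jnlpregistry`, so the relation is explicit. In the same spirit, the sidecar at @@ -369 keeps `imagePullPolicy` beside its new `image` map while the controller moved it to `image.pullPolicy`. How the templates combine these fields is outside this diff.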
@@ -840,14 +850,16 @@ additionalAgents: {} # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp -# image: jenkins/jnlp-agent-maven -# tag: latest +# image: +# repository: jenkins/jnlp-agent-maven +# tag: latest # python: # podName: python # customJenkinsLabels: python # sideContainerName: python -# image: python -# tag: "3" +# image: +# repository: python +# tag: "3" # command: "/bin/sh -c" # args: "cat" # TTYEnabled: true @@ -867,8 +879,9 @@ additionalClouds: {} # customJenkinsLabels: maven # # An example of overriding the jnlp container # # sideContainerName: jnlp -# image: jenkins/jnlp-agent-maven -# tag: latest +# image: +# repository: jenkins/jnlp-agent-maven +# tag: latest # namespace: my-other-maven-namespace # remote-cloud-2: # kubernetesURL: https://api.remote-cloud.com 
@@ -945,76 +958,6 @@ serviceAccountAgent: extraLabels: {} imagePullSecretName: -## Backup cronjob configuration -## Ref: https://github.com/maorfr/kube-tasks -backup: - # Backup must use RBAC - # So by enabling backup you are enabling RBAC specific for backup - enabled: false - # Used for label app.kubernetes.io/component - componentName: "backup" - # Schedule to run jobs. Must be in cron time format - # Ref: https://crontab.guru/ - schedule: "0 2 * * *" - labels: {} - serviceAccount: - create: true - name: - annotations: {} - # Example for authorization to AWS S3 using kube2iam or IRSA - # Can also be done using environment variables - # iam.amazonaws.com/role: "jenkins" - # "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/jenkins-backup" - # Set this to terminate the job that is running/failing continously and set the job status to "Failed" - activeDeadlineSeconds: "" - image: - repository: "maorfr/kube-tasks" - tag: "0.2.0" - imagePullSecretName: - # Additional arguments for kube-tasks - # Ref: https://github.com/maorfr/kube-tasks#simple-backup - extraArgs: [] - # Add existingSecret for AWS credentials - existingSecret: {} - ## Example for using an existing secret - # jenkinsaws: - ## Use this key for AWS access key ID - # awsaccesskey: jenkins_aws_access_key - ## Use this key for AWS secret access key - # awssecretkey: jenkins_aws_secret_key - # Add additional environment variables - # jenkinsgcp: - ## Use this key for GCP credentials - # gcpcredentials: credentials.json - env: [] - # Example environment variable required for AWS credentials chain - # - name: "AWS_REGION" - # value: "us-east-1" - resources: - requests: - memory: 1Gi - cpu: 1 - limits: - memory: 1Gi - cpu: 1 - # Destination to store the backup artifacts - # Supported cloud storage services: AWS S3, Minio S3, Azure Blob Storage, Google Cloud Storage - # Additional support can added. 
Visit this repository for details - # Ref: https://github.com/maorfr/skbn - destination: "s3://jenkins-data/backup" - # By enabling only the jenkins_home/jobs folder gets backed up, not the whole jenkins instance - onlyJobs: false - # Enable backup pod security context (must be `true` if runAsUser or fsGroup are set) - usePodSecurityContext: true - # When setting runAsUser to a different value than 0 also set fsGroup to the same value: - runAsUser: 1000 - fsGroup: 1000 - securityContextCapabilities: {} - # drop: - # - NET_RAW -cronJob: - apiVersion: batch/v1 - checkDeprecation: true awsSecurityGroupPolicies: @@ -1029,5 +972,7 @@ helmtest: # A testing framework for bash bats: # Bash Automated Testing System (BATS) - image: "bats/bats" - tag: "1.9.0" + image: + registry: "docker.io" + repository: "bats/bats" + tag: "v1.10.0" diff --git a/charts/jfrog/artifactory-ha/.helmignore b/charts/jfrog/artifactory-ha/.helmignore index c7eb1e274..b6e97f07f 100644 --- a/charts/jfrog/artifactory-ha/.helmignore +++ b/charts/jfrog/artifactory-ha/.helmignore @@ -19,4 +19,6 @@ .project .idea/ *.tmproj -OWNERS \ No newline at end of file +OWNERS + +tests/ \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/CHANGELOG.md b/charts/jfrog/artifactory-ha/CHANGELOG.md index 9987e6dec..a36e0b66c 100644 --- a/charts/jfrog/artifactory-ha/CHANGELOG.md +++ b/charts/jfrog/artifactory-ha/CHANGELOG.md 
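Review bot: Dropping the whole `backup:` block (together with its RBAC template earlier in this diff) means a release upgraded with `backup.enabled: true` silently stops producing backups: Helm ignores the unknown keys, and the CronJob and its Role/RoleBinding are removed on upgrade with no replacement and no error. A template guard such as `{{- if .Values.backup }}{{ fail "The built-in backup CronJob was removed from this chart; set up an external backup before upgrading" }}{{ end }}`, or at least an upgrade note in the chart documentation, would make the loss explicit. The hunk's leading context lines belong to `serviceAccountAgent`, which starts outside the hunk.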
@@ -1,10 +1,29 @@ # JFrog Artifactory-ha Chart Changelog All changes to this chart will be documented in this file -## [107.71.11] - Nov 15, 2023 +## [107.77.0] - Dec 21, 2023 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) + +## [107.77.5] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.70.0] - Nov 30, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) * Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml * Fixed - Artifactory primary service condition +* Fixed - SecurityContext with runAsGroup in artifactory-ha [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift ## [107.69.0] - Sep 18, 2023 * Adjust rtfs context diff --git a/charts/jfrog/artifactory-ha/Chart.yaml b/charts/jfrog/artifactory-ha/Chart.yaml index 7f44c5d46..90619f508 100644 --- a/charts/jfrog/artifactory-ha/Chart.yaml +++ b/charts/jfrog/artifactory-ha/Chart.yaml 
@@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA - catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-ha apiVersion: v2 -appVersion: 7.71.11 +appVersion: 7.77.5 dependencies: - condition: postgresql.enabled name: postgresql @@ -18,7 +18,7 @@ keywords: - artifactory - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -26,4 +26,4 @@ name: artifactory-ha sources: - https://github.com/jfrog/charts type: application -version: 107.71.11 +version: 107.77.5 diff --git a/charts/jfrog/artifactory-ha/README.md b/charts/jfrog/artifactory-ha/README.md index de40eebce..ea332fc19 100644 --- a/charts/jfrog/artifactory-ha/README.md +++ b/charts/jfrog/artifactory-ha/README.md @@ -8,7 +8,7 @@ Below you will find the basic instructions for installing, uninstalling, and del ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory HA license ## Chart Details @@ -40,6 +40,13 @@ To install the chart with the release name `artifactory`: helm upgrade --install artifactory-ha --namespace artifactory-ha jfrog/artifactory-ha ``` +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory-ha --namespace artifactory-ha jfrog/artifactory-ha -f sizing/artifactory-small-extra-config.yaml -f sizing/artifactory-small.yaml +``` + ## Uninstalling Artifactory Uninstall is supported only on Helm v3 and on. diff --git a/charts/jfrog/artifactory-ha/ci/large-values.yaml b/charts/jfrog/artifactory-ha/ci/large-values.yaml index 8c1bacd34..153307aa2 100644 --- a/charts/jfrog/artifactory-ha/ci/large-values.yaml +++ b/charts/jfrog/artifactory-ha/ci/large-values.yaml 
@@ -75,14 +75,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-ha/ci/medium-values.yaml b/charts/jfrog/artifactory-ha/ci/medium-values.yaml index 3f04f68df..115e7d460 100644 --- a/charts/jfrog/artifactory-ha/ci/medium-values.yaml +++ b/charts/jfrog/artifactory-ha/ci/medium-values.yaml @@ -75,14 +75,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-ha/ci/rtsplit-access-tls-values.yaml b/charts/jfrog/artifactory-ha/ci/rtsplit-access-tls-values.yaml index 7ab2221da..58a8cb207 100644 --- a/charts/jfrog/artifactory-ha/ci/rtsplit-access-tls-values.yaml +++ b/charts/jfrog/artifactory-ha/ci/rtsplit-access-tls-values.yaml @@ -105,14 +105,6 @@ event: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-ha/ci/rtsplit-values.yaml b/charts/jfrog/artifactory-ha/ci/rtsplit-values.yaml index 2b88d70a8..ef334e5e6 100644 --- a/charts/jfrog/artifactory-ha/ci/rtsplit-values.yaml +++ b/charts/jfrog/artifactory-ha/ci/rtsplit-values.yaml @@ -155,21 +155,6 @@ event: preStop: exec: command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] observability: resources: requests: 
diff --git a/charts/jfrog/artifactory-ha/ci/small-values.yaml b/charts/jfrog/artifactory-ha/ci/small-values.yaml index 501d357b9..b4557289e 100644 --- a/charts/jfrog/artifactory-ha/ci/small-values.yaml +++ b/charts/jfrog/artifactory-ha/ci/small-values.yaml @@ -77,14 +77,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-ha/files/binarystore.xml b/charts/jfrog/artifactory-ha/files/binarystore.xml index f6b99dbe0..dc13eb870 100644 --- a/charts/jfrog/artifactory-ha/files/binarystore.xml +++ b/charts/jfrog/artifactory-ha/files/binarystore.xml @@ -261,6 +261,12 @@ {{- with .maxConnections }} {{ . }} {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} {{- with .kmsServerSideEncryptionKeyId }} {{ . }} {{- end }} diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml new file mode 100644 index 000000000..d3891eca4 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge-extra-config.yaml 
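Review bot: The two new `with` guards in binarystore.xml skip their element whenever the value is falsy, and a numeric `0` is falsy in Go templates, so `connectionTimeout: 0` or `socketTimeout: 0` in values would be silently omitted rather than rendered; if zero is a meaningful setting for the provider (typically "no timeout"), the guard should test presence instead, e.g. `{{- if hasKey . "connectionTimeout" }}`. The unit of the two values is also not stated anywhere in this diff, so the matching values.yaml comment should say whether they are milliseconds. The enclosing provider element starts outside the hunk.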
@@ -0,0 +1,40 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + +access: + tomcat: + connector: + maxThreads: 200 + + database: + maxOpenConnections: 200 + +metadata: + database: + maxOpenConnections: 200 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..ef809864f --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-2xlarge.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: "1" + memory: 1Gi + limits: + # cpu: "6" + memory: 2Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2500" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: 
kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-large-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-large-extra-config.yaml new file mode 100644 index 000000000..038c2ac4a --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-large-extra-config.yaml @@ -0,0 +1,40 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + +access: + tomcat: + connector: + maxThreads: 125 + + database: + maxOpenConnections: 100 + +metadata: + database: + maxOpenConnections: 100 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-large.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-large.yaml new file mode 100644 index 000000000..083643ca2 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-large.yaml 
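Review bot: The 2xlarge profile sets `postgresql.postgresqlExtendedConf.maxConnections: "2500"`, while its companion `artifactory-2xlarge-extra-config.yaml` (the previous hunk) allows `maxOpenConnections: 200` for each of the artifactory, access and metadata pools, i.e. up to 600 per pod; with `replicaCount: 6` that is 3600 potential connections, so under load the pools can exhaust PostgreSQL before they are full. Either raise `maxConnections` or lower the per-pool maxima so the product stays under the server limit, as the large profile does (3 replicas × 300 = 900 under its 1000). As a point of style, `- name : JF_SHARED_NODE_HAENABLED` has a space before the colon unlike every other key in these files; the same line appears in the large, medium and small profiles.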
@@ -0,0 +1,118 @@ +############################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 400Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "1000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - 
artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-medium-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-medium-extra-config.yaml new file mode 100644 index 000000000..47a4004df --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-medium-extra-config.yaml @@ -0,0 +1,40 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-medium.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-medium.yaml new file mode 100644 index 000000000..a9f0756d2 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-medium.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "350" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + 
topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-small-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-small-extra-config.yaml new file mode 100644 index 000000000..47a4004df --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-small-extra-config.yaml @@ -0,0 +1,40 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-small.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-small.yaml new file mode 100644 index 000000000..3a3db7c89 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-small.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "350" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: 
kubernetes.io/hostname + resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml new file mode 100644 index 000000000..e266e0638 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge-extra-config.yaml @@ -0,0 +1,39 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + +access: + tomcat: + connector: + maxThreads: 150 + + database: + maxOpenConnections: 150 + +metadata: + database: + maxOpenConnections: 150 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..ccd336589 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-xlarge.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2500" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + 
topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml new file mode 100644 index 000000000..cc557abd5 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall-extra-config.yaml @@ -0,0 +1,40 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + primary: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + +access: + tomcat: + connector: + maxThreads: 15 + + database: + maxOpenConnections: 15 + +metadata: + database: + maxOpenConnections: 15 + diff --git a/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall.yaml b/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..e46ee61b6 --- /dev/null +++ b/charts/jfrog/artifactory-ha/sizing/artifactory-xsmall.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +############################################################## +splitServicesToContainers: true +artifactory: + primary: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + 
resources: + requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/templates/_helpers.tpl b/charts/jfrog/artifactory-ha/templates/_helpers.tpl index c6ef87daf..0456a7b9a 100644 --- a/charts/jfrog/artifactory-ha/templates/_helpers.tpl +++ b/charts/jfrog/artifactory-ha/templates/_helpers.tpl @@ -372,9 +372,6 @@ Resolve requiredServiceTypes value {{- if .Values.event.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} {{- end -}} -{{- if .Values.integration.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfint" -}} -{{- end -}} {{- if .Values.frontend.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} {{- end -}} @@ -402,20 +399,7 @@ nginx scheme (http/https) {{- end -}} {{/* -nginx command -*/}} -{{- define "nginx.command" -}} -{{- if .Values.nginx.customCommand }} -{{ toYaml .Values.nginx.customCommand }} -{{ else }} -- nginx -- -g -- 'daemon off;' -{{- end }} -{{- end -}} - -{{/* -nginx port (80/443) based on http/https enabled +nginx port (8080/8443) based on http/https enabled */}} {{- define "nginx.port" -}} {{- if .Values.nginx.http.enabled -}} @@ -496,14 +480,3 @@ nodeSelector: {{ toYaml .Values.nginx.nodeSelector | indent 2 }} {{- end -}} {{- end -}} - -{{/* -Resolve fsGroup and runAsGroup on cluster based -*/}} -{{- define "artifactory.isOpenshiftCompatible" -}} -{{- if (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} -{{- printf "%s" "true" -}} -{{- else -}} -{{- printf "%s" "false" -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/templates/artifactory-node-statefulset.yaml b/charts/jfrog/artifactory-ha/templates/artifactory-node-statefulset.yaml index a0f738f72..8fab72a32 100644 --- a/charts/jfrog/artifactory-ha/templates/artifactory-node-statefulset.yaml 
+++ b/charts/jfrog/artifactory-ha/templates/artifactory-node-statefulset.yaml @@ -71,11 +71,8 @@ spec: securityContext: runAsNonRoot: true runAsUser: {{ .Values.artifactory.uid }} - {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }} runAsGroup: {{ .Values.artifactory.gid }} - {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }} fsGroup: {{ .Values.artifactory.gid }} - {{- end }} {{- if .Values.artifactory.fsGroupChangePolicy }} fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }} {{- end }} 
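Review bot: `runAsGroup` and `fsGroup` are now both rendered unconditionally from `artifactory.gid`, whereas the removed `artifactory.isOpenshiftCompatible` guard previously emitted only `runAsGroup` when the SecurityContextConstraints API was present. On OpenShift with the restricted SCC, a fixed `fsGroup` outside the namespace's allocated GID range may cause pod admission to fail — presumably the reason the guard existed; confirm on an OpenShift install, or document the constraint above the line, e.g. `# On OpenShift, artifactory.gid must fall inside the namespace's supplemental-groups range or the restricted SCC rejects fsGroup`. The primary statefulset hunk below makes the identical change and needs the same caveat. The enclosing pod spec starts and ends outside this hunk.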
@@ -707,45 +704,7 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} - {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} - {{- end }} - {{- end }} - {{- if .Values.federation.enabled }} + {{- if and .Values.federation.enabled .Values.federation.embedded }} - name: {{ .Values.federation.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} @@ -911,8 +870,6 @@ spec: value: "false" - name : JF_JFCONNECT_SERVICE_ENABLED value: "false" - - name : JF_INTEGRATION_ENABLED - value: "false" {{- end }} {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} - name: SKIP_WAIT_FOR_EXTERNAL_DB 
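Review bot: the federation sidecar is now rendered only when both `federation.enabled` and the new `federation.embedded` are true, so an existing values file with `federation.enabled: true` and no `embedded` key silently loses the container on upgrade if the new default is false (the `values.yaml` default for `federation.embedded` is not in this chunk). A comment on the condition line, e.g. `{{- /* embedded=false assumes federation runs outside this pod; see values.yaml */ -}}`, plus an upgrade note in the changelog would make the behavior change visible. The container list continues outside the hunk.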
diff --git a/charts/jfrog/artifactory-ha/templates/artifactory-primary-statefulset.yaml b/charts/jfrog/artifactory-ha/templates/artifactory-primary-statefulset.yaml index b13bf5cc6..19e04a29a 100644 --- a/charts/jfrog/artifactory-ha/templates/artifactory-primary-statefulset.yaml +++ b/charts/jfrog/artifactory-ha/templates/artifactory-primary-statefulset.yaml @@ -89,11 +89,8 @@ spec: securityContext: runAsNonRoot: true runAsUser: {{ .Values.artifactory.uid }} - {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }} runAsGroup: {{ .Values.artifactory.gid }} - {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }} fsGroup: {{ .Values.artifactory.gid }} - {{- end }} {{- if .Values.artifactory.fsGroupChangePolicy }} fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }} {{- end }} 
@@ -797,45 +794,7 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} - image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} - {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} - {{- end }} - {{- end }} - {{- if .Values.federation.enabled }} + {{- if and .Values.federation.enabled .Values.federation.embedded }} - name: {{ .Values.federation.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} @@ -995,8 +954,6 @@ spec: value: "false" - name : JF_JFCONNECT_SERVICE_ENABLED value: "false" - - name : JF_INTEGRATION_ENABLED - value: "false" {{- end }} {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} - name: SKIP_WAIT_FOR_EXTERNAL_DB 
diff --git a/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml index 80e2def21..a086fe9f2 100644 --- a/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml +++ b/charts/jfrog/artifactory-ha/templates/nginx-deployment.yaml @@ -41,10 +41,13 @@ spec: component: {{ .Values.nginx.name }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} spec: - securityContext: - runAsUser: {{ .Values.nginx.uid }} - runAsGroup: {{ .Values.nginx.gid }} + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} serviceAccountName: {{ template "artifactory-ha.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} @@ -80,12 +83,9 @@ spec: - name: {{ .Values.nginx.name }} image: {{ include "artifactory-ha.getImageInfoByValue" (list . "nginx") }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - {{- with .Values.nginx.securityContext }} - securityContext: -{{ toYaml . | indent 10 }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} - command: -{{- tpl (include "nginx.command" .) . | indent 10 }} ports: {{ if .Values.nginx.customPorts }} {{ toYaml .Values.nginx.customPorts | indent 8 }} @@ -211,4 +211,4 @@ spec: secretName: {{ template "artifactory-ha.fullname" . }}-nginx-certificate {{- end }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/jfrog/artifactory-ha/values-large.yaml b/charts/jfrog/artifactory-ha/values-large.yaml deleted file mode 100644 index 2d0ee5789..000000000 
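Review bot: when `nginx.podSecurityContext.enabled` is false — the OpenShift path described in this release's changelog — the new template renders no pod `securityContext` at all, where the old one always pinned `runAsUser`/`runAsGroup`; on a non-OpenShift cluster without a restrictive admission policy nginx then runs with whatever UID the image defaults to. `runAsNonRoot: true` carries no fixed UID and is accepted by the restricted SCC, so render it unconditionally and merge the user-supplied fields under it (the defaults of `nginx.podSecurityContext` are not in this chunk; the key name is taken from the template). The rest of the pod spec lies outside the hunk.
```yaml
    spec:
      securityContext:
        # always rendered: no fixed UID, so OpenShift's restricted SCC can still assign one
        runAsNonRoot: true
        {{- if .Values.nginx.podSecurityContext.enabled }}
        {{- omit .Values.nginx.podSecurityContext "enabled" "runAsNonRoot" | toYaml | nindent 8 }}
        {{- end }}
      # … unchanged: serviceAccountName, terminationGracePeriodSeconds, imagePullSecrets …
```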
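Review bot: the `command:` block built by the removed `nginx.command` helper is gone, so a `nginx.customCommand` value that existing users carry in their values files is now silently ignored (its removal from `values.yaml` is not visible in this chunk). Make the upgrade fail loudly instead: `{{- if .Values.nginx.customCommand }}{{ fail "nginx.customCommand has been removed; the image entrypoint is used" }}{{- end }}`. Likewise, with `nginx.containerSecurityContext.enabled: false` no container securityContext is rendered at all; consider keeping `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` outside the conditional, since neither fixes a UID and both are SCC-compatible.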
--- a/charts/jfrog/artifactory-ha/values-large.yaml +++ /dev/null @@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 300 - primary: - replicaCount: 4 - resources: - requests: - memory: "6Gi" - cpu: "2" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "8g" - xmx: "10g" -access: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 100 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 150 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-ha/values-medium.yaml b/charts/jfrog/artifactory-ha/values-medium.yaml deleted file mode 100644 index c2d26ee38..000000000 --- a/charts/jfrog/artifactory-ha/values-medium.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 200 - primary: - replicaCount: 3 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "6g" - xmx: "8g" -access: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 100 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-ha/values-small.yaml b/charts/jfrog/artifactory-ha/values-small.yaml deleted file mode 100644 index aa97312a1..000000000 --- a/charts/jfrog/artifactory-ha/values-small.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -artifactory: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 200 - primary: - replicaCount: 2 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "6g" -access: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 80 - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-ha/values.yaml b/charts/jfrog/artifactory-ha/values.yaml index 34b9c53dd..e36b3600e 100644 --- a/charts/jfrog/artifactory-ha/values.yaml +++ b/charts/jfrog/artifactory-ha/values.yaml @@ -41,7 +41,7 @@ global: ## String to fully override artifactory-ha.fullname template ## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 +initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.3.1475 installer: type: platform: 
@@ -174,19 +174,12 @@ postgresql: enabled: true containerSecurityContext: enabled: true - runAsNonRoot: true - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - # requests: - # memory: "512Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "500m" + # requests: + # memory: "512Mi" + # cpu: "100m" + # limits: + # memory: "1Gi" + # cpu: "500m" ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false), ## you MUST specify custom database details here or Artifactory will NOT start database: @@ -214,7 +207,7 @@ logger: image: registry: releases-docker.jfrog.io repository: ubi9/ubi-minimal - tag: 9.2.750.1697534106 + tag: 9.3.1475 ## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName ## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}` aws: @@ -239,7 +232,7 @@ router: image: registry: releases-docker.jfrog.io repository: jfrog/router - tag: 7.81.0 + tag: 7.91.0 imagePullPolicy: IfNotPresent serviceRegistry: ## Service registry (Access) TLS verification skipped if enabled @@ -787,6 +780,7 @@ artifactory: {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} federation: enabled: true + embedded: {{ .Values.federation.embedded }} extraJavaOpts: {{ .Values.federation.extraJavaOpts }} port: {{ .Values.federation.internalPort }} rtfs: @@ -971,6 +965,8 @@ artifactory: port: useHttp: maxConnections: 50 + connectionTimeout: + socketTimeout: kmsServerSideEncryptionKeyId: kmsKeyRegion: kmsCryptoMode: 
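Review bot: the bundled PostgreSQL container loses its explicit hardening — the new side keeps only `containerSecurityContext.enabled: true` and drops `runAsNonRoot`, `allowPrivilegeEscalation: false`, the `RuntimeDefault` seccomp profile and `capabilities.drop: [ALL]`, so the container now gets whatever the postgresql subchart's own defaults are (that subchart's values are not in this diff). Unless those defaults are known to be equivalent, restore the four settings so the chart's security posture does not depend on a dependency's defaults. If the removal was deliberate (e.g. to let an OpenShift SCC assign them), say so in a comment on the `enabled` line.
```yaml
postgresql:
  enabled: true
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL
  # … unchanged: commented-out resources example …
```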
@@ -1429,62 +1425,12 @@ jfconnect: failureThreshold: 90 periodSeconds: 5 timeoutSeconds: 5 -integration: - name: integration - enabled: true - internalPort: 8071 - ## Extra environment variables that can be used to tune integration to your needs. - ## Uncomment and set value as needed - extraEnvironmentVariables: - # - name: MY_ENV_VAR - # value: "" - resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for integration container - lifecycle: {} - # postStart: - # exec: - # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] - # preStop: - # exec: - # command: ["/bin/sh","-c","echo Hello from the preStop handler"] - - ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true - livenessProbe: - enabled: true - config: | - exec: - command: - - sh - - -c - - curl --fail --max-time 1 http://localhost:{{ .Values.integration.internalPort }}/api/v1/system/liveness - initialDelaySeconds: {{ if semverCompare "= 1.19.0-0" in chart.yaml + +## [107.66.0] - Jul 20, 2023 * Disabled federation services when splitServicesToContainers=true ## [107.45.0] - Aug 25, 2022 diff --git a/charts/jfrog/artifactory-jcr/Chart.yaml b/charts/jfrog/artifactory-jcr/Chart.yaml index f34c71ac9..f907a4ea5 100644 --- a/charts/jfrog/artifactory-jcr/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/Chart.yaml 
@@ -1,14 +1,14 @@ annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry - catalog.cattle.io/kube-version: '>= 1.14.0-0' + catalog.cattle.io/kube-version: '>= 1.19.0-0' catalog.cattle.io/release-name: artifactory-jcr apiVersion: v2 -appVersion: 7.71.11 +appVersion: 7.77.5 dependencies: - name: artifactory repository: file://./charts/artifactory - version: 107.71.11 + version: 107.77.5 description: JFrog Container Registry home: https://jfrog.com/container-registry/ icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png @@ -19,7 +19,7 @@ keywords: - registry - devops - jfrog-container-registry -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: helm@jfrog.com name: Chart Maintainers at JFrog @@ -27,4 +27,4 @@ name: artifactory-jcr sources: - https://github.com/jfrog/charts type: application -version: 107.71.11 +version: 107.77.5 diff --git a/charts/jfrog/artifactory-jcr/README.md b/charts/jfrog/artifactory-jcr/README.md index 7df9d9348..307a46b3a 100644 --- a/charts/jfrog/artifactory-jcr/README.md +++ b/charts/jfrog/artifactory-jcr/README.md @@ -6,7 +6,7 @@ JFrog Container Registry is a free Artifactory edition with Docker and Helm repo ## Prerequisites Details -* Kubernetes 1.14+ +* Kubernetes 1.19+ ## Chart Details This chart will do the following: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/.helmignore b/charts/jfrog/artifactory-jcr/charts/artifactory/.helmignore index c7eb1e274..b6e97f07f 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/.helmignore +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/.helmignore @@ -19,4 +19,6 @@ .project .idea/ *.tmproj -OWNERS \ No newline at end of file +OWNERS + +tests/ \ No newline at end of file 
diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md index 67a048985..45a70356b 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/CHANGELOG.md @@ -1,9 +1,29 @@ # JFrog Artifactory Chart Changelog All changes to this chart will be documented in this file. -## [107.71.11] - Oct 31, 2023 +## [107.77.5] - Jan 16, 2024 +* Removed integration service +* Added recommended postgresql sizing configurations under sizing directory +* Updated artifactory-federation (probes, port, embedded mode) +* Fixed - Removed duplicate keys of the sizing yaml file + +## [107.76.0] - Dec 13, 2023 +* Added connectionTimeout and socketTimeout paramaters under AWSS3 binarystore section +* Reduced nginx startupProbe initialDelaySeconds + +## [107.74.0] - Nov 30, 2023 +* Added recommended sizing configurations under sizing directory, please refer [here](README.md/#apply-sizing-configurations-to-the-chart) +* **IMPORTANT** +* Added min kubeVersion ">= 1.19.0-0" in chart.yaml + +## [107.70.0] - Nov 30, 2023 * Fixed - StatefulSet pod annotations changed from range to toYaml [GH-1828](https://github.com/jfrog/charts/issues/1828) * Fixed - Invalid format for awsS3V3 `multiPartLimit,multipartElementSize` in binarystore.xml. +* Fixed - SecurityContext with runAsGroup in artifactory [GH-1838](https://github.com/jfrog/charts/issues/1838) +* Added support for custom labels in the Nginx pods [GH-1836](https://github.com/jfrog/charts/pull/1836) +* Added podSecurityContext and containerSecurityContext for nginx +* Added support for nginx on openshift, set `podSecurityContext` and `containerSecurityContext` to false +* Renamed nginx internalPort 80,443 to 8080,8443 to support openshift ## [107.69.0] - Sep 18, 2023 * Adjust rtfs context 
diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml index 753e010e1..90b1dea4c 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 7.71.11 +appVersion: 7.77.5 dependencies: - condition: postgresql.enabled name: postgresql @@ -13,7 +13,7 @@ keywords: - artifactory - jfrog - devops -kubeVersion: '>= 1.14.0-0' +kubeVersion: '>= 1.19.0-0' maintainers: - email: installers@jfrog.com name: Chart Maintainers at JFrog @@ -21,4 +21,4 @@ name: artifactory sources: - https://github.com/jfrog/charts type: application -version: 107.71.11 +version: 107.77.5 diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/README.md b/charts/jfrog/artifactory-jcr/charts/artifactory/README.md index b77f68437..27dddac45 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/README.md +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/README.md @@ -3,7 +3,7 @@ **IMPORTANT!** Our Helm Chart docs have moved to our main documentation site. Below you will find the basic instructions for installing, uninstalling, and deleting Artifactory. For all other information, refer to [Installing Artifactory](https://www.jfrog.com/confluence/display/JFROG/Installing+Artifactory#InstallingArtifactory-HelmInstallation). ## Prerequisites -* Kubernetes 1.14+ +* Kubernetes 1.19+ * Artifactory Pro trial license [get one from here](https://www.jfrog.com/artifactory/free-trial/) ## Chart Details 
@@ -31,6 +31,13 @@ To install the chart with the release name `artifactory`: helm upgrade --install artifactory --namespace artifactory jfrog/artifactory ``` +### Apply Sizing configurations to the Chart +To apply the chart with recommended sizing configurations : +For small configurations : +```bash +helm upgrade --install artifactory --namespace artifactory jfrog/artifactory -f sizing/artifactory-small-extra-config.yaml -f sizing/artifactory-small.yaml +``` + ## Uninstalling Artifactory Uninstall is supported only on Helm v3 and on. diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/large-values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/large-values.yaml index a832906df..94a485d6f 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/large-values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/large-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/medium-values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/medium-values.yaml index 979b7c3da..35044dc36 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/medium-values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/medium-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml index 52861f86e..a81162f0d 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values-access-tls-values.yaml @@ -95,14 +95,6 @@ event: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values.yaml index 5c2e4b366..5306e00e0 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/rtsplit-values.yaml @@ -151,22 +151,6 @@ event: exec: command: ["/bin/sh", "-c", "echo Hello from the event postStart handler >> /tmp/message"] -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - preStop: - exec: - command: ["/bin/sh", "-c", "echo Hello from the integration postStart handler >> /tmp/message"] - observability: resources: requests: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/small-values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/small-values.yaml index 1abc64e67..70d77790a 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/ci/small-values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/ci/small-values.yaml @@ -72,14 +72,6 @@ jfconnect: limits: memory: "1Gi" cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" observability: resources: requests: diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml b/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml index 43dd1cd95..4ecdf50fe 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/files/binarystore.xml @@ -247,6 +247,12 @@ {{- with .maxConnections }} {{ . }} {{- end }} + {{- with .connectionTimeout }} + {{ . }} + {{- end }} + {{- with .socketTimeout }} + {{ . }} + {{- end }} {{- with .kmsServerSideEncryptionKeyId }} {{ . }} {{- end }} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge-extra-config.yaml new file mode 100644 index 000000000..7eb8729d6 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge-extra-config.yaml @@ -0,0 +1,38 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=200 + -Dartifactory.async.poolMaxQueueSize=100000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=200 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 800 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 200 + +access: + tomcat: + connector: + maxThreads: 200 + + database: + maxOpenConnections: 200 + +metadata: + database: + maxOpenConnections: 200 + 
diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge.yaml new file mode 100644 index 000000000..a4e0f9505 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-2xlarge.yaml 
@@ -0,0 +1,117 @@ +############################################################## +# The 2xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 6 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "4" + memory: 20Gi + limits: + # cpu: "20" + memory: 24Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: "1" + memory: 1Gi + limits: + # cpu: "6" + memory: 2Gi + +frontend: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 1Gi + +metadata: + resources: + requests: + cpu: "1" + memory: 500Mi + limits: + # cpu: "5" + memory: 2Gi + +event: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +observability: + resources: + requests: + cpu: 200m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +jfconnect: + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + # cpu: "1" + memory: 250Mi + +nginx: + replicaCount: 3 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "6Gi" + limits: + # cpu: "14" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2500" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: 
kubernetes.io/hostname + resources: + requests: + memory: 256Gi + cpu: "64" + limits: + memory: 256Gi + # cpu: "128" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large-extra-config.yaml new file mode 100644 index 000000000..4714acb38 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large-extra-config.yaml @@ -0,0 +1,38 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=80 + -Dartifactory.async.poolMaxQueueSize=20000 + -Dartifactory.http.client.max.total.connections=100 + -Dartifactory.http.client.max.connections.per.route=100 + -Dartifactory.access.client.max.connections=125 + -Dartifactory.metadata.event.operator.threads=4 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=524288 + -XX:MaxDirectMemorySize=512m + tomcat: + connector: + maxThreads: 500 + extraConfig: 'acceptCount="800" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 100 + +access: + tomcat: + connector: + maxThreads: 125 + + database: + maxOpenConnections: 100 + +metadata: + database: + maxOpenConnections: 100 + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large.yaml new file mode 100644 index 000000000..7212ba52a --- /dev/null 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-large.yaml 
@@ -0,0 +1,117 @@ +############################################################## +# The large sizing +# This size is intended for large organizations. It can be increased with adding replicas or moving to the xlarge sizing +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 3 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 10Gi + limits: + # cpu: "14" + memory: 12Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "8" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 400Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "1" + memory: "500Mi" + limits: + # cpu: "4" + memory: "1Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "1000" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - 
artifactory + topologyKey: kubernetes.io/hostname + resources: + requests: + memory: 64Gi + cpu: "16" + limits: + memory: 64Gi + # cpu: "32" diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium-extra-config.yaml new file mode 100644 index 000000000..6e0f72cb7 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium-extra-config.yaml @@ -0,0 +1,38 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium.yaml new file mode 100644 index 000000000..c32007fc3 --- /dev/null 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-medium.yaml 
@@ -0,0 +1,117 @@ +############################################################## +# The medium sizing +# This size is just 2 replicas of the small size. Vertical sizing of all services is not changed +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 2 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "350" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: 
kubernetes.io/hostname + resources: + requests: + memory: 32Gi + cpu: "8" + limits: + memory: 32Gi + # cpu: "16" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small-extra-config.yaml new file mode 100644 index 000000000..6e0f72cb7 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small-extra-config.yaml @@ -0,0 +1,38 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=40 + -Dartifactory.async.poolMaxQueueSize=10000 + -Dartifactory.http.client.max.total.connections=50 + -Dartifactory.http.client.max.connections.per.route=50 + -Dartifactory.access.client.max.connections=75 + -Dartifactory.metadata.event.operator.threads=3 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=262144 + -XX:MaxDirectMemorySize=256m + tomcat: + connector: + maxThreads: 300 + extraConfig: 'acceptCount="600" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 50 + +access: + tomcat: + connector: + maxThreads: 75 + + database: + maxOpenConnections: 50 + +metadata: + database: + maxOpenConnections: 50 + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small.yaml new file mode 100644 index 000000000..5640049d7 --- /dev/null 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-small.yaml 
@@ -0,0 +1,117 @@ +############################################################## +# The small sizing +# This is the size recommended for running Artifactory for small teams +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 4Gi + limits: + # cpu: "10" + memory: 5Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 100m + memory: 250Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 100m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 100m + memory: 200Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "100m" + memory: "100Mi" + limits: + # cpu: "2" + memory: "500Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "350" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + 
resources: + requests: + memory: 16Gi + cpu: "4" + limits: + memory: 16Gi + # cpu: "10" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge-extra-config.yaml new file mode 100644 index 000000000..9589afc24 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge-extra-config.yaml @@ -0,0 +1,38 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=65 + -Dartifactory.async.corePoolSize=160 + -Dartifactory.async.poolMaxQueueSize=50000 + -Dartifactory.http.client.max.total.connections=150 + -Dartifactory.http.client.max.connections.per.route=150 + -Dartifactory.access.client.max.connections=150 + -Dartifactory.metadata.event.operator.threads=5 + -XX:MaxMetaspaceSize=512m + -Djdk.nio.maxCachedBufferSize=1048576 + -XX:MaxDirectMemorySize=1024m + tomcat: + connector: + maxThreads: 600 + extraConfig: 'acceptCount="1200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 150 + +access: + tomcat: + connector: + maxThreads: 150 + + database: + maxOpenConnections: 150 + +metadata: + database: + maxOpenConnections: 150 + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge.yaml new file mode 100644 index 000000000..002d9891c --- /dev/null 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xlarge.yaml 
@@ -0,0 +1,117 @@ +############################################################## +# The xlarge sizing +# This size is intended for very large organizations. It can be increased with adding replicas +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 4 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "2" + memory: 14Gi + limits: + # cpu: "14" + memory: 16Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "16" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 200m + memory: 500Mi + limits: + # cpu: "4" + memory: 1Gi + +frontend: + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + # cpu: "3" + memory: 1Gi + +metadata: + resources: + requests: + cpu: 200m + memory: 200Mi + limits: + # cpu: "4" + memory: 1Gi + +event: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 100m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 2 + disableProxyBuffering: true + resources: + requests: + cpu: "4" + memory: "4Gi" + limits: + # cpu: "12" + memory: "8Gi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "2500" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: 
kubernetes.io/hostname + resources: + requests: + memory: 128Gi + cpu: "32" + limits: + memory: 128Gi + # cpu: "64" \ No newline at end of file diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall-extra-config.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall-extra-config.yaml new file mode 100644 index 000000000..874ee8391 --- /dev/null +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall-extra-config.yaml @@ -0,0 +1,39 @@ +#################################################################################### +# [WARNING] The configuration mentioned in this file are taken inside system.yaml +# hence this configuration will be overridden when enabling systemYamlOverride +#################################################################################### +artifactory: + javaOpts: + other: > + -XX:InitialRAMPercentage=40 + -XX:MaxRAMPercentage=70 + -Dartifactory.async.corePoolSize=10 + -Dartifactory.async.poolMaxQueueSize=2000 + -Dartifactory.http.client.max.total.connections=20 + -Dartifactory.http.client.max.connections.per.route=20 + -Dartifactory.access.client.max.connections=15 + -Dartifactory.metadata.event.operator.threads=2 + -XX:MaxMetaspaceSize=400m + -XX:CompressedClassSpaceSize=96m + -Djdk.nio.maxCachedBufferSize=131072 + -XX:MaxDirectMemorySize=128m + tomcat: + connector: + maxThreads: 50 + extraConfig: 'acceptCount="200" acceptorThreadCount="2" compression="off" connectionLinger="-1" connectionTimeout="120000" enableLookups="false"' + + database: + maxOpenConnections: 15 + +access: + tomcat: + connector: + maxThreads: 15 + + database: + maxOpenConnections: 15 + +metadata: + database: + maxOpenConnections: 15 + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall.yaml new file mode 100644 index 000000000..213cbb42c --- /dev/null 
+++ b/charts/jfrog/artifactory-jcr/charts/artifactory/sizing/artifactory-xsmall.yaml 
@@ -0,0 +1,118 @@ +############################################################## +# The xsmall sizing +# This is the minimum size recommended for running Artifactory +############################################################## +splitServicesToContainers: true +artifactory: + # Enterprise and above licenses are required for setting replicaCount greater than 1. + # Count should be equal or above the total number of licenses available for artifactory. + replicaCount: 1 + + # Require multiple Artifactory pods to run on separate nodes + podAntiAffinity: + type: "hard" + + resources: + requests: + cpu: "1" + memory: 3Gi + limits: + # cpu: "10" + memory: 4Gi + + extraEnvironmentVariables: + - name: MALLOC_ARENA_MAX + value: "2" + - name : JF_SHARED_NODE_HAENABLED + value: "true" + - name: SKIP_WAIT_FOR_EXTERNAL_DB + value: "true" + +router: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "1" + memory: 500Mi + +frontend: + resources: + requests: + cpu: 50m + memory: 150Mi + limits: + # cpu: "2" + memory: 250Mi + +metadata: + resources: + requests: + cpu: 50m + memory: 100Mi + limits: + # cpu: "2" + memory: 1Gi + +event: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +observability: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +jfconnect: + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + # cpu: 500m + memory: 250Mi + +nginx: + replicaCount: 1 + disableProxyBuffering: true + resources: + requests: + cpu: "50m" + memory: "50Mi" + limits: + # cpu: "1" + memory: "250Mi" + +postgresql: + postgresqlExtendedConf: + maxConnections: "100" + primary: + affinity: + # Require PostgreSQL pod to run on a different node than Artifactory pods + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - artifactory + topologyKey: kubernetes.io/hostname + resources: + 
requests: + memory: 8Gi + cpu: "2" + limits: + memory: 8Gi + # cpu: "8" + diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl index a28776f87..33df663a1 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/_helpers.tpl @@ -320,9 +320,6 @@ Resolve requiredServiceTypes value {{- if .Values.event.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfevt" -}} {{- end -}} -{{- if .Values.integration.enabled -}} - {{- $requiredTypes = printf "%s,%s" $requiredTypes "jfint" -}} -{{- end -}} {{- if .Values.frontend.enabled -}} {{- $requiredTypes = printf "%s,%s" $requiredTypes "jffe" -}} {{- end -}} @@ -372,20 +369,7 @@ nginx scheme (http/https) {{- end -}} {{/* -nginx command -*/}} -{{- define "nginx.command" -}} -{{- if .Values.nginx.customCommand }} -{{ toYaml .Values.nginx.customCommand }} -{{ else }} -- nginx -- -g -- 'daemon off;' -{{- end }} -{{- end -}} - -{{/* -nginx port (80/443) based on http/https enabled +nginx port (8080/8443) based on http/https enabled */}} {{- define "nginx.port" -}} {{- if .Values.nginx.http.enabled -}} @@ -476,14 +460,3 @@ if the volume exists in customVolume then an extra volume with the same name wil {{- printf "%s" "false" -}} {{- end -}} {{- end -}} - -{{/* -Resolve fsGroup and runAsGroup on cluster based -*/}} -{{- define "artifactory.isOpenshiftCompatible" -}} -{{- if (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") -}} -{{- printf "%s" "true" -}} -{{- else -}} -{{- printf "%s" "false" -}} -{{- end -}} -{{- end -}} diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml index 5a63f9c46..bfbc58698 100644 
--- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/artifactory-statefulset.yaml @@ -91,11 +91,8 @@ spec: securityContext: runAsNonRoot: true runAsUser: {{ .Values.artifactory.uid }} - {{ if eq (include "artifactory.isOpenshiftCompatible" .) "true" }} runAsGroup: {{ .Values.artifactory.gid }} - {{ else if eq (include "artifactory.isOpenshiftCompatible" .) "false" }} fsGroup: {{ .Values.artifactory.gid }} - {{- end }} {{- if .Values.artifactory.fsGroupChangePolicy }} fsGroupChangePolicy: {{ .Values.artifactory.fsGroupChangePolicy }} {{- end }} 
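Review bot: `runAsGroup` and `fsGroup` are now both rendered unconditionally from `.Values.artifactory.gid`, so the pod spec no longer has a form that omits `fsGroup` on clusters whose admission layer assigns the group itself; the removed `artifactory.isOpenshiftCompatible` branch was the only place that distinction was made (its definition is deleted in `_helpers.tpl` elsewhere in this change). If the intent is that OpenShift users must now set `artifactory.gid` to a value inside their namespace's permitted range, that contract belongs in the template, e.g. `# runAsGroup/fsGroup are always emitted; on clusters whose SCC/PSA restricts group IDs, set artifactory.gid within the permitted range`. Presumably there is no per-field toggle for this in values.yaml (not visible here) — confirm, and consider mirroring the `podSecurityContext.enabled` switch the nginx deployment gains in this same change so the whole block can be dropped where the platform injects it. The enclosing pod template continues outside the hunk.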
@@ -771,45 +768,7 @@ spec: {{ tpl .Values.jfconnect.livenessProbe.config . | indent 10 }} {{- end }} {{- end }} - {{- if .Values.integration.enabled }} - - name: {{ .Values.integration.name }} - image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} - imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} - {{- if .Values.containerSecurityContext.enabled }} - securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }} - {{- end }} - command: - - '/bin/bash' - - '-c' - - > - exec /opt/jfrog/artifactory/app/integration/bin/jf-integration start - {{- with .Values.integration.lifecycle }} - lifecycle: -{{ toYaml . | indent 10 }} - {{- end }} - env: - - name: JF_SHARED_NODE_ID - valueFrom: - fieldRef: - fieldPath: metadata.name -{{- with .Values.integration.extraEnvironmentVariables }} -{{ tpl (toYaml .) $ | indent 8 }} -{{- end }} - volumeMounts: - - name: artifactory-volume - mountPath: {{ .Values.artifactory.persistence.mountPath | quote }} - resources: -{{ toYaml .Values.integration.resources | indent 10 }} - {{- if .Values.integration.startupProbe.enabled }} - startupProbe: -{{ tpl .Values.integration.startupProbe.config . | indent 10 }} - {{- end }} - {{- if .Values.integration.livenessProbe.enabled }} - livenessProbe: -{{ tpl .Values.integration.livenessProbe.config . | indent 10 }} - {{- end }} - {{- end }} - {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} + {{- if and .Values.federation.enabled .Values.federation.embedded (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }} - name: {{ .Values.federation.name }} image: {{ include "artifactory.getImageInfoByValue" (list . "artifactory") }} imagePullPolicy: {{ .Values.artifactory.image.pullPolicy }} 
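Review bot: The federation sidecar now additionally requires `.Values.federation.embedded` to be truthy, so an existing values override that sets `federation.enabled: true` without the new key renders no container at all instead of failing loudly; whether that is masked depends on the default in values.yaml, which is not visible here. A template comment on the `{{- if and ... }}` line would make the new contract explicit, e.g. `{{- /* NOTE: federation sidecar is rendered only when federation.enabled AND federation.embedded are both true; confirm the values.yaml default before relying on it */ -}}`. If a missing key is meant to be an error rather than a silent no-op, `{{- if and .Values.federation.enabled (not (hasKey .Values.federation "embedded")) }}{{ fail "federation.embedded must be set" }}{{- end }}` ahead of the container would surface it at render time. The container list continues outside the hunk.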
@@ -973,8 +932,6 @@ spec: value: "false" - name : JF_JFCONNECT_SERVICE_ENABLED value: "false" - - name : JF_INTEGRATION_ENABLED - value: "false" {{- end}} {{- if and (not .Values.waitForDatabase) (not .Values.postgresql.enabled) }} - name: SKIP_WAIT_FOR_EXTERNAL_DB diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml index ff7c78c5d..ec0b8fa6e 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/templates/nginx-deployment.yaml @@ -44,10 +44,13 @@ spec: component: {{ .Values.nginx.name }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} +{{- if .Values.nginx.labels }} +{{ toYaml .Values.nginx.labels | indent 8 }} +{{- end }} spec: - securityContext: - runAsUser: {{ .Values.nginx.uid }} - runAsGroup: {{ .Values.nginx.gid }} + {{- if .Values.nginx.podSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} serviceAccountName: {{ template "artifactory.serviceAccountName" . }} terminationGracePeriodSeconds: {{ .Values.nginx.terminationGracePeriodSeconds }} {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} @@ -83,12 +86,9 @@ spec: - name: {{ .Values.nginx.name }} image: {{ include "artifactory.getImageInfoByValue" (list . "nginx") }} imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} - {{- with .Values.nginx.securityContext }} - securityContext: -{{ toYaml . | indent 10 }} + {{- if .Values.nginx.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.nginx.containerSecurityContext "enabled" | toYaml | nindent 10 }} {{- end }} - command: -{{- tpl (include "nginx.command" .) . | indent 10 }} ports: {{ if .Values.nginx.customPorts }} {{ toYaml .Values.nginx.customPorts | indent 8 }} 
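Review bot: The nginx pod `securityContext` is now emitted only when `nginx.podSecurityContext.enabled` is true, whereas `runAsUser: {{ .Values.nginx.uid }}` and `runAsGroup: {{ .Values.nginx.gid }}` used to be set unconditionally. A values file written for the previous chart version carries `nginx.uid`/`nginx.gid` but no `nginx.podSecurityContext`, so unless the new key defaults to `enabled: true` (not visible here) an upgrade silently drops the pod-level user/group and the image's own default user decides what nginx runs as. A cheap migration guard keeps this from being silent: `{{- else if or .Values.nginx.uid .Values.nginx.gid }}` / `{{- fail "nginx.uid/nginx.gid have moved to nginx.podSecurityContext" }}` before the closing `{{- end }}`.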
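Review bot: `.Values.nginx.securityContext` is replaced by `.Values.nginx.containerSecurityContext` with an `enabled` switch, so an existing user block under the old key (dropped capabilities, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`) is ignored after upgrade rather than rejected, which is a hardening regression nobody will notice until an audit. Add a `fail` guard on the old key, `{{- if .Values.nginx.securityContext }}{{ fail "nginx.securityContext was renamed to nginx.containerSecurityContext" }}{{- end }}`, or at minimum call out the rename in the upgrade notes. The `command:` rendered from the `nginx.command` helper is also removed here; if that helper is still defined in _helpers.tpl it is now dead code and should go too.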
diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/values-large.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/values-large.yaml deleted file mode 100644 index 43b1b53e4..000000000 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/values-large.yaml +++ /dev/null @@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 300 - resources: - requests: - memory: "6Gi" - cpu: "2" - limits: - memory: "10Gi" - cpu: "8" - javaOpts: - xms: "8g" - xmx: "10g" -access: - database: - maxOpenConnections: 150 - tomcat: - connector: - maxThreads: 100 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 150 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/values-medium.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/values-medium.yaml deleted file mode 100644 index 48970ef65..000000000 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/values-medium.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 200 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "8Gi" - cpu: "6" - javaOpts: - xms: "6g" - xmx: "8g" -access: - database: - maxOpenConnections: 100 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 100 - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "200Mi" - cpu: "200m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/values-small.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/values-small.yaml deleted file mode 100644 index 898119539..000000000 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/values-small.yaml +++ /dev/null 
@@ -1,80 +0,0 @@ -artifactory: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 200 - resources: - requests: - memory: "4Gi" - cpu: "2" - limits: - memory: "6Gi" - cpu: "4" - javaOpts: - xms: "4g" - xmx: "6g" -access: - database: - maxOpenConnections: 80 - tomcat: - connector: - maxThreads: 50 -router: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -frontend: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -metadata: - database: - maxOpenConnections: 80 - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -event: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -jfconnect: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -integration: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" -observability: - resources: - requests: - memory: "100Mi" - cpu: "100m" - limits: - memory: "1Gi" - cpu: "1" diff --git a/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml b/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml index 02311d737..ab7c1d12c 100644 --- a/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml +++ b/charts/jfrog/artifactory-jcr/charts/artifactory/values.yaml @@ -42,7 +42,7 @@ global: ## String to fully override artifactory.fullname template ## # fullnameOverride: -initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.2.750.1697534106 +initContainerImage: releases-docker.jfrog.io/ubi9/ubi-minimal:9.3.1475 # Init containers initContainers: resources: 
@@ -162,7 +162,7 @@ logger:
 image:
 registry: releases-docker.jfrog.io
 repository: ubi9/ubi-minimal
- tag: 9.2.750.1697534106
+ tag: 9.3.1475
 ## You can use a pre-existing secret with keys license_token and iam_role by specifying licenseConfigSecretName
 ## Example : Create a generic secret using `kubectl create secret generic --from-literal=license_token=${TOKEN} --from-literal=iam_role=${ROLE_ARN}`
 aws:
@@ -187,7 +187,7 @@ router:
 image:
 registry: releases-docker.jfrog.io
 repository: jfrog/router
- tag: 7.81.0
+ tag: 7.91.0
 imagePullPolicy: IfNotPresent
 serviceRegistry:
 ## Service registry (Access) TLS verification skipped if enabled
@@ -737,6 +737,7 @@ artifactory:
 {{- if and .Values.federation.enabled (not (regexMatch "^.*(oss|cpp-ce|jcr).*$" .Values.artifactory.image.repository)) }}
 federation:
 enabled: true
+ embedded: {{ .Values.federation.embedded }}
 extraJavaOpts: {{ .Values.federation.extraJavaOpts }}
 port: {{ .Values.federation.internalPort }}
 rtfs:
@@ -980,6 +981,8 @@ artifactory:
 port:
 useHttp:
 maxConnections: 50
+ connectionTimeout:
+ socketTimeout:
 kmsServerSideEncryptionKeyId:
 kmsKeyRegion:
 kmsCryptoMode:
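Review bot: `embedded: {{ .Values.federation.embedded }}` renders as a bare `embedded:` (YAML null) whenever the value is unset, which a consumer that distinguishes "missing" from `false` may not treat as disabled, and the surrounding `if` still keys only on `federation.enabled`, so system.yaml can declare federation on while the StatefulSet sidecar is additionally gated on `embedded`. Render the flag explicitly, `embedded: {{ .Values.federation.embedded | default false }}`, and document the key under `federation:` in values.yaml so the two templates agree on the default. The `artifactory:` system.yaml block starts and ends outside the hunk.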
@@ -1291,62 +1294,12 @@ jfconnect: failureThreshold: 90 periodSeconds: 5 timeoutSeconds: {{ .Values.probes.timeoutSeconds }} -integration: - name: integration - enabled: true - internalPort: 8071 - ## Extra environment variables that can be used to tune integration to your needs. - ## Uncomment and set value as needed - extraEnvironmentVariables: - # - name: MY_ENV_VAR - # value: "" - resources: {} - # requests: - # memory: "100Mi" - # cpu: "100m" - # limits: - # memory: "1Gi" - # cpu: "1" - - # Add lifecycle hooks for integration container - lifecycle: {} - # postStart: - # exec: - # command: ["/bin/sh", "-c", "echo Hello from the postStart handler"] - # preStop: - # exec: - # command: ["/bin/sh","-c","echo Hello from the preStop handler"] - - ## The following settings are to configure the frequency of the liveness and startup probes when splitServicesToContainers set to true - livenessProbe: - enabled: true - config: | - exec: - command: - - sh - - -c - - curl --fail --max-time {{ .Values.probes.timeoutSeconds }} http://localhost:{{ .Values.integration.internalPort }}/api/v1/system/liveness - initialDelaySeconds: {{ if semverCompare "= 1.17.0-0' catalog.cattle.io/release-name: k10 apiVersion: v2 -appVersion: 6.5.2 +appVersion: 6.5.3 dependencies: - condition: grafana.enabled name: grafana @@ -21,4 +21,4 @@ maintainers: - email: contact@kasten.io name: kastenIO name: k10 -version: 6.5.201 +version: 6.5.301 diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl index 86cca2607..827b6ee9f 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/_helpers.tpl 
@@ -41,34 +41,14 @@ helm.sh/chart: {{ include "alertmanager.chart" . }} app.kubernetes.io/version: {{ . | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/name: {{ include "alertmanager.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Selector labels - -K10 NOTE: - - The selector labels here (`app` and `component`) are divergent from the - selector labels set by the upstream chart. This is intentional since a - Deployment's `spec.selector` is immutable and K10 has already been shipped - with these values. However, we have always shipped with alertmanager disabled. - - If a customer had explicitly enabled alertmanager, a change to these selector - labels will mean that all customers must manually delete the Deployment before - upgrading, which is a situation we don't want for our customers. - - Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels - are included in the `alertmanager.labels` block above. - */}} {{- define "alertmanager.selectorLabels" -}} -{{/*app.kubernetes.io/name: {{ include "alertmanager.name" . }}*/}} -{{/*app.kubernetes.io/instance: {{ .Release.Name }}*/}} -app: prometheus -component: alertmanager -release: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "alertmanager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml index 8b0af0633..25d81a921 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/templates/statefulset.yaml 
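Review bot: `alertmanager.selectorLabels` feeds the StatefulSet's immutable `spec.selector`, and the K10 NOTE deleted in this very hunk spells out the consequence: any release that had alertmanager enabled will fail `helm upgrade` with a selector-immutable error until the StatefulSet is deleted by hand. The change itself may well be intended (realigning with upstream), but it needs an accompanying upgrade note or a `pre-upgrade` hook that removes the old object, and the same applies to the node-exporter DaemonSet and pushgateway StatefulSet whose selectors change in this commit. A one-line template comment such as `{{/* selector labels follow upstream; changing them requires recreating the StatefulSet */}}` would also stop the next reader from re-introducing the old divergence.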
@@ -230,24 +230,18 @@ spec: name: storage spec: accessModes: - {{- toYaml .Values.persistence.accessModes | nindent 10 }} + {{- toYaml .Values.persistence.accessModes | nindent 10 }} resources: requests: storage: {{ .Values.persistence.size }} - {{- if .Values.persistence.storageClass }} - {{- if (eq "-" .Values.persistence.storageClass) }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: {{ .Values.persistence.storageClass }} - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} - {{- end }} - {{- else }} - - name: storage - emptyDir: { } - {{- end }} + {{- end }} + {{- end }} + {{- else }} + - name: storage + emptyDir: {} + {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml index 5dcbfc1bd..fa3b355a5 100644 --- a/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/alertmanager/values.yaml @@ -1,10 +1,3 @@ -# Added by Kasten -# -# The K10 Chart `prometheus.alertmanager.enabled` default value has been moved here -# as part of its deprecation from the K10 Chart. The alertmanager chart has to be -# deleted when we remove support for `prometheus.alertmanager.enabled`. -enabled: false - # yaml-language-server: $schema=values.schema.json # Default values for alertmanager. # This is a YAML-formatted file. 
@@ -43,11 +36,7 @@ automountServiceAccountToken: true serviceAccount: # Specifies whether a service account should be created - # - # Modified by Kasten - # The K10 Chart `prometheus.alertmanager.serviceAccount.create` default value - # has been moved here as part of its deprecation from the K10 Chart - create: false + create: true # Annotations to add to the service account annotations: {} # The name of the service account to use. diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl index b67bc0e84..84552fe47 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl 
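Review bot: With `serviceAccount.create` flipped to `true`, the chart now provisions a ServiceAccount and, because the `automountServiceAccountToken: true` context line just above is left unchanged, mounts its token into the alertmanager pod. Nothing in the default configuration shown here has alertmanager talking to the Kubernetes API, so the safer default that keeps the least-privilege posture the old `create: false` effectively gave is to pair the new account with `automountServiceAccountToken: false` (both at the ServiceAccount and on the pod spec). If a token really is required for some integration, a comment next to `create: true` saying why would make the exposure deliberate rather than incidental.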
@@ -49,34 +49,14 @@ app.kubernetes.io/version: {{ . | quote }} {{- if .Values.releaseLabel }} release: {{ .Release.Name }} {{- end }} -app.kubernetes.io/name: {{ include "prometheus-node-exporter.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Selector labels - -K10 NOTE: - - The selector labels here (`app` and `release`) are divergent from the - selector labels set by the upstream chart. This is intentional since a - Deployment's `spec.selector` is immutable and K10 has already been shipped - with these values. However, we have always shipped with node-exporter disabled. - - If a customer had explicitly enabled node-experter, a change to these selector - labels will mean that all customers must manually delete the Daemonset before - upgrading, which is a situation we don't want for our customers. - - Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels - are included in the `prometheus-node-exporter.labels` block above. - */}} {{- define "prometheus-node-exporter.selectorLabels" -}} -{{/*app.kubernetes.io/name: {{ include "prometheus-node-exporter.name" . }}*/}} -{{/*app.kubernetes.io/instance: {{ .Release.Name }}*/}} -app: prometheus -component: node-exporter -release: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "prometheus-node-exporter.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml index db0972040..6e4665c13 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-node-exporter/values.yaml 
@@ -1,10 +1,3 @@ -# Added by Kasten -# -# The K10 Chart `prometheus.prometheus-node-exporter.enabled` default value has been moved here -# as part of its deprecation from the K10 Chart. The prometheus-node-exporter chart has to be -# deleted when we remove support for `prometheus.prometheus-node-exporter.enabled`. -enabled: false - # Default values for prometheus-node-exporter. # This is a YAML-formatted file. # Declare variables to be passed into your templates. @@ -268,11 +261,7 @@ resources: {} serviceAccount: # Specifies whether a ServiceAccount should be created - # - # Modified by Kasten - # The K10 Chart `prometheus.prometheus-node-exporter.serviceAccount.create` default value - # has been moved here as part of its deprecation from the K10 Chart - create: false + create: true # The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template name: diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl index 2fcc6781e..b56a2dadd 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl 
@@ -66,34 +66,14 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- with .Values.podLabels }} {{ toYaml . }} {{- end }} -app.kubernetes.io/name: {{ include "prometheus-pushgateway.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* Selector labels - -K10 NOTE: - - The selector labels here (`app` and `release`) are divergent from the - selector labels set by the upstream chart. This is intentional since a - Deployment's `spec.selector` is immutable and K10 has already been shipped - with these values. However, we have always shipped with pushgateway disabled. - - If a customer had explicitly enabled node-experter, a change to these selector - labels will mean that all customers must manually delete the Statefulset - before upgrading, which is a situation we don't want for our customers. - - Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels - are included in the `prometheus-pushgateway.defaultLabels` block above. - */}} {{- define "prometheus-pushgateway.selectorLabels" -}} -{{/*app.kubernetes.io/name: {{ include "prometheus-pushgateway.name" . }}*/}} -{{/*app.kubernetes.io/instance: {{ .Release.Name }}*/}} -app: prometheus -component: pushgateway -release: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "prometheus-pushgateway.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} {{/* diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml index cfad8760f..d2a85f424 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml 
@@ -17,17 +17,11 @@ spec: accessModes: {{- toYaml .Values.persistentVolume.accessModes | nindent 4 }} {{- if .Values.persistentVolume.storageClass }} - {{- if (eq "-" .Values.persistentVolume.storageClass) }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.persistentVolume.storageClass }}" - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} + {{- end }} {{- end }} resources: requests: diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml index 431c15748..8d486a306 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml 
@@ -25,31 +25,25 @@ spec: {{- if .Values.persistentVolume.enabled }} volumeClaimTemplates: - metadata: - {{- with .Values.persistentVolume.annotations }} + {{- with .Values.persistentVolume.annotations }} annotations: - {{- toYaml . | nindent 10 }} - {{- end }} + {{- toYaml . | nindent 10 }} + {{- end }} labels: - {{- include "prometheus-pushgateway.defaultLabels" . | nindent 10 }} + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 10 }} name: storage-volume spec: accessModes: - {{ toYaml .Values.persistentVolume.accessModes }} - {{- if .Values.persistentVolume.storageClass }} - {{- if (eq "-" .Values.persistentVolume.storageClass) }} + {{ toYaml .Values.persistentVolume.accessModes }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} + {{- else }} storageClassName: "{{ .Values.persistentVolume.storageClass }}" - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} - {{- end }} + {{- end }} + {{- end }} resources: requests: storage: "{{ .Values.persistentVolume.size }}" - {{- end }} {{- end }} +{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml index 7b75b7880..02e5c0bfd 100644 --- a/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml +++ b/charts/kasten/k10/charts/prometheus/charts/prometheus-pushgateway/values.yaml 
@@ -1,10 +1,3 @@ -# Added by Kasten -# -# The K10 Chart `prometheus.prometheus-pushgateway.enabled` default value has been moved here -# as part of its deprecation from the K10 Chart. The prometheus-pushgateway chart has to be -# deleted when we remove support for `prometheus.prometheus-pushgateway.enabled`. -enabled: false - # Default values for prometheus-pushgateway. # This is a YAML-formatted file. # Declare variables to be passed into your templates. @@ -126,11 +119,7 @@ readiness: serviceAccount: # Specifies whether a ServiceAccount should be created - # - # Modified by Kasten - # The K10 Chart `prometheus.pushgateway.serviceAccount.create` default value - # has been moved here as part of its deprecation from the K10 Chart - create: false + create: true # The name of the ServiceAccount to use. # If not set and create is true, a name is generated using the fullname template name: diff --git a/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl b/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl index 0436fa9e4..0810e3c04 100644 --- a/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl +++ b/charts/kasten/k10/charts/prometheus/templates/_helpers.tpl 
@@ -15,27 +15,10 @@ Create chart name and version as used by the chart label. {{/* Create labels for prometheus - -K10 NOTE: - - The selector labels here (`app` and `release`) are divergent from the - selector labels set by the upstream chart. This is intentional since a - Deployment's `spec.selector` is immutable and K10 has already been shipped - with these values. - - A change to these selector labels will mean that all customers must manually - delete the Prometheus Deployment before upgrading, which is a situation we don't - want for our customers. - - Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels - are included in the `prometheus.common.metaLabels` block below. - */}} {{- define "prometheus.common.matchLabels" -}} -{{/*app.kubernetes.io/name: {{ include "prometheus.name" . }}*/}} -{{/*app.kubernetes.io/instance: {{ .Release.Name }}*/}} -app: {{ template "prometheus.name" . }} -release: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "prometheus.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} {{- end -}} {{/* @@ -46,8 +29,6 @@ app.kubernetes.io/version: {{ .Chart.AppVersion }} helm.sh/chart: {{ include "prometheus.chart" . }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/part-of: {{ include "prometheus.name" . }} -app.kubernetes.io/name: {{ include "prometheus.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} {{- with .Values.commonMetaLabels}} {{ toYaml . }} {{- end }} 
@@ -56,30 +37,10 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- define "prometheus.server.labels" -}} {{ include "prometheus.server.matchLabels" . }} {{ include "prometheus.common.metaLabels" . }} -app.kubernetes.io/component: {{ .Values.server.name }} {{- end -}} -{{/* -Selector labels - -K10 NOTE: - - The selector label here (`component`) is divergent from the - selector label set by the upstream chart. This is intentional since a - Deployment's `spec.selector` is immutable and K10 has already been - shipped with this value. - - A change to this selector label will mean that all customers must manually - delete the Prometheus Deployment before upgrading, which is a situation we don't - want for our customers. - - Instead, the `app.kubernetes.io/component` labels is included in the - `prometheus.server.labels` block above. - -*/}} {{- define "prometheus.server.matchLabels" -}} -{{/*app.kubernetes.io/component: {{ .Values.server.name }}*/}} -component: {{ .Values.server.name | quote }} +app.kubernetes.io/component: {{ .Values.server.name }} {{ include "prometheus.common.matchLabels" . }} {{- end -}} 
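Review bot: `prometheus.server.matchLabels` now emits `app.kubernetes.io/component` instead of `component`, on top of the `app`/`release` to `app.kubernetes.io/name`/`instance` switch in the previous hunk, and both feed the server Deployment/StatefulSet `spec.selector`, which is immutable. The removed K10 NOTE states this chart has always shipped with the old values, so unlike the optional subcharts every existing install will hit a selector-immutable error on `helm upgrade` unless the Prometheus workload is deleted first; a `pre-upgrade` hook or an explicit manual step in the release notes is required. Separately, the new line drops the `| quote` the old `component:` line had; keep `app.kubernetes.io/component: {{ .Values.server.name | quote }}` so a numeric-looking `server.name` still renders as a string label.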
@@ -271,82 +232,3 @@ Define prometheus.server.remoteRead producing a list of remoteRead configuration {{ toYaml $remoteReads }} {{- end -}} -{{/* ==================================================================== */}} -{{/* ================ Kasten added code lives below here ================ */}} -{{/* ==================================================================== */}} - -{{/* - Get the ConfigMap Reload image -*/}} -{{- define "get.cmreloadimage" }} - {{- (get .Values.global.images (include "prometheus.cmreloadImageName" .)) | default (include "prometheus.cmreloadImage" .) }} -{{- end }} - -{{- define "prometheus.cmreloadImage" }} - {{- printf "%s:%s" (include "prometheus.cmreloadImageRepo" .) (include "prometheus.cmreloadImageTag" .) }} -{{- end -}} - -{{- define "prometheus.cmreloadImageRepo" -}} - {{- if .Values.global.airgapped.repository }} - {{- printf "%s/%s" .Values.global.airgapped.repository (include "prometheus.cmreloadImageName" .) }} - {{- else }} - {{- printf "%s/%s" .Values.global.image.registry (include "prometheus.cmreloadImageName" .) }} - {{- end }} -{{- end -}} - -{{- define "prometheus.cmreloadImageName" -}} - {{- printf "configmap-reload" }} -{{- end -}} - -{{- define "prometheus.cmreloadImageTag" -}} - {{- include "get.k10ImageTag" . }} -{{- end -}} - -{{/* - Get the Prometheus image -*/}} - -{{- define "get.serverimage" }} - {{- (get .Values.global.images (include "prometheus.prometheusImageName" .)) | default (include "prometheus.prometheusImage" .) }} -{{- end -}} - -{{- define "prometheus.prometheusImage" }} - {{- printf "%s:%s" (include "prometheus.prometheusImageRepo" .) (include "prometheus.prometheusImageTag" .) }} -{{- end -}} - -{{- define "prometheus.prometheusImageRepo" -}} - {{- if .Values.global.airgapped.repository }} - {{- printf "%s/%s" .Values.global.airgapped.repository (include "prometheus.prometheusImageName" .) 
}} - {{- else }} - {{- printf "%s/%s" .Values.global.image.registry (include "prometheus.prometheusImageName" .) }} - {{- end }} -{{- end -}} - -{{- define "prometheus.prometheusImageName" -}} - {{- printf "prometheus" }} -{{- end -}} - -{{- define "prometheus.prometheusImageTag" -}} - {{- include "get.k10ImageTag" . }} -{{- end -}} - -{{/* -Create a fully qualified Prometheus server clusterrole name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.server.clusterrolefullname" -}} - {{- if .Values.server.clusterRoleNameOverride -}} - {{- .Values.server.clusterRoleNameOverride | trunc 63 | trimSuffix "-" -}} - {{- else -}} - {{- if .Values.server.fullnameOverride -}} - {{- printf "%s-%s" .Release.Name .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} - {{- else -}} - {{- $name := default .Chart.Name .Values.nameOverride -}} - {{- if contains $name .Release.Name -}} - {{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} - {{- else -}} - {{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} - {{- end -}} - {{- end -}} - {{- end -}} -{{- end -}} diff --git a/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml b/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml index e17438810..25e3cec45 100644 --- a/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/clusterrole.yaml @@ -4,7 +4,7 @@ kind: ClusterRole metadata: labels: {{- include "prometheus.server.labels" . | nindent 4 }} - name: {{ template "prometheus.server.clusterrolefullname" . }} + name: {{ include "prometheus.clusterRoleName" . }} rules: {{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} - apiGroups: 
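Review bot: The ClusterRole is renamed from `prometheus.server.clusterrolefullname` to `prometheus.clusterRoleName`, but no definition of that helper is added in the visible hunks while the old one is deleted above, so rendering depends on it existing elsewhere in _helpers.tpl. Please confirm it does, and that it still honours `server.clusterRoleNameOverride` and `server.fullnameOverride`, which the deleted helper supported; otherwise users who relied on those keys get a differently named cluster-scoped object and their existing binding no longer matches. The `rules` list continues outside the hunk.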
diff --git a/charts/kasten/k10/charts/prometheus/templates/clusterrolebinding.yaml b/charts/kasten/k10/charts/prometheus/templates/clusterrolebinding.yaml index 82814c305..28f4bda77 100644 --- a/charts/kasten/k10/charts/prometheus/templates/clusterrolebinding.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/clusterrolebinding.yaml @@ -4,7 +4,7 @@ kind: ClusterRoleBinding metadata: labels: {{- include "prometheus.server.labels" . | nindent 4 }} - name: {{ template "prometheus.server.clusterrolefullname" . }} + name: {{ include "prometheus.clusterRoleName" . }} subjects: - kind: ServiceAccount name: {{ template "prometheus.serviceAccountName.server" . }} @@ -12,5 +12,5 @@ subjects: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ template "prometheus.server.clusterrolefullname" . }} + name: {{ include "prometheus.clusterRoleName" . }} {{- end }} diff --git a/charts/kasten/k10/charts/prometheus/templates/deploy.yaml b/charts/kasten/k10/charts/prometheus/templates/deploy.yaml index 59790a8f0..93f93c44c 100644 --- a/charts/kasten/k10/charts/prometheus/templates/deploy.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/deploy.yaml @@ -57,7 +57,11 @@ spec: containers: {{- if .Values.configmapReload.prometheus.enabled }} - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} - image: "{{ include "get.cmreloadimage" .}}" + {{- if .Values.configmapReload.prometheus.image.digest }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}@{{ .Values.configmapReload.prometheus.image.digest }}" + {{- else }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + {{- end }} imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" {{- with .Values.configmapReload.prometheus.containerSecurityContext }} securityContext: 
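Review bot: The configmap-reload image is now `{{ repository }}:{{ tag }}` with no fallback, while the server image a few lines further down defaults its tag to `.Chart.AppVersion`; if `configmapReload.prometheus.image.tag` is empty the reference ends in a bare `:` and the pod never starts. Use `{{ required "configmapReload.prometheus.image.tag is required" .Values.configmapReload.prometheus.image.tag }}` or a documented default in values.yaml. This also removes the `get.cmreloadimage` indirection (deleted in _helpers.tpl above) that honoured `global.airgapped.repository` and `global.images` overrides; if K10 still relies on those for air-gapped installs, the reload and server images will now be pulled from the upstream registry, so the parent chart's image handling should be verified. The same change is made in sts.yaml.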
@@ -104,7 +108,11 @@ spec: {{- end }} - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} - image: "{{ include "get.serverimage" .}}" + {{- if .Values.server.image.digest }} + image: "{{ .Values.server.image.repository }}@{{ .Values.server.image.digest }}" + {{- else }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion}}" + {{- end }} imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" {{- with .Values.server.command }} command: @@ -264,14 +272,9 @@ spec: {{- else }} dnsPolicy: {{ .Values.server.dnsPolicy }} {{- end }} - {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }} + {{- if .Values.imagePullSecrets }} imagePullSecrets: - {{- if .Values.global.imagePullSecret }} - - name: {{ .Values.global.imagePullSecret }} - {{- end }} - {{- if .Values.imagePullSecrets }} {{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} {{- end }} {{- if .Values.server.nodeSelector }} nodeSelector: diff --git a/charts/kasten/k10/charts/prometheus/templates/pvc.yaml b/charts/kasten/k10/charts/prometheus/templates/pvc.yaml index a91114cc7..a9dc4fce0 100644 --- a/charts/kasten/k10/charts/prometheus/templates/pvc.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/pvc.yaml 
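Review bot: `imagePullSecrets` is now rendered only from `.Values.imagePullSecrets`; the `global.imagePullSecret` branch is removed. For a subchart, a `global.*` key is how a parent such as K10 typically hands down a single pull secret for private or air-gapped registries, so if the parent still sets `global.imagePullSecret` the prometheus pods lose their pull secret and sit in ImagePullBackOff after upgrade. Either keep the global branch, `{{- if or .Values.global.imagePullSecret .Values.imagePullSecrets }}`, or confirm the parent now passes `prometheus.imagePullSecrets` and say so in the upgrade notes. The hunk ends mid pod spec, and sts.yaml receives the same change.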
@@ -19,17 +19,11 @@ spec: accessModes: {{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} {{- if .Values.server.persistentVolume.storageClass }} - {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} +{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} +{{- else }} storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" - {{- end }} -{{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} +{{- end }} {{- end }} {{- if .Values.server.persistentVolume.volumeBindingMode }} volumeBindingMode: "{{ .Values.server.persistentVolume.volumeBindingMode }}" diff --git a/charts/kasten/k10/charts/prometheus/templates/sts.yaml b/charts/kasten/k10/charts/prometheus/templates/sts.yaml index 61099ffde..63851c4db 100644 --- a/charts/kasten/k10/charts/prometheus/templates/sts.yaml +++ b/charts/kasten/k10/charts/prometheus/templates/sts.yaml @@ -62,7 +62,11 @@ spec: containers: {{- if .Values.configmapReload.prometheus.enabled }} - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} - image: "{{ include "get.cmreloadimage" .}}" + {{- if .Values.configmapReload.prometheus.image.digest }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}@{{ .Values.configmapReload.prometheus.image.digest }}" + {{- else }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + {{- end }} imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" {{- with .Values.configmapReload.prometheus.containerSecurityContext }} securityContext: 
@@ -106,7 +110,11 @@ spec: {{- end }} - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} - image: "{{ include "get.serverimage" .}}" + {{- if .Values.server.image.digest }} + image: "{{ .Values.server.image.repository }}@{{ .Values.server.image.digest }}" + {{- else }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}" + {{- end }} imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" {{- with .Values.server.command }} command: @@ -264,14 +272,9 @@ spec: {{- if .Values.server.dnsPolicy }} dnsPolicy: {{ .Values.server.dnsPolicy }} {{- end }} - {{- if (or .Values.global.imagePullSecret .Values.imagePullSecrets) }} + {{- if .Values.imagePullSecrets }} imagePullSecrets: - {{- if .Values.global.imagePullSecrets }} - - name: {{ .Values.global.imagePullSecret }} - {{- end }} - {{- if .Values.imagePullSecrets }} {{ toYaml .Values.imagePullSecrets | indent 8 }} - {{- end }} {{- end }} {{- if .Values.server.nodeSelector }} nodeSelector: 
@@ -359,30 +362,24 @@ spec: {{- end }} spec: accessModes: - {{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} resources: requests: storage: "{{ .Values.server.persistentVolume.size }}" - {{- if .Values.server.persistentVolume.storageClass }} - {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" - {{- end }} - {{- else if .Values.global.persistence.storageClass }} - {{- if (eq "-" .Values.global.persistence.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.global.persistence.storageClass }}" - {{- end }} - {{- end }} {{- else }} - - name: storage-volume - emptyDir: - {{- if .Values.server.emptyDir.sizeLimit }} - sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} - {{- else }} - { } - {{- end -}} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" {{- end }} {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/charts/prometheus/values.yaml b/charts/kasten/k10/charts/prometheus/values.yaml index 535de34e4..9ae23251d 100644 --- a/charts/kasten/k10/charts/prometheus/values.yaml +++ b/charts/kasten/k10/charts/prometheus/values.yaml @@ -16,7 +16,7 @@ imagePullSecrets: [] ## serviceAccounts: server: - create: true # K10 expects this to be true + create: true name: "" annotations: {} 
@@ -315,8 +315,7 @@ server: ## Defining configMapOverrideName will cause templates/server-configmap.yaml ## to NOT generate a ConfigMap resource ## - ## Customized by Kasten. K10 expects this name - configMapOverrideName: "k10-prometheus-config" + configMapOverrideName: "" ## Extra labels for Prometheus server ConfigMap (ConfigMap that holds serverFiles) extraConfigmapLabels: {} @@ -422,7 +421,7 @@ server: ## If true, Prometheus server will create/use a Persistent Volume Claim ## If false, use emptyDir ## - enabled: true # K10 requires this to be true + enabled: true ## If set it will override the name of the created persistent volume claim ## generated by the stateful set. @@ -1184,7 +1183,7 @@ alertRelabelConfigs: {} networkPolicy: ## Enable creation of NetworkPolicy resources. ## - ## Customized by Kasten for K10 + ## Customized for K10 enabled: true # Force namespace of namespaced resources @@ -1209,6 +1208,7 @@ extraManifests: [] alertmanager: ## If false, alertmanager will not be installed ## + ## Customized for K10 enabled: false persistence: @@ -1226,6 +1226,7 @@ alertmanager: kube-state-metrics: ## If false, kube-state-metrics sub-chart will not be installed ## + ## Customized for K10 enabled: false ## prometheus-node-exporter sub-chart configurable values @@ -1234,6 +1235,7 @@ kube-state-metrics: prometheus-node-exporter: ## If false, node-exporter will not be installed ## + ## Customized for K10 enabled: false rbac: @@ -1248,6 +1250,7 @@ prometheus-node-exporter: prometheus-pushgateway: ## If false, pushgateway will not be installed ## + ## Customized for K10 enabled: false # Optional service annotations diff --git a/charts/kasten/k10/templates/NOTES.txt b/charts/kasten/k10/templates/NOTES.txt index a5acbf846..4f8db38bd 100644 --- a/charts/kasten/k10/templates/NOTES.txt +++ b/charts/kasten/k10/templates/NOTES.txt 
@@ -39,7 +39,7 @@ In addition, To establish a connection to it use the following `kubectl` command: -`kubectl --namespace {{ .Release.Namespace }} port-forward service/gateway 8080:{{ .Values.service.externalPort }}` +`kubectl --namespace {{ .Release.Namespace }} port-forward service/gateway 8080:{{ .Values.gateway.service.externalPort }}` The Kasten dashboard will be available at: `http{{ if or (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}s{{ end }}://127.0.0.1:8080/{{ .Release.Name }}/#/` {{ if and ( .Values.metering.awsManagedLicense ) ( not .Values.metering.licenseConfigSecretName ) }} diff --git a/charts/kasten/k10/templates/_definitions.tpl b/charts/kasten/k10/templates/_definitions.tpl index d9b94c36a..73b49030b 100644 --- a/charts/kasten/k10/templates/_definitions.tpl +++ b/charts/kasten/k10/templates/_definitions.tpl @@ -35,8 +35,8 @@ crypto: dashboardbff: - vbrintegrationapi state: -- admin - events +- admin {{- end -}} {{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}} {{- define "k10.configAPIs" -}}config{{- end -}} @@ -212,8 +212,9 @@ state-svc: {{- define "k10.aggAuditPolicyFile" -}}agg-audit-policy.yaml{{- end -}} {{- define "k10.siemAuditLogFilePath" -}}-{{- end -}} {{- define "k10.siemAuditLogFileSize" -}}100{{- end -}} -{{- define "k10.kanisterToolsImageTag" -}}0.104.0{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.105.0{{- end -}} {{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}} {{- define "k10.gatewayPrefixVarName" -}}GATEWAY_PREFIX{{- end -}} {{- define "k10.gatewayRequestHeadersVarName" -}}GATEWAY_REQUEST_HEADERS{{- end -}} {{- define "k10.gatewayAuthHeadersVarName" -}}GATEWAY_AUTH_HEADERS{{- end -}} +{{- define "k10.gatewayPortVarName" -}}GATEWAY_PORT{{- end -}} diff --git a/charts/kasten/k10/templates/_helpers.tpl b/charts/kasten/k10/templates/_helpers.tpl index 7263237b3..7cbfc28ff 100644 
--- a/charts/kasten/k10/templates/_helpers.tpl +++ b/charts/kasten/k10/templates/_helpers.tpl @@ -9,10 +9,6 @@ {{- end -}} {{- end -}} - {{- if not .Values.gateway.next_gen -}} - {{- $disabledServices = append $disabledServices "gateway" -}} - {{- end -}} - {{- $disabledServices | join " " -}} {{- end -}} @@ -1002,15 +998,15 @@ running in the same cluster. {{- fail (printf "Unsupported image format: %q (%s)" .image .path) -}} {{- end -}} - {{- $hash := $split_repo_tag_and_hash | rest | first -}} + {{- $digest := $split_repo_tag_and_hash | rest | first -}} {{- $tag := $split_repo_and_tag | rest | first -}} {{- $sha := "" -}} - {{- if $hash -}} - {{- if not ($hash | hasPrefix "sha256:") -}} + {{- if $digest -}} + {{- if not ($digest | hasPrefix "sha256:") -}} {{- fail (printf "Unsupported image ...@hash type: %q (%s)" .image .path) -}} {{- end -}} - {{- $sha = $hash | trimPrefix "sha256:" }} + {{- $sha = $digest | trimPrefix "sha256:" }} {{- end -}} {{- /* Split out the registry if the first component of the repo contains a "." */ -}} @@ -1027,6 +1023,7 @@ running in the same cluster. "registry" $registry "repository" $repo "tag" ($tag | default "") + "digest" ($digest | default "") "sha" ($sha | default "") ) | toJson -}} diff --git a/charts/kasten/k10/templates/_k10_container.tpl b/charts/kasten/k10/templates/_k10_container.tpl index 707c60e85..e9401da6e 100644 --- a/charts/kasten/k10/templates/_k10_container.tpl +++ b/charts/kasten/k10/templates/_k10_container.tpl 
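Review bot: With `gateway` no longer appended to `$disabledServices`, `get.enabledServices` returns `gateway` regardless of `gateway.next_gen`, and this commit compensates only in deployments.yaml and v0services.yaml by `continue`-ing past it; any other template that ranges over `get.enabledServices` (RBAC, network policies, resource requests, or whatever else calls it outside this diff) will now render gateway entries it did not before. It is worth grepping for the remaining callers and either skipping gateway there as well or keeping the exclusion in this helper and exposing the next_gen decision through a dedicated helper. The enclosing define starts before the hunk, so the variable's initialisation is not visible here.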
@@ -630,12 +630,12 @@ stating that types are not same for the equality check - name: K10_GRAFANA_ENABLED value: {{ .Values.grafana.enabled | quote }} {{- end }} -{{- if eq $service "gateway" }} - envFrom: - - configMapRef: - name: k10-gateway +{{- if eq $service "dashboardbff" }} + {{- with .Values.global.persistence.diskSpaceAlertPercent }} + - name: K10_DISK_SPACE_ALERT_PERCENT + value: {{ . | quote }} + {{- end -}} {{- end -}} - {{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} volumeMounts: {{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} @@ -712,7 +712,6 @@ stating that types are not same for the equality check - name: kanister-sidecar image: {{ include "get.kanisterToolsImage" .}} imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }} -{{- $podName := (printf "%s-svc" $service) }} {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}} volumeMounts: - name: {{ $service }}-persistent-storage @@ -780,6 +779,7 @@ stating that types are not same for the equality check {{- define "k10-init-container" }} {{- $pod := .k10_pod }} +{{- $podName := (printf "%s-svc" $pod) }} {{- with .main }} {{- $main_context := . }} {{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} @@ -795,6 +795,7 @@ stating that types are not same for the equality check - --new-config-path=/dex-config/config.yaml - --secret-field=bindPW {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "dex-init" | include "k10.resource.request" | indent 8}} volumeMounts: - mountPath: /etc/dex/cfg name: config 
@@ -814,6 +815,7 @@ stating that types are not same for the equality check allowPrivilegeEscalation: false {{- dict "main" $main_context "k10_service" "upgrade" | include "serviceImage" | indent 8 }} imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "upgrade-init" | include "k10.resource.request" | indent 8}} env: - name: MODEL_STORE_DIR valueFrom: @@ -827,6 +829,7 @@ stating that types are not same for the equality check - name: schema-upgrade-check {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }} imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "schema-upgrade-check" | include "k10.resource.request" | indent 8}} env: {{- if $main_context.Values.clusterName }} - name: CLUSTER_NAME diff --git a/charts/kasten/k10/templates/_k10_image_tag.tpl b/charts/kasten/k10/templates/_k10_image_tag.tpl index 594504dce..958200d79 100644 --- a/charts/kasten/k10/templates/_k10_image_tag.tpl +++ b/charts/kasten/k10/templates/_k10_image_tag.tpl @@ -1 +1 @@ -{{- define "k10.imageTag" -}}6.5.2{{- end -}} \ No newline at end of file +{{- define "k10.imageTag" -}}6.5.3{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/templates/_k10_metering.tpl b/charts/kasten/k10/templates/_k10_metering.tpl index d40c47412..95243c022 100644 --- a/charts/kasten/k10/templates/_k10_metering.tpl +++ b/charts/kasten/k10/templates/_k10_metering.tpl @@ -4,6 +4,7 @@ we have to start using .Values.reportingSecret instead of correct version .Values.metering.reportingSecret */}} {{- define "k10-metering" }} {{ $service := .k10_service }} +{{- $podName := (printf "%s-svc" $service) }} {{ $main := .main }} {{- with .main }} {{- $servicePort := .Values.service.externalPort -}} 
@@ -140,6 +141,7 @@ spec: allowPrivilegeEscalation: false {{- dict "main" . "k10_service" "upgrade" | include "serviceImage" | indent 8 }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} + {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "upgrade-init" | include "k10.resource.request" | indent 8}} env: - name: MODEL_STORE_DIR value: /var/reports/ @@ -151,7 +153,6 @@ spec: - name: {{ $service }}-svc {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }} imagePullPolicy: {{ .Values.global.image.pullPolicy }} -{{- $podName := (printf "%s-svc" $service) }} {{- $containerName := (printf "%s-svc" $service) }} {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}} ports: diff --git a/charts/kasten/k10/templates/_prometheus.tpl b/charts/kasten/k10/templates/_prometheus.tpl new file mode 100644 index 000000000..a49a8363f --- /dev/null +++ b/charts/kasten/k10/templates/_prometheus.tpl 
@@ -0,0 +1,29 @@ +{{/*** MATCH LABELS *** + NOTE: The match labels here (`app` and `release`) are divergent from + the match labels set by the upstream chart. This is intentional since a + Deployment's `spec.selector` is immutable and K10 has already been shipped + with these values. + + A change to these selector labels will mean that all customers must manually + delete the Prometheus Deployment before upgrading, which is a situation we don't + want for our customers. + + Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels + are included in the `prometheus.commonMetaLabels` in: + `helm/k10/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl`. +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ include "prometheus.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +app.kubernetes.io/component: {{ .Values.server.name }} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} diff --git a/charts/kasten/k10/templates/deployments.yaml b/charts/kasten/k10/templates/deployments.yaml index a6eb8ac25..b0a8ab9a2 100644 --- a/charts/kasten/k10/templates/deployments.yaml +++ b/charts/kasten/k10/templates/deployments.yaml @@ -25,6 +25,7 @@ Generate deployment specs for additional services. These are stateless and have 1 replica. */}} {{- range $skip, $k10_service := concat (include "get.enabledServices" . | splitList " ") (include "get.enabledAdditionalServices" . | splitList " ") }} + {{- if eq $k10_service "gateway" -}}{{- continue -}}{{- end -}} {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" false "replicas" 1 }} {{- include "k10-default" $tmp_contx -}} {{- end }} 
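Review bot: The `{{- continue -}}` added to the `range` in deployments.yaml (and the matching one in v0services.yaml, `@@ -125,6 +125,7 @@`) relies on Go 1.18 text/template support, which earlier Helm 3 releases do not ship; if Chart.yaml does not constrain the Helm version, rendering on an older client fails at parse time rather than with a clear message. If older clients must stay supported, the equivalent without `continue` is `{{- if ne $k10_service "gateway" }} ... {{- end }}` around the two body lines. If a minimum Helm version is already pinned, a short comment next to the `continue` saying so would save the next reader the check.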
diff --git a/charts/kasten/k10/templates/gateway.yaml b/charts/kasten/k10/templates/gateway.yaml index 07107fa28..1dd2f9d31 100644 --- a/charts/kasten/k10/templates/gateway.yaml +++ b/charts/kasten/k10/templates/gateway.yaml @@ -1,6 +1,5 @@ -{{- if not $.Values.gateway.next_gen }} -{{- $container_port := .Values.service.internalPort -}} -{{- $service_port := .Values.service.externalPort -}} +{{- $container_port := .Values.gateway.service.internalPort | default 8000 -}} +{{- $service_port := .Values.gateway.service.externalPort -}} {{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} --- apiVersion: v1 @@ -11,6 +10,7 @@ metadata: service: gateway {{ include "helm.labels" . | indent 4 }} name: gateway + {{- if not $.Values.gateway.next_gen }} annotations: getambassador.io/config: | --- @@ -30,13 +30,13 @@ metadata: name: ambassadorhost hostname: "*" ambassador_id: [ {{ include "k10.ambassadorId" . }} ] -{{- if .Values.secrets.tlsSecret }} + {{- if .Values.secrets.tlsSecret }} tlsSecret: name: {{ .Values.secrets.tlsSecret }} -{{- else if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} + {{- else if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} tlsSecret: name: gateway-certs -{{- end }} + {{- end }} requestPolicy: insecure: action: Route 
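Review bot: `$admin_port` keeps the function-call form `default 8877 .Values.service.gatewayAdminPort` directly under the two new pipeline-form defaults, and its value still lives under `.Values.service` while the other two ports moved to `.Values.gateway.service`. For consistency with the lines above, `{{- $admin_port := .Values.service.gatewayAdminPort | default 8877 -}}`; relocating the key itself would be a breaking values change, so at most note the split in values.yaml.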
@@ -52,27 +52,28 @@ metadata: from: SELF ambassador_id: [ {{ include "k10.ambassadorId" . }} ] --- -{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} apiVersion: getambassador.io/v3alpha1 kind: KubernetesEndpointResolver name: endpoint ambassador_id: [ {{ include "k10.ambassadorId" . }} ] --- -{{- end }} + {{- end }} apiVersion: getambassador.io/v3alpha1 kind: Module name: ambassador config: service_port: {{ $container_port }} -{{- if .Values.global.network.enable_ipv6 }} + {{- if .Values.global.network.enable_ipv6 }} enable_ipv6: true -{{- end }} + {{- end }} ambassador_id: [ {{ include "k10.ambassadorId" . }} ] -{{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} resolver: endpoint load_balancer: policy: round_robin -{{- end }} + {{- end }} + {{- end }} spec: ports: - name: http @@ -81,6 +82,7 @@ spec: selector: service: gateway --- +{{- if not $.Values.gateway.next_gen }} {{- if .Values.gateway.exposeAdminPort }} apiVersion: v1 kind: Service @@ -99,6 +101,7 @@ spec: service: gateway --- {{- end }} +{{- end }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -121,6 +124,53 @@ spec: service: gateway component: gateway {{ include "helm.labels" . | indent 8 }} +{{- if $.Values.gateway.next_gen }} + spec: + serviceAccountName: {{ template "serviceAccountName" . }} + {{- include "k10.imagePullSecrets" . | indent 6 }} + containers: + - name: gateway + {{- dict "main" . "k10_service" "gateway" | include "serviceImage" | indent 8 }} + resources: + limits: + cpu: {{ .Values.gateway.resources.limits.cpu | quote }} + memory: {{ .Values.gateway.resources.limits.memory | quote }} + requests: + cpu: {{ .Values.gateway.resources.requests.cpu | quote }} + memory: {{ .Values.gateway.resources.requests.memory | quote }} + env: + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version + {{- with $capabilities := include "k10.capabilities" . }} + - name: K10_CAPABILITIES + value: {{ $capabilities | quote }} + {{- end }} + {{- with $capabilities_mask := include "k10.capabilities_mask" . }} + - name: K10_CAPABILITIES_MASK + value: {{ $capabilities_mask | quote }} + {{- end }} + envFrom: + - configMapRef: + name: k10-gateway + livenessProbe: + httpGet: + path: /healthz + port: {{ $container_port }} + initialDelaySeconds: 5 + readinessProbe: + httpGet: + path: /healthz + port: {{ $container_port }} + restartPolicy: Always +{{- else }} spec: serviceAccountName: {{ template "serviceAccountName" . }} {{- include "k10.imagePullSecrets" . | indent 6 }} diff --git a/charts/kasten/k10/templates/ingress.yaml b/charts/kasten/k10/templates/ingress.yaml index 48efc0530..9cc2e7d77 100644 --- a/charts/kasten/k10/templates/ingress.yaml +++ b/charts/kasten/k10/templates/ingress.yaml 
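Review bot: The new `next_gen` gateway container sets resources, env, probes and `restartPolicy` but no `securityContext`, while the other containers touched by this diff (the upgrade init containers in _k10_container.tpl and _k10_metering.tpl) carry `allowPrivilegeEscalation: false`; the legacy branch after `{{- else }}` is outside the hunk, so I cannot tell whether it hardens the container either. For the externally reachable gateway this is the place where dropping privileges matters most, so add at least `securityContext:` / `  allowPrivilegeEscalation: false` under the container and match whatever pod-level context the legacy branch uses. The hunk also duplicates the `serviceAccountName` and `k10.imagePullSecrets` lines from the legacy branch; hoisting them above the `if` would shrink the divergence between the two pod specs.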
@@ -1,5 +1,5 @@ {{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} -{{- $service_port := .Values.service.externalPort -}} +{{- $service_port := .Values.gateway.service.externalPort -}} {{ if .Values.ingress.create }} {{ include "authEnabled.check" . }} apiVersion: {{ template "ingress.apiVersion" . }} diff --git a/charts/kasten/k10/templates/k10-config.yaml b/charts/kasten/k10/templates/k10-config.yaml index b8a4953ba..2b8d386f7 100644 --- a/charts/kasten/k10/templates/k10-config.yaml +++ b/charts/kasten/k10/templates/k10-config.yaml @@ -273,4 +273,8 @@ data: {{- if .Values.gateway.authHeaders }} {{ include "k10.gatewayAuthHeadersVarName" .}}: {{ (.Values.gateway.authHeaders | default list) | join " " }} {{- end }} + + {{- if .Values.gateway.service.internalPort }} + {{ include "k10.gatewayPortVarName" .}}: {{ .Values.gateway.service.internalPort | quote }} + {{- end }} {{ end }} diff --git a/charts/kasten/k10/templates/networkpolicy.yaml b/charts/kasten/k10/templates/networkpolicy.yaml index f775255b0..1467c54b8 100644 --- a/charts/kasten/k10/templates/networkpolicy.yaml +++ b/charts/kasten/k10/templates/networkpolicy.yaml @@ -31,7 +31,7 @@ spec: access-k10-services: allowed ports: - protocol: TCP - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 @@ -51,7 +51,7 @@ spec: release: {{ .Release.Name }} ports: - protocol: TCP - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} --- {{/* TODO: Consider a flag to turn this off. */}} kind: NetworkPolicy @@ -116,7 +116,7 @@ spec: - from: [] ports: - protocol: TCP - port: 8000 + port: {{ .Values.gateway.service.internalPort | default 8000 }} --- kind: NetworkPolicy apiVersion: networking.k8s.io/v1 
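Review bot: The `GATEWAY_PORT` entry in k10-config.yaml is emitted only when `gateway.service.internalPort` is explicitly set, while gateway.yaml (`$container_port`) and networkpolicy.yaml (`@@ -116,7 +116,7 @@`) fall back to `8000`; the listen port the gateway process assumes when the variable is absent is therefore a further, invisible copy of that default. Rendering it unconditionally keeps the container port, the NetworkPolicy port and the process's configured port in one place: `{{ include "k10.gatewayPortVarName" .}}: {{ .Values.gateway.service.internalPort | default 8000 | quote }}`. The closing `{{ end }}` of the configmap's data block lies outside the hunk.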
@@ -181,7 +181,7 @@ spec: createdBy: kanister ports: - protocol: TCP - port: {{ .Values.service.externalPort }} + port: {{ .Values.service.internalPort }} {{- end -}} {{- if .Values.injectKanisterSidecar.enabled }} --- diff --git a/charts/kasten/k10/templates/rhmarketplace.tpl b/charts/kasten/k10/templates/rhmarketplace.tpl new file mode 100644 index 000000000..e64022641 --- /dev/null +++ b/charts/kasten/k10/templates/rhmarketplace.tpl @@ -0,0 +1,8 @@ +{{/* +This file is used to fail the helm deployment if certain values are set which are +not compatible with an Operator deployment. +*/}} + +{{- if and (.Values.global.rhMarketPlace) (.Values.reporting.pdfReports) -}} + {{- fail "reporting.pdfReports cannot be enabled for the K10 Red Hat Marketplace Operator" -}} +{{- end -}} diff --git a/charts/kasten/k10/templates/v0services.yaml b/charts/kasten/k10/templates/v0services.yaml index 8b35acf7d..5135e58f2 100644 --- a/charts/kasten/k10/templates/v0services.yaml +++ b/charts/kasten/k10/templates/v0services.yaml @@ -125,6 +125,7 @@ spec: {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}} {{ end -}}{{/* range append (include "get.enabledRestServices" . | splitList " ") "frontend" */}} {{- range append (include "get.enabledServices" . | splitList " ") "kanister" }} +{{- if eq . "gateway" -}}{{- continue -}}{{- end -}} apiVersion: v1 kind: Service metadata: diff --git a/charts/kasten/k10/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl b/charts/kasten/k10/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl new file mode 100644 index 000000000..8715f98d9 --- /dev/null +++ b/charts/kasten/k10/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl 
@@ -0,0 +1,156 @@ +{{/* + With some of K10's features being provided by external Helm charts, those Helm + charts need to be configured to work with K10. + + Unfortunately, some of the values needed to configure the subcharts aren't + accessible to the subcharts (only global.* and chart_name.* are accessible). + + This means the values need to be duplicated, making the configuration of K10 + quite cumbersome for users (the same setting has to be provided in multiple + places, making it easy to misconfigure one thing or another). + + Alternatively, the subchart's templates could be customized to read global.* + values instead. However, this means upgrading the subchart is quite burdensome + since the customizations have to be re-applied to the upgraded chart. This is + even less tenable with the frequency with which chart updates are needed. + + With this in mind, this template was specially crafted to be able to read K10 + values and update the values that will be passed to the subchart. + + --- + + To accomplish this, Helm's template parsing and rendering order is exploited. + + Helm allows parent charts to override templates in subcharts. This is done by + parsing templates with lower precedence first (templates that are more deeply + nested than others). This allows templates with higher precedence to redefine + templates with lower precedence. + + Helm also renders templates in this same order. This template exploits this + ordering in order to set subchart values before the subchart's templates are + rendered, having the same effect as the user setting the values. + + WARNING: The name and directory structure of this template was carefully + selected to ensure that it is rendered before other templates! 
+*/}} + +{{- if .Values.prometheus.server.enabled }} +{{- $prometheus_scoped_values := (dict "Chart" (dict "Name" "prometheus") "Release" .Release "Values" .Values.prometheus) -}} + +{{- $prometheus_name := (include "prometheus.name" $prometheus_scoped_values) -}} +{{- $prometheus_prefix := "/k10/prometheus/" -}} +{{- $release_name := .Release.Name -}} + +{{- /*** PROMETHEUS LABELS ***/ -}} +{{- $_ := mergeOverwrite .Values.prometheus + (dict + "commonMetaLabels" (dict + "app.kubernetes.io/name" $prometheus_name + "app.kubernetes.io/instance" $release_name + ) + ) +-}} + +{{- /*** PROMETHEUS SERVER OVERRIDES ***/ -}} +{{- $fullnameOverride := .Values.prometheus.server.fullnameOverride | default "prometheus-server" -}} +{{- $clusterRoleNameOverride := .Values.prometheus.server.clusterRoleNameOverride | default (printf "%s-%s" .Release.Name $fullnameOverride) -}} +{{- $_ := mergeOverwrite .Values.prometheus.server + (dict + "baseURL" (.Values.prometheus.server.baseURL | default $prometheus_prefix) + "prefixURL" (.Values.prometheus.server.prefixURL | default $prometheus_prefix | trimSuffix "/") + + "clusterRoleNameOverride" $clusterRoleNameOverride + "configMapOverrideName" "k10-prometheus-config" + "fullnameOverride" $fullnameOverride + ) +-}} + +{{- /*** K10 PROMETHEUS CONFIGMAP-RELOAD IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.configmap-reload +*/ -}} +{{- $prometheus_configmap_reload_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "configmap-reload" + "tag" (include "get.k10ImageTag" $) +) -}} +{{- if (index .Values.global.images "configmap-reload") -}} + {{- $prometheus_configmap_reload_image = ( + include "k10.splitImage" (dict + "image" (index .Values.global.images "configmap-reload") + "path" "global.images.configmap-reload" + ) + ) | fromJson + -}} +{{- end -}} + +{{- $_ := mergeOverwrite 
.Values.prometheus.configmapReload.prometheus.image + (dict + "repository" (list $prometheus_configmap_reload_image.registry $prometheus_configmap_reload_image.repository | compact | join "/") + "tag" $prometheus_configmap_reload_image.tag + "digest" $prometheus_configmap_reload_image.digest + ) +-}} + +{{- /*** K10 PROMETHEUS SERVER IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.prometheus +*/ -}} +{{- $prometheus_server_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "prometheus" + "tag" (include "get.k10ImageTag" $) +) -}} +{{- if .Values.global.images.prometheus -}} + {{- $prometheus_server_image = ( + include "k10.splitImage" (dict + "image" .Values.global.images.prometheus + "path" "global.images.prometheus" + ) + ) | fromJson + -}} +{{- end -}} + +{{- $_ := mergeOverwrite .Values.prometheus.server.image + (dict + "repository" (list $prometheus_server_image.registry $prometheus_server_image.repository | compact | join "/") + "tag" $prometheus_server_image.tag + "digest" $prometheus_server_image.digest + ) +-}} + +{{- /*** K10 IMAGE PULL SECRETS *** + - secrets.dockerConfig + - secrets.dockerConfigPath + - global.imagePullSecret +*/ -}} +{{- $image_pull_secret_names := list -}} +{{- if .Values.global.imagePullSecret -}} + {{- $image_pull_secret_names = append $image_pull_secret_names .Values.global.imagePullSecret -}} +{{- end -}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) -}} + {{ $image_pull_secret_names = append $image_pull_secret_names "k10-ecr" -}} +{{- end -}} +{{- $image_pull_secret_names = $image_pull_secret_names | compact | uniq -}} + +{{- if $image_pull_secret_names -}} + {{- $image_pull_secrets := .Values.prometheus.imagePullSecrets | default list -}} + {{- range $name := $image_pull_secret_names -}} + {{- $image_pull_secrets = append $image_pull_secrets (dict "name" $name) -}} + {{- 
end -}} + {{- $_ := set .Values.prometheus "imagePullSecrets" $image_pull_secrets -}} +{{- end -}} + +{{- /*** K10 PERSISTENCE *** + - global.persistence.storageClass +*/ -}} +{{- $_ := mergeOverwrite .Values.prometheus.server.persistentVolume + (dict + "storageClass" (.Values.prometheus.server.persistentVolume.storageClass | default .Values.global.persistence.storageClass) + ) +-}} +{{- end }} diff --git a/charts/kasten/k10/values.schema.json b/charts/kasten/k10/values.schema.json index 7ffd9e819..59c2d7fa1 100644 --- a/charts/kasten/k10/values.schema.json +++ b/charts/kasten/k10/values.schema.json @@ -2108,6 +2108,18 @@ "title": "Expose Admin port", "description": "Whether to expose Admin port for gateway service" }, + "service": { + "type": "object", + "title": "gateway service config", + "properties": { + "externalPort": { + "type": "integer", + "default": 80, + "title": "externalPort for the gateway service", + "description": "Override default 80 externalPort for the gateway service" + } + } + }, "resources": { "type": "object", "title": "Gateway pod resource config", diff --git a/charts/kasten/k10/values.yaml b/charts/kasten/k10/values.yaml index 43ac83d4a..1fe6ae477 100644 --- a/charts/kasten/k10/values.yaml +++ b/charts/kasten/k10/values.yaml @@ -404,6 +404,8 @@ limiter: gateway: insecureDisableSSLVerify: false exposeAdminPort: true + service: + externalPort: 80 resources: requests: memory: 300Mi diff --git a/charts/kong/kong/CHANGELOG.md b/charts/kong/kong/CHANGELOG.md index 1db82392b..bce8df9c0 100644 --- a/charts/kong/kong/CHANGELOG.md +++ b/charts/kong/kong/CHANGELOG.md 
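Review bot: `{{ $image_pull_secret_names = append $image_pull_secret_names "k10-ecr" -}}` is the only action in prometheus_values.tpl without the leading `{{-`, and because this file has no underscore prefix Helm renders its output as a manifest, so the stray newline and indentation leak into the rendered document. Helm drops empty documents, so this is harmless today, but it is inconsistent with every other line in the file and is exactly the kind of slip that turns into a YAML parse error once real text follows it: `{{- $image_pull_secret_names = append $image_pull_secret_names "k10-ecr" -}}`. Given the render-order trick the header describes, a sentence in that header stating that the template must produce no output would also help future editors.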
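Review bot: The new `gateway.service` schema object declares only `externalPort`, yet this commit reads `gateway.service.internalPort` in gateway.yaml, networkpolicy.yaml and k10-config.yaml, and values.yaml (`@@ -404,6 +404,8 @@`) likewise documents only `externalPort: 80`; the container port is therefore configurable but undiscoverable, and the `8000` default lives only in templates. Declaring it alongside `externalPort` (and adding a commented `internalPort` under `gateway.service` in values.yaml) documents the knob and lets the schema validate it.
```json
"properties": {
  "internalPort": {
    "type": "integer",
    "default": 8000,
    "title": "internalPort for the gateway service",
    "description": "Override default 8000 internalPort (container listen port) for the gateway service"
  },
```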
@@ -4,6 +4,26 @@ Nothing yet. +## 2.35.1 + +### Fixed + +* The plugin helper no longer sets the plugin list when not in use. + [#1002](https://github.com/Kong/charts/pull/1002) + +## 2.35.0 + +### Added + +* Added controller's RBAC rules for `KongVault` CRD (installed only when KIC + version >= 3.1.0). + [#992](https://github.com/Kong/charts/pull/992) + +### Fixed + +* Added a missing `envFrom` render in the main Kong proxy container. + [#994](https://github.com/Kong/charts/pull/994) + ## 2.34.0 ### Added diff --git a/charts/kong/kong/Chart.yaml b/charts/kong/kong/Chart.yaml index 740598e2c..574750ae3 100644 --- a/charts/kong/kong/Chart.yaml +++ b/charts/kong/kong/Chart.yaml @@ -18,4 +18,4 @@ maintainers: name: kong sources: - https://github.com/Kong/charts/tree/main/charts/kong -version: 2.34.0 +version: 2.35.1 diff --git a/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap index 632ec8342..e4a642bdf 100644 --- a/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap +++ b/charts/kong/kong/ci/__snapshots__/admin-api-service-clusterip-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -60,8 +60,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -179,8 +177,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -279,7 +275,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-custom-dbless-config namespace: default - object: @@ -291,7 +287,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-admin namespace: default spec: @@ -314,7 +310,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -342,7 +338,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -369,7 +365,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap index 8e7ca98c6..48a17cc2a 100644 --- a/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap +++ b/charts/kong/kong/ci/__snapshots__/custom-labels-values.snap 
@@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -85,7 +85,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -109,7 +109,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -158,6 +158,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -207,8 +210,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -321,8 +322,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -410,7 +409,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -659,7 +658,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -679,7 +678,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -744,7 +743,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -768,7 +767,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -785,7 +784,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -799,7 +798,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -828,7 +827,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -856,7 +855,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: 
@@ -872,7 +871,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -883,7 +882,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/default-values.snap b/charts/kong/kong/ci/__snapshots__/default-values.snap index d4ad6f81b..4a3009ad5 100644 --- a/charts/kong/kong/ci/__snapshots__/default-values.snap +++ b/charts/kong/kong/ci/__snapshots__/default-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -157,6 +157,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -208,8 +211,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -324,8 +325,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -412,7 +411,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -660,7 +659,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -679,7 +678,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -743,7 +742,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -766,7 +765,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -782,7 +781,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls 
@@ -795,7 +794,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -823,7 +822,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -850,7 +849,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -865,7 +864,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -875,7 +874,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap index e7116c127..7ffab2b24 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-1-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: 
@@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -155,6 +155,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -204,8 +207,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -318,8 +319,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -406,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -432,7 +431,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -680,7 +679,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -699,7 +698,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -763,7 +762,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -786,7 +785,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -802,7 +801,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -824,7 +823,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -852,7 +851,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -879,7 +878,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: 
@@ -894,7 +893,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -904,7 +903,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap index abecc1a2c..80ae7822f 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-2-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -155,6 +155,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -204,8 +207,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -318,8 +319,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -406,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -434,7 +433,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -682,7 +681,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -701,7 +700,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -765,7 +764,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -788,7 +787,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls 
@@ -804,7 +803,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -826,7 +825,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -854,7 +853,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -881,7 +880,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -896,7 +895,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -906,7 +905,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap index 4553dcf6a..f3cc17157 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-3-values.snap 
@@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -155,6 +155,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -204,8 +207,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -318,8 +319,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -406,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -430,7 +429,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: 
@@ -678,7 +677,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -697,7 +696,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -761,7 +760,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -784,7 +783,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -800,7 +799,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -813,7 +812,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -841,7 +840,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: 
@@ -868,7 +867,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -883,7 +882,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -893,7 +892,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap index 0ccaf3766..cadb9ee98 100644 --- a/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap +++ b/charts/kong/kong/ci/__snapshots__/kong-ingress-4-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -155,6 +155,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: 
@@ -204,8 +207,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -318,8 +319,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -406,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -465,7 +464,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -713,7 +712,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -732,7 +731,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -796,7 +795,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -819,7 +818,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls 
@@ -835,7 +834,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -866,7 +865,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -894,7 +893,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -921,7 +920,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -936,7 +935,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -946,7 +945,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/service-account.snap b/charts/kong/kong/ci/__snapshots__/service-account.snap index 0f47778a8..17b345ed2 100644 --- a/charts/kong/kong/ci/__snapshots__/service-account.snap +++ b/charts/kong/kong/ci/__snapshots__/service-account.snap 
@@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -155,6 +155,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -204,8 +207,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -318,8 +319,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -406,7 +405,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -654,7 +653,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io 
@@ -673,7 +672,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -737,7 +736,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -760,7 +759,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -776,7 +775,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -789,7 +788,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -817,7 +816,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -844,7 +843,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: 
@@ -859,7 +858,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -869,7 +868,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: my-kong-sa namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap index 29857465e..8ff4201e6 100644 --- a/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap +++ b/charts/kong/kong/ci/__snapshots__/single-image-default-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -157,6 +157,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -208,8 +211,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -324,8 +325,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -412,7 +411,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -660,7 +659,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -679,7 +678,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -743,7 +742,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -766,7 +765,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -782,7 +781,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls 
@@ -795,7 +794,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -823,7 +822,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -850,7 +849,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -865,7 +864,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -875,7 +874,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap index 3acef92f5..a954f812e 100644 --- a/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test-enterprise-version-3.4.0.0-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: 
@@ -33,7 +33,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -57,8 +57,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -169,8 +167,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -254,7 +250,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -282,7 +278,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -309,7 +305,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test1-values.snap b/charts/kong/kong/ci/__snapshots__/test1-values.snap index c714105a3..4e3848904 100644 --- a/charts/kong/kong/ci/__snapshots__/test1-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test1-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: 
@@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -106,7 +106,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" environment: test - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -159,6 +159,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -219,8 +222,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -341,8 +342,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -449,7 +448,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -475,7 +474,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -499,7 +498,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: 
@@ -747,7 +746,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -766,7 +765,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -830,7 +829,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -853,7 +852,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -869,7 +868,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -882,7 +881,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -910,7 +909,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: 
@@ -937,7 +936,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -952,7 +951,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: ServiceAccount @@ -962,7 +961,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test2-values.snap b/charts/kong/kong/ci/__snapshots__/test2-values.snap index ae0195d80..4e4688cbc 100644 --- a/charts/kong/kong/ci/__snapshots__/test2-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test2-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -84,7 +84,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -112,7 +112,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -170,6 +170,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: 
@@ -234,8 +237,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -266,6 +267,9 @@ SnapShot = """ value: 0.0.0.0:9000, [::]:9000, 0.0.0.0:9001 ssl, [::]:9001 ssl - name: KONG_NGINX_DAEMON value: \"off\" + envFrom: + - configMapRef: + name: env-config image: kong:3.5 imagePullPolicy: IfNotPresent lifecycle: @@ -369,8 +373,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -474,8 +476,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -725,7 +725,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-init-migrations namespace: default spec: @@ -741,7 +741,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-init-migrations spec: automountServiceAccountToken: false @@ -786,8 +786,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -893,8 +891,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -982,7 +978,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-post-upgrade-migrations namespace: default spec: @@ -998,7 +994,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-post-upgrade-migrations spec: automountServiceAccountToken: false @@ -1043,8 +1039,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1150,8 +1144,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1241,7 +1233,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-pre-upgrade-migrations namespace: default spec: @@ -1257,7 +1249,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-pre-upgrade-migrations spec: automountServiceAccountToken: false @@ -1302,8 +1294,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1409,8 +1399,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG 
@@ -1494,7 +1482,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -1518,7 +1506,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -1561,7 +1549,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -1580,7 +1568,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -1644,7 +1632,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-default namespace: default rules: @@ -1862,7 +1850,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -1882,7 +1870,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-default namespace: default roleRef: @@ -1908,7 +1896,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-bash-wait-for-postgres namespace: default - object: 
@@ -1930,7 +1918,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -1946,7 +1934,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls @@ -1974,7 +1962,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -2002,7 +1990,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -2037,7 +2025,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -2052,7 +2040,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: Service @@ -2112,7 +2100,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test3-values.snap b/charts/kong/kong/ci/__snapshots__/test3-values.snap index e61683608..19e84fa6c 100644 --- a/charts/kong/kong/ci/__snapshots__/test3-values.snap 
+++ b/charts/kong/kong/ci/__snapshots__/test3-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -62,8 +62,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -182,8 +180,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -300,7 +296,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-custom-dbless-config namespace: default - object: @@ -312,7 +308,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -340,7 +336,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: 
@@ -367,7 +363,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test4-values.snap b/charts/kong/kong/ci/__snapshots__/test4-values.snap index 49e0a1a6a..496dc250e 100644 --- a/charts/kong/kong/ci/__snapshots__/test4-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test4-values.snap @@ -10,7 +10,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -34,7 +34,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -62,8 +62,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -186,8 +184,6 @@ SnapShot = """ value: /opt/?.lua;/opt/?/init.lua;; - name: KONG_NGINX_WORKER_PROCESSES value: \"2\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -276,7 +272,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -309,7 +305,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-custom-dbless-config namespace: default - object: 
@@ -321,7 +317,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -349,7 +345,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -384,7 +380,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/ci/__snapshots__/test5-values.snap b/charts/kong/kong/ci/__snapshots__/test5-values.snap index 48c83a7a6..020e83507 100644 --- a/charts/kong/kong/ci/__snapshots__/test5-values.snap +++ b/charts/kong/kong/ci/__snapshots__/test5-values.snap @@ -9,7 +9,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validations namespace: default webhooks: @@ -83,7 +83,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default spec: @@ -111,7 +111,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 version: \"3.5\" spec: automountServiceAccountToken: false @@ -162,6 +162,9 @@ SnapShot = """ - containerPort: 10255 name: cmetrics protocol: TCP + - containerPort: 10254 + name: status + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: 
@@ -228,8 +231,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -359,8 +360,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -450,8 +449,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -698,7 +695,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-init-migrations namespace: default spec: @@ -714,7 +711,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-init-migrations spec: automountServiceAccountToken: false @@ -761,8 +758,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -854,8 +849,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -940,7 +933,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-post-upgrade-migrations namespace: default spec: 
@@ -956,7 +949,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-post-upgrade-migrations spec: automountServiceAccountToken: false @@ -1003,8 +996,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1096,8 +1087,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1184,7 +1173,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-pre-upgrade-migrations namespace: default spec: @@ -1200,7 +1189,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: kong-pre-upgrade-migrations spec: automountServiceAccountToken: false @@ -1247,8 +1236,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1340,8 +1327,6 @@ SnapShot = """ name: chartsnap-postgresql - name: KONG_PG_PORT value: \"5432\" - - name: KONG_PLUGINS - value: bundled - name: KONG_PORTAL_API_ACCESS_LOG value: /dev/stdout - name: KONG_PORTAL_API_ERROR_LOG @@ -1422,7 +1407,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: 
@@ -1446,7 +1431,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong rules: - apiGroups: @@ -1694,7 +1679,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong roleRef: apiGroup: rbac.authorization.k8s.io @@ -1713,7 +1698,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default rules: @@ -1777,7 +1762,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default roleRef: @@ -1803,7 +1788,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-bash-wait-for-postgres namespace: default - object: @@ -1818,7 +1803,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-ca-keypair namespace: default type: kubernetes.io/tls @@ -1834,7 +1819,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook-keypair namespace: default type: kubernetes.io/tls 
@@ -1862,7 +1847,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-manager namespace: default spec: @@ -1890,7 +1875,7 @@ SnapShot = """ app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" enable-metrics: \"true\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-proxy namespace: default spec: @@ -1917,7 +1902,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong-validation-webhook namespace: default spec: @@ -1932,7 +1917,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 - object: apiVersion: v1 kind: Service @@ -1992,7 +1977,7 @@ SnapShot = """ app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: kong app.kubernetes.io/version: \"3.5\" - helm.sh/chart: kong-2.34.0 + helm.sh/chart: kong-2.35.1 name: chartsnap-kong namespace: default """ diff --git a/charts/kong/kong/templates/_helpers.tpl b/charts/kong/kong/templates/_helpers.tpl index f5abde2ee..e47933627 100644 --- a/charts/kong/kong/templates/_helpers.tpl +++ b/charts/kong/kong/templates/_helpers.tpl @@ -890,6 +890,9 @@ The name of the Service which will be used by the controller to update the Ingre containerPort: 10255 protocol: TCP {{- end }} + - name: status + containerPort: 10254 + protocol: TCP env: - name: POD_NAME valueFrom: @@ -1155,7 +1158,9 @@ the template that it itself is using form the above sections. {{- end }} {{- end }} +{{- if (.Values.plugins) }} {{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}} +{{- end }} {{/* ====== USER-SET ENVIRONMENT VARIABLES ====== 
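Review bot: In the `@@ -890` hunk of `_helpers.tpl` the new `status` port 10254 is declared unconditionally, immediately after a 10255 port that sits inside a conditional closed by `{{- end }}`, so two adjacent port entries now follow different gating rules and nothing in the hunk says why. A `containerPort` entry is informational in Kubernetes — it neither opens nor restricts traffic — so what matters is what the controller actually serves on 10254 (presumably a status/health endpoint, going by the name) and whether any Service, probe or NetworkPolicy elsewhere in the chart refers to the port by name; none of that is visible here. Suggest a template comment above the entry, adjusted to what the endpoint really serves, e.g. `{{/* 10254: controller status endpoint, declared so probes/Services can reference it by name */}}`. The enclosing container definition starts and ends outside the hunk.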
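Review bot: Wrapping the `KONG_PLUGINS` auto-env in `{{- if (.Values.plugins) }}` in the `@@ -1155` hunk changes the rendered pod spec for every install that leaves `plugins` unset — the snapshot hunks earlier in this diff show `KONG_PLUGINS=bundled` disappearing from the pre- and post-upgrade migration jobs — and the template carries no note that the effective plugin set now falls back to Kong's own default instead of a value the chart pins. Because the plugin list decides which plugins can be enabled at all, that fallback should be spelled out where a maintainer will see it, e.g. `{{/* KONG_PLUGINS is only pinned when .Values.plugins is set; otherwise Kong's built-in default applies, presumably so a user-supplied env.plugins can take effect */}}` above the new `if`. If `kong.plugins` already returns `bundled` for an empty value, say that instead, since the guard is then only about precedence over user-set env. The surrounding define starts outside the hunk.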
@@ -1644,6 +1649,24 @@ of a Role or ClusterRole) that provide the ingress controller access to the Kubernetes Cluster-scoped resources it uses to build Kong configuration. */}} {{- define "kong.kubernetesRBACClusterRules" -}} +{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +{{- end }} - apiGroups: - configuration.konghq.com resources: diff --git a/charts/kong/kong/templates/deployment.yaml b/charts/kong/kong/templates/deployment.yaml index 70da44590..6e9bba8d3 100644 --- a/charts/kong/kong/templates/deployment.yaml +++ b/charts/kong/kong/templates/deployment.yaml @@ -137,6 +137,7 @@ spec: {{ toYaml .Values.containerSecurityContext | nindent 10 }} env: {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} lifecycle: {{- toYaml .Values.lifecycle | nindent 10 }} ports: diff --git a/charts/kubecost/cost-analyzer/Chart.yaml b/charts/kubecost/cost-analyzer/Chart.yaml index 87f687beb..f2908fc2f 100644 --- a/charts/kubecost/cost-analyzer/Chart.yaml +++ b/charts/kubecost/cost-analyzer/Chart.yaml 
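Review bot: The new cluster-scoped grant on `kongvaults` and `kongvaults/status` in `kong.kubernetesRBACClusterRules` is gated only on `semverCompare ">= 3.1.0"` of the controller's effective version, and the hunk gives no hint why 3.1.0 is the threshold or what happens when the image tag is not a semver string (a digest or `latest`); `kong.effectiveVersion` is defined outside this hunk, so whether it normalises such tags cannot be checked here. Since this widens the controller's ClusterRole to read every KongVault in the cluster and write their status, the rationale belongs next to the rule, e.g. `{{/* KongVault support requires controller >= 3.1.0; keep this gate in step with the version used for the CRD set */}}`. It is also worth confirming that the same version condition is applied wherever the chart decides which CRDs to install, so the ClusterRole and the CRDs do not drift apart. The define continues past the end of the hunk.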
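Review bot: In the `deployment.yaml` hunk, `kong.envFrom` is rendered with the same `nindent 8` as the `kong.no_daemon_env` items, so the helper itself must emit the `envFrom:` key at that indent for it to land as a sibling of `env:` rather than inside the list — that cannot be verified from this hunk, because both the helper and the container's `env:` indentation lie outside it, and a rendered snapshot with `envFrom` set would settle it. The practical effect is that every Secret or ConfigMap referenced through `.Values.envFrom` is now injected into this container too (presumably already the case for the main container, going by the helper's name), which matters if those sources carry credentials this container did not previously receive. A template comment above the include, e.g. `{{- /* envFrom sources are shared with the main Kong container */}}`, would make that sharing explicit. The container spec this belongs to starts and ends outside the hunk.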
@@ -7,22 +7,9 @@ annotations: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 -appVersion: 1.108.1 -dependencies: -- condition: global.grafana.enabled - name: grafana - repository: file://./charts/grafana - version: ~1.17.2 -- condition: global.prometheus.enabled - name: prometheus - repository: file://./charts/prometheus - version: ~11.0.2 -- condition: global.thanos.enabled - name: thanos - repository: file://./charts/thanos - version: ~0.29.0 +appVersion: 2.0.2 description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer -version: 1.108.1 +version: 2.0.2 diff --git a/charts/kubecost/cost-analyzer/README.md b/charts/kubecost/cost-analyzer/README.md index feedbbf3e..3674e10a5 100644 --- a/charts/kubecost/cost-analyzer/README.md +++ b/charts/kubecost/cost-analyzer/README.md 
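Review bot: The `dependencies:` block (grafana, prometheus and thanos subcharts with their `file://./charts/...` repositories) is dropped while the unchanged `description` still promises that the chart sets up Kubecost, Prometheus and Grafana; if 2.0.2 ships those components some other way the text is fine, otherwise it now overstates what the chart installs. The later hunks in this diff delete the vendored `charts/grafana` and `charts/prometheus` files, which is consistent with removing the dependencies but does not by itself tell a reader where the components went. Either update the description or add a short note in the chart's README pointing at the new mechanism.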
@@ -35,8 +35,6 @@ The following table lists commonly used configuration parameters for the Kubecos | Parameter | Description | Default | |------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| | `global.prometheus.enabled` | If false, use an existing Prometheus install. [More info](http://docs.kubecost.com/custom-prom). | `true` | -| `prometheus.kube-state-metrics.disabled` | If false, deploy [kube-state-metrics](https://github.com/kubernetes/kube-state-metrics) for Kubernetes metrics | `false` | -| `prometheus.kube-state-metrics.resources` | Set kube-state-metrics resource requests and limits. | `{}` | | `prometheus.server.persistentVolume.enabled` | If true, Prometheus server will create a Persistent Volume Claim. | `true` | | `prometheus.server.persistentVolume.size` | Prometheus server data Persistent Volume size. Default set to retain ~6000 samples per second for 15 days. | `32Gi` | | `prometheus.server.retention` | Determines when to remove old data. | `15d` | 
@@ -114,42 +112,3 @@ kind create cluster --image kindest/node:v1.25.11@sha256:227fa11ce74ea76a0474eee ct install --chart-dirs="." --charts="." ``` -- perform ct StatefulSet execution - -```shell -# create multiple nodes kind config -cat > kind-config.yaml < etlBucketConfigSecret.yaml <= 5.0.0`) | `5.3.1` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.port` | Kubernetes port where service is exposed | `80` | -| `service.annotations` | Service annotations | `{}` | -| `service.labels` | Custom labels | `{}` | -| `ingress.enabled` | Enables Ingress | `false` | -| `ingress.annotations` | Ingress annotations | `{}` | -| `ingress.labels` | Custom labels | `{}` | -| `ingress.hosts` | Ingress accepted hostnames | `[]` | -| `ingress.tls` | Ingress TLS configuration | `[]` | -| `resources` | CPU/Memory resource requests/limits | `{}` | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `tolerations` | Toleration labels for pod assignment | `[]` | -| `affinity` | Affinity settings for pod assignment | `{}` | -| `persistence.enabled` | Use persistent volume to store data | `false` | -| `persistence.size` | Size of persistent volume claim | `10Gi` | -| `persistence.existingClaim` | Use an existing PVC to persist data | `nil` | -| `persistence.storageClassName` | Type of persistent volume claim | `nil` | -| `persistence.accessModes` | Persistence access modes | `[]` | -| `persistence.subPath` | Mount a sub dir of the persistent volume | `""` | -| `schedulerName` | Alternate scheduler name | `nil` | -| `env` | Extra environment variables passed to pods | `{}` | -| `envFromSecret` | Name of a Kubenretes secret (must be manually created in the same namespace) containing values to be added to the environment | `""` | -| `extraSecretMounts` | Additional grafana server secret mounts | `[]` | -| `plugins` | Plugins to be loaded along with Grafana | `[]` | -| `datasources` | Configure 
grafana datasources | `{}` | -| `dashboardProviders` | Configure grafana dashboard providers | `{}` | -| `dashboards` | Dashboards to import | `{}` | -| `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` | -| `grafana.ini` | Grafana's primary configuration | `{}` | -| `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` | -| `ldap.config ` | Grafana's LDAP configuration | `""` | -| `annotations` | Deployment annotations | `{}` | -| `podAnnotations` | Pod annotations | `{}` | -| `sidecar.dashboards.enabled` | Enabled the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | -| `sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `false` | -| `sidecar.datasources.enabled` | Enabled the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | -| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `false` | -| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials, this must have the keys `user` and `password`. | `""` | - -## Sidecar for dashboards - -If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana pod. This container watches all config maps in the cluster and filters out the ones with a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported dashboards are deleted/updated. A recommendation is to use one configmap per dashboard, as an reduction of multiple dashboards inside one configmap is currently not properly mirrored in grafana. 
-Example dashboard config: -``` -apiVersion: v1 -kind: ConfigMap -metadata: - name: sample-grafana-dashboard - labels: - grafana_dashboard: 1 -data: - k8s-dashboard.json: |- - [...] -``` - -## Sidecar for datasources - -If the parameter `sidecar.datasource.enabled` is set, a sidecar container is deployed in the grafana pod. This container watches all config maps in the cluster and filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in those configmaps are written to a folder and accessed by grafana on startup. Using these yaml files, the data sources in grafana can be modified. - -Example datasource config adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): -``` -apiVersion: v1 -kind: ConfigMap -metadata: - name: sample-grafana-datasource - labels: - grafana_datasource: 1 -data: - datasource.yaml: |- - # config file version - apiVersion: 1 - - # list of datasources that should be deleted from the database - deleteDatasources: - - name: Graphite - orgId: 1 - - # list of datasources to insert/update depending - # whats available in the database - datasources: - # name of the datasource. Required - - name: Graphite - # datasource type. Required - type: graphite - # access mode. proxy or direct (Server or Browser in the UI). Required - access: proxy - # org id. will default to orgId 1 if not specified - orgId: 1 - # url - url: http://localhost:8080 - # database password, if used - password: - # database user, if used - user: - # database name, if used - database: - # enable/disable basic auth - basicAuth: - # basic auth username - basicAuthUser: - # basic auth password - basicAuthPassword: - # enable/disable with credentials headers - withCredentials: - # mark as default datasource. 
Max one per org - isDefault: - # fields that will be converted to json and stored in json_data - jsonData: - graphiteVersion: "1.1" - tlsAuth: true - tlsAuthWithCACert: true - # json object of data that will be encrypted. - secureJsonData: - tlsCACert: "..." - tlsClientCert: "..." - tlsClientKey: "..." - version: 1 - # allow users to edit datasources from the UI. - editable: false - -``` diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/NOTES.txt b/charts/kubecost/cost-analyzer/charts/grafana/templates/NOTES.txt deleted file mode 100644 index 57e84cd69..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/NOTES.txt +++ /dev/null 
@@ -1,37 +0,0 @@ -1. Get your '{{ .Values.adminUser }}' user password by running: - - kubectl get secret --namespace {{ .Release.Namespace }} {{ template "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo - -2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: - - {{ template "grafana.fullname" . }}.{{ .Release.Namespace }}.svc -{{ if .Values.ingress.enabled }} - From outside the cluster, the server URL(s) are: -{{- range .Values.ingress.hosts }} - http://{{ . }} -{{- end }} -{{ else }} - Get the Grafana URL to visit by running these commands in the same shell: -{{ if contains "NodePort" .Values.service.type -}} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{ else if contains "LoadBalancer" .Values.service.type -}} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "grafana.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - http://$SERVICE_IP:{{ .Values.service.port -}} -{{ else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "grafana.fullname" . }},component={{ .Values.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 3000 -{{- end }} -{{- end }} - -3. 
Login with the password from step 1 and the username: {{ .Values.adminUser }} - -{{- if not .Values.persistence.enabled }} -################################################################################# -###### WARNING: Persistence is disabled!!! You will lose your data when ##### -###### the Grafana pod is terminated. ##### -################################################################################# -{{- end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/charts/grafana/templates/_helpers.tpl deleted file mode 100644 index 3a3ebd3ec..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/_helpers.tpl +++ /dev/null 
@@ -1,43 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "grafana.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "grafana.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "grafana.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create the name of the service account -*/}} -{{- define "grafana.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "grafana.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/ingress.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/ingress.yaml deleted file mode 100644 index 1c65e2113..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "grafana.fullname" . -}} -{{- $servicePort := .Values.service.port -}} -{{- $ingressPath := .Values.ingress.path -}} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.ingress.labels }} -{{ toYaml .Values.ingress.labels | indent 4 }} -{{- end }} -{{- with .Values.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . }} - http: - paths: - {{- if $apiV1 }} - - path: {{ $ingressPath }} - pathType: {{ $.Values.ingress.pathType }} - backend: - service: - name: {{ $fullName }} - port: - number: {{ $servicePort }} - {{- else }} - - path: {{ $ingressPath }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/podsecuritypolicy.yaml deleted file mode 100644 index 9a392c606..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/podsecuritypolicy.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.rbac.pspEnabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "grafana.fullname" . }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' - seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' - {{- if .Values.rbac.pspUseAppArmor }} - apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' - apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - {{- end}} - -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'emptyDir' - - 'projected' - - 'secret' - - 'downwardAPI' - - 'persistentVolumeClaim' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'RunAsAny' - fsGroup: - rule: 'RunAsAny' - readOnlyRootFilesystem: false -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml deleted file mode 100644 index 4a0abd518..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/role.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -{{ if and .Values.global.grafana.enabled .Values.rbac.create .Values.rbac.pspEnabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: [{{ template "grafana.fullname" . }}] -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml deleted file mode 100644 index 4f11d6904..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/rolebinding.yaml +++ /dev/null @@ -1,19 +0,0 @@ -{{ if and .Values.global.grafana.enabled .Values.rbac.create .Values.rbac.pspEnabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "grafana.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "grafana.serviceAccountName" . }} -{{ end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/service.yaml b/charts/kubecost/cost-analyzer/charts/grafana/templates/service.yaml deleted file mode 100644 index a8059e066..000000000 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/service.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{{ if .Values.global.grafana.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "grafana.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.labels }} -{{ toYaml .Values.service.labels | indent 4 }} -{{- end }} -{{- with .Values.service.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} - type: ClusterIP - {{- if .Values.service.clusterIP }} - clusterIP: {{ .Values.service.clusterIP }} - {{end}} -{{- else if eq .Values.service.type "LoadBalancer" }} - type: {{ .Values.service.type }} - {{- if .Values.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.service.loadBalancerIP }} - {{- end }} - {{- if .Values.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: -{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} - {{- end -}} -{{- else }} - type: {{ .Values.service.type }} -{{- end }} -{{- if .Values.service.externalIPs }} - externalIPs: -{{ toYaml .Values.service.externalIPs | indent 4 }} -{{- end }} - ports: - - name: tcp-service - port: {{ .Values.service.port }} - protocol: TCP - targetPort: 3000 -{{ if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} - nodePort: {{.Values.service.nodePort}} -{{ end }} - selector: - app: {{ template "grafana.name" . }} - release: {{ .Release.Name }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/Chart.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/Chart.yaml deleted file mode 100644 index dd81a9c69..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/Chart.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: v1 -appVersion: 2.17.2 -description: Prometheus is a monitoring system and time series database. -home: https://prometheus.io/ -icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png -maintainers: -- email: gianrubio@gmail.com - name: gianrubio -- email: zanhsieh@gmail.com - name: zanhsieh -name: prometheus -sources: -- https://github.com/prometheus/alertmanager -- https://github.com/prometheus/prometheus -- https://github.com/prometheus/pushgateway -- https://github.com/prometheus/node_exporter -- https://github.com/kubernetes/kube-state-metrics -version: 11.0.2 diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/README.md b/charts/kubecost/cost-analyzer/charts/prometheus/README.md deleted file mode 100644 index bb8fded41..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/README.md +++ /dev/null 
@@ -1,475 +0,0 @@ -# Prometheus - -[Prometheus](https://prometheus.io/), a [Cloud Native Computing Foundation](https://cncf.io/) project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. - -## TL;DR; - -```console -$ helm install stable/prometheus -``` - -## Introduction - -This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. - -## Prerequisites - -- Kubernetes 1.3+ with Beta APIs enabled - -## Installing the Chart - -To install the chart with the release name `my-release`: - -```console -$ helm install --name my-release stable/prometheus -``` - -The command deploys Prometheus on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation. - -> **Tip**: List all releases using `helm list` - -## Uninstalling the Chart - -To uninstall/delete the `my-release` deployment: - -```console -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Prometheus 2.x - -Prometheus version 2.x has made changes to alertmanager, storage and recording rules. Check out the migration guide [here](https://prometheus.io/docs/prometheus/2.0/migration/) - -Users of this chart will need to update their alerting rules to the new format before they can upgrade. - -## Upgrading from previous chart versions. - -Version 9.0 adds a new option to enable or disable the Prometheus Server. -This supports the use case of running a Prometheus server in one k8s cluster and scraping exporters in another cluster while using the same chart for each deployment. -To install the server `server.enabled` must be set to `true`. 
- -As of version 5.0, this chart uses Prometheus 2.x. This version of prometheus introduces a new data format and is not compatible with prometheus 1.x. It is recommended to install this as a new release, as updating existing releases will not work. See the [prometheus docs](https://prometheus.io/docs/prometheus/latest/migration/#storage) for instructions on retaining your old data. - -### Example migration - -Assuming you have an existing release of the prometheus chart, named `prometheus-old`. In order to update to prometheus 2.x while keeping your old data do the following: - -1. Update the `prometheus-old` release. Disable scraping on every component besides the prometheus server, similar to the configuration below: - - ``` - alertmanager: - enabled: false - alertmanagerFiles: - alertmanager.yml: "" - kube-state-metrics: - disabled: true - nodeExporter: - enabled: false - pushgateway: - enabled: false - server: - extraArgs: - storage.local.retention: 720h - serverFiles: - alerts: "" - prometheus.yml: "" - rules: "" - ``` - -1. Deploy a new release of the chart with version 5.0+ using prometheus 2.x. In the values.yaml set the scrape config as usual, and also add the `prometheus-old` instance as a remote-read target. - - ``` - prometheus.yml: - ... - remote_read: - - url: http://prometheus-old/api/v1/read - ... - ``` - - Old data will be available when you query the new prometheus instance. - -## Scraping Pod Metrics via Annotations - -This chart uses a default configuration that causes prometheus -to scrape a variety of kubernetes resource types, provided they have the correct annotations. 
-In this section we describe how to configure pods to be scraped; -for information on how other resource types can be scraped you can -do a `helm template` to get the kubernetes resource definitions, -and then reference the prometheus configuration in the ConfigMap against the prometheus documentation -for [relabel_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) -and [kubernetes_sd_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). - -In order to get prometheus to scrape pods, you must add annotations to the the pods as below: - -``` -metadata: - annotations: - prometheus.io/scrape: "true" - prometheus.io/path: /metrics - prometheus.io/port: "8080" -spec: -... -``` - -You should adjust `prometheus.io/path` based on the URL that your pod serves metrics from. -`prometheus.io/port` should be set to the port that your pod serves metrics from. -Note that the values for `prometheus.io/scrape` and `prometheus.io/port` must be -enclosed in double quotes. - -## Configuration - -The following table lists the configurable parameters of the Prometheus chart and their default values. 
- -Parameter | Description | Default ---------- | ----------- | ------- -`alertmanager.enabled` | If true, create alertmanager | `true` -`alertmanager.name` | alertmanager container name | `alertmanager` -`alertmanager.image.repository` | alertmanager container image repository | `prom/alertmanager` -`alertmanager.image.tag` | alertmanager container image tag | `v0.20.0` -`alertmanager.image.pullPolicy` | alertmanager container image pull policy | `IfNotPresent` -`alertmanager.prefixURL` | The prefix slug at which the server can be accessed | `` -`alertmanager.baseURL` | The external url at which the server can be accessed | `"http://localhost:9093"` -`alertmanager.extraArgs` | Additional alertmanager container arguments | `{}` -`alertmanager.extraSecretMounts` | Additional alertmanager Secret mounts | `[]` -`alertmanager.configMapOverrideName` | Prometheus alertmanager ConfigMap override where full-name is `{{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}}` and setting this value will prevent the default alertmanager ConfigMap from being generated | `""` -`alertmanager.configFromSecret` | The name of a secret in the same kubernetes namespace which contains the Alertmanager config, setting this value will prevent the default alertmanager ConfigMap from being generated | `""` -`alertmanager.configFileName` | The configuration file name to be loaded to alertmanager. Must match the key within configuration loaded from ConfigMap/Secret. | `alertmanager.yml` -`alertmanager.ingress.enabled` | If true, alertmanager Ingress will be created | `false` -`alertmanager.ingress.annotations` | alertmanager Ingress annotations | `{}` -`alertmanager.ingress.extraLabels` | alertmanager Ingress additional labels | `{}` -`alertmanager.ingress.hosts` | alertmanager Ingress hostnames | `[]` -`alertmanager.ingress.extraPaths` | Ingress extra paths to prepend to every alertmanager host configuration. 
Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions) | `[]` -`alertmanager.ingress.tls` | alertmanager Ingress TLS configuration (YAML) | `[]` -`alertmanager.nodeSelector` | node labels for alertmanager pod assignment | `{}` -`alertmanager.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`alertmanager.affinity` | pod affinity | `{}` -`alertmanager.podDisruptionBudget.enabled` | If true, create a PodDisruptionBudget | `false` -`alertmanager.podDisruptionBudget.maxUnavailable` | Maximum unavailable instances in PDB | `1` -`alertmanager.schedulerName` | alertmanager alternate scheduler name | `nil` -`alertmanager.persistentVolume.enabled` | If true, alertmanager will create a Persistent Volume Claim | `true` -`alertmanager.persistentVolume.accessModes` | alertmanager data Persistent Volume access modes | `[ReadWriteOnce]` -`alertmanager.persistentVolume.annotations` | Annotations for alertmanager Persistent Volume Claim | `{}` -`alertmanager.persistentVolume.existingClaim` | alertmanager data Persistent Volume existing claim name | `""` -`alertmanager.persistentVolume.mountPath` | alertmanager data Persistent Volume mount root path | `/data` -`alertmanager.persistentVolume.size` | alertmanager data Persistent Volume size | `2Gi` -`alertmanager.persistentVolume.storageClass` | alertmanager data Persistent Volume Storage Class | `unset` -`alertmanager.persistentVolume.volumeBindingMode` | alertmanager data Persistent Volume Binding Mode | `unset` -`alertmanager.persistentVolume.subPath` | Subdirectory of alertmanager data Persistent Volume to mount | `""` -`alertmanager.podAnnotations` | annotations to be added to alertmanager pods | `{}` -`alertmanager.podLabels` | labels to be added to Prometheus AlertManager pods | `{}` -`alertmanager.podSecurityPolicy.annotations` | Specify pod annotations in the pod security policy | `{}` | 
-`alertmanager.replicaCount` | desired number of alertmanager pods | `1` -`alertmanager.statefulSet.enabled` | If true, use a statefulset instead of a deployment for pod management | `false` -`alertmanager.statefulSet.podManagementPolicy` | podManagementPolicy of alertmanager pods | `OrderedReady` -`alertmanager.statefulSet.headless.annotations` | annotations for alertmanager headless service | `{}` -`alertmanager.statefulSet.headless.labels` | labels for alertmanager headless service | `{}` -`alertmanager.statefulSet.headless.enableMeshPeer` | If true, enable the mesh peer endpoint for the headless service | `{}` -`alertmanager.statefulSet.headless.servicePort` | alertmanager headless service port | `80` -`alertmanager.priorityClassName` | alertmanager priorityClassName | `nil` -`alertmanager.resources` | alertmanager pod resource requests & limits | `{}` -`alertmanager.securityContext` | Custom [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for Alert Manager containers | `{}` -`alertmanager.service.annotations` | annotations for alertmanager service | `{}` -`alertmanager.service.clusterIP` | internal alertmanager cluster service IP | `""` -`alertmanager.service.externalIPs` | alertmanager service external IP addresses | `[]` -`alertmanager.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`alertmanager.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`alertmanager.service.servicePort` | alertmanager service port | `80` -`alertmanager.service.sessionAffinity` | Session Affinity for alertmanager service, can be `None` or `ClientIP` | `None` -`alertmanager.service.type` | type of alertmanager service to create | `ClusterIP` -`alertmanager.strategy` | Deployment strategy | `{ "type": "RollingUpdate" }` -`alertmanagerFiles.alertmanager.yml` | Prometheus alertmanager configuration | example configuration 
-`configmapReload.prometheus.enabled` | If false, the configmap-reload container for Prometheus will not be deployed | `true` -`configmapReload.prometheus.containerSecurityContext` | securityContext for container | `{}` -`configmapReload.prometheus.name` | configmap-reload container name | `configmap-reload` -`configmapReload.prometheus.image.repository` | configmap-reload container image repository | `quay.io/prometheus-operator/prometheus-config-reloader` -`configmapReload.prometheus.image.tag` | configmap-reload container image tag | `v0.68.0` -`configmapReload.prometheus.image.pullPolicy` | configmap-reload container image pull policy | `IfNotPresent` -`configmapReload.prometheus.extraArgs` | Additional configmap-reload container arguments | `{}` -`configmapReload.prometheus.extraVolumeDirs` | Additional configmap-reload volume directories | `{}` -`configmapReload.prometheus.extraConfigmapMounts` | Additional configmap-reload configMap mounts | `[]` -`configmapReload.prometheus.resources` | configmap-reload pod resource requests & limits | `{}` -`configmapReload.alertmanager.enabled` | If false, the configmap-reload container for AlertManager will not be deployed | `true` -`configmapReload.alertmanager.name` | configmap-reload container name | `configmap-reload` -`configmapReload.alertmanager.image.repository` | configmap-reload container image repository | `quay.io/prometheus-operator/prometheus-config-reloader` -`configmapReload.alertmanager.image.tag` | configmap-reload container image tag | `v0.68.0` -`configmapReload.alertmanager.image.pullPolicy` | configmap-reload container image pull policy | `IfNotPresent` -`configmapReload.alertmanager.extraArgs` | Additional configmap-reload container arguments | `{}` -`configmapReload.alertmanager.extraVolumeDirs` | Additional configmap-reload volume directories | `{}` -`configmapReload.alertmanager.extraConfigmapMounts` | Additional configmap-reload configMap mounts | `[]` -`configmapReload.alertmanager.resources` 
| configmap-reload pod resource requests & limits | `{}` -`initChownData.enabled` | If false, don't reset data ownership at startup | true -`initChownData.name` | init-chown-data container name | `init-chown-data` -`initChownData.image.repository` | init-chown-data container image repository | `busybox` -`initChownData.image.tag` | init-chown-data container image tag | `latest` -`initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` -`initChownData.resources` | init-chown-data pod resource requests & limits | `{}` -`kube-state-metrics.disabled` | If false, create kube-state-metrics sub-chart, see the [kube-state-metrics chart for configuration options](https://github.com/helm/charts/tree/master/stable/kube-state-metrics) | `false` -`nodeExporter.enabled` | If true, create node-exporter | `true` -`nodeExporter.dnsPolicy` | node-exporter dns policy | `ClusterFirstWithHostNet` -`nodeExporter.name` | node-exporter container name | `node-exporter` -`nodeExporter.image.repository` | node-exporter container image repository| `prom/node-exporter` -`nodeExporter.image.tag` | node-exporter container image tag | `v0.18.1` -`nodeExporter.image.pullPolicy` | node-exporter container image pull policy | `IfNotPresent` -`nodeExporter.extraArgs` | Additional node-exporter container arguments | `{}` -`nodeExporter.extraHostPathMounts` | Additional node-exporter hostPath mounts | `[]` -`nodeExporter.extraConfigmapMounts` | Additional node-exporter configMap mounts | `[]` -`nodeExporter.hostNetwork` | If true, node-exporter pods share the host network namespace | `true` -`nodeExporter.hostPID` | If true, node-exporter pods share the host PID namespace | `true` -`nodeExporter.nodeSelector` | node labels for node-exporter pod assignment | `{}` -`nodeExporter.podAnnotations` | annotations to be added to node-exporter pods | `{}` -`nodeExporter.pod.labels` | labels to be added to node-exporter pods | `{}` -`nodeExporter.podDisruptionBudget.enabled` 
| If true, create a PodDisruptionBudget | `false` -`nodeExporter.podDisruptionBudget.maxUnavailable` | Maximum unavailable instances in PDB | `1` -`nodeExporter.podSecurityPolicy.annotations` | Specify pod annotations in the pod security policy | `{}` | -`nodeExporter.podSecurityPolicy.enabled` | Specify if a Pod Security Policy for node-exporter must be created | `false` -`nodeExporter.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`nodeExporter.priorityClassName` | node-exporter priorityClassName | `nil` -`nodeExporter.resources` | node-exporter resource requests and limits (YAML) | `{}` -`nodeExporter.securityContext` | securityContext for containers in pod | `{}` -`nodeExporter.service.annotations` | annotations for node-exporter service | `{prometheus.io/scrape: "true"}` -`nodeExporter.service.clusterIP` | internal node-exporter cluster service IP | `None` -`nodeExporter.service.externalIPs` | node-exporter service external IP addresses | `[]` -`nodeExporter.service.hostPort` | node-exporter service host port | `9100` -`nodeExporter.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`nodeExporter.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`nodeExporter.service.servicePort` | node-exporter service port | `9100` -`nodeExporter.service.type` | type of node-exporter service to create | `ClusterIP` -`podSecurityPolicy.enabled` | If true, create & use pod security policies resources | `false` -`pushgateway.enabled` | If true, create pushgateway | `true` -`pushgateway.name` | pushgateway container name | `pushgateway` -`pushgateway.image.repository` | pushgateway container image repository | `prom/pushgateway` -`pushgateway.image.tag` | pushgateway container image tag | `v1.0.1` -`pushgateway.image.pullPolicy` | pushgateway container image pull policy | `IfNotPresent` -`pushgateway.extraArgs` | Additional pushgateway container arguments | 
`{}` -`pushgateway.ingress.enabled` | If true, pushgateway Ingress will be created | `false` -`pushgateway.ingress.annotations` | pushgateway Ingress annotations | `{}` -`pushgateway.ingress.hosts` | pushgateway Ingress hostnames | `[]` -`pushgateway.ingress.extraPaths` | Ingress extra paths to prepend to every pushgateway host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions) | `[]` -`pushgateway.ingress.tls` | pushgateway Ingress TLS configuration (YAML) | `[]` -`pushgateway.nodeSelector` | node labels for pushgateway pod assignment | `{}` -`pushgateway.podAnnotations` | annotations to be added to pushgateway pods | `{}` -`pushgateway.podSecurityPolicy.annotations` | Specify pod annotations in the pod security policy | `{}` | -`pushgateway.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`pushgateway.replicaCount` | desired number of pushgateway pods | `1` -`pushgateway.podDisruptionBudget.enabled` | If true, create a PodDisruptionBudget | `false` -`pushgateway.podDisruptionBudget.maxUnavailable` | Maximum unavailable instances in PDB | `1` -`pushgateway.schedulerName` | pushgateway alternate scheduler name | `nil` -`pushgateway.persistentVolume.enabled` | If true, Prometheus pushgateway will create a Persistent Volume Claim | `false` -`pushgateway.persistentVolume.accessModes` | Prometheus pushgateway data Persistent Volume access modes | `[ReadWriteOnce]` -`pushgateway.persistentVolume.annotations` | Prometheus pushgateway data Persistent Volume annotations | `{}` -`pushgateway.persistentVolume.existingClaim` | Prometheus pushgateway data Persistent Volume existing claim name | `""` -`pushgateway.persistentVolume.mountPath` | Prometheus pushgateway data Persistent Volume mount root path | `/data` -`pushgateway.persistentVolume.size` | Prometheus pushgateway data Persistent Volume size | `2Gi` 
-`pushgateway.persistentVolume.storageClass` | Prometheus pushgateway data Persistent Volume Storage Class | `unset` -`pushgateway.persistentVolume.volumeBindingMode` | Prometheus pushgateway data Persistent Volume Binding Mode | `unset` -`pushgateway.persistentVolume.subPath` | Subdirectory of Prometheus server data Persistent Volume to mount | `""` -`pushgateway.priorityClassName` | pushgateway priorityClassName | `nil` -`pushgateway.resources` | pushgateway pod resource requests & limits | `{}` -`pushgateway.service.annotations` | annotations for pushgateway service | `{}` -`pushgateway.service.clusterIP` | internal pushgateway cluster service IP | `""` -`pushgateway.service.externalIPs` | pushgateway service external IP addresses | `[]` -`pushgateway.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`pushgateway.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` -`pushgateway.service.servicePort` | pushgateway service port | `9091` -`pushgateway.service.type` | type of pushgateway service to create | `ClusterIP` -`pushgateway.strategy` | Deployment strategy | `{ "type": "RollingUpdate" }` -`rbac.create` | If true, create & use RBAC resources | `true` -`server.enabled` | If false, Prometheus server will not be created | `true` -`server.name` | Prometheus server container name | `server` -`server.image.repository` | Prometheus server container image repository | `prom/prometheus` -`server.image.tag` | Prometheus server container image tag | `v2.16.0` -`server.image.pullPolicy` | Prometheus server container image pull policy | `IfNotPresent` -`server.configPath` | Path to a prometheus server config file on the container FS | `/etc/config/prometheus.yml` -`server.global.scrape_interval` | How frequently to scrape targets by default | `1m` -`server.global.scrape_timeout` | How long until a scrape request times out | `10s` -`server.global.evaluation_interval` | How frequently 
to evaluate rules | `1m` -`server.remoteWrite` | The remote write feature of Prometheus allow transparently sending samples. | `{}` -`server.remoteRead` | The remote read feature of Prometheus allow transparently receiving samples. | `{}` -`server.extraArgs` | Additional Prometheus server container arguments | `{}` -`server.extraFlags` | Additional Prometheus server container flags | `["web.enable-lifecycle"]` -`server.extraInitContainers` | Init containers to launch alongside the server | `[]` -`server.prefixURL` | The prefix slug at which the server can be accessed | `` -`server.baseURL` | The external url at which the server can be accessed | `` -`server.env` | Prometheus server environment variables | `[]` -`server.extraHostPathMounts` | Additional Prometheus server hostPath mounts | `[]` -`server.extraConfigmapMounts` | Additional Prometheus server configMap mounts | `[]` -`server.extraSecretMounts` | Additional Prometheus server Secret mounts | `[]` -`server.extraVolumeMounts` | Additional Prometheus server Volume mounts | `[]` -`server.extraVolumes` | Additional Prometheus server Volumes | `[]` -`server.configMapOverrideName` | Prometheus server ConfigMap override where full-name is `{{.Release.Name}}-{{.Values.server.configMapOverrideName}}` and setting this value will prevent the default server ConfigMap from being generated | `""` -`server.ingress.enabled` | If true, Prometheus server Ingress will be created | `false` -`server.ingress.annotations` | Prometheus server Ingress annotations | `[]` -`server.ingress.extraLabels` | Prometheus server Ingress additional labels | `{}` -`server.ingress.hosts` | Prometheus server Ingress hostnames | `[]` -`server.ingress.extraPaths` | Ingress extra paths to prepend to every Prometheus server host configuration. 
Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions) | `[]` -`server.ingress.tls` | Prometheus server Ingress TLS configuration (YAML) | `[]` -`server.nodeSelector` | node labels for Prometheus server pod assignment | `{}` -`server.tolerations` | node taints to tolerate (requires Kubernetes >=1.6) | `[]` -`server.affinity` | pod affinity | `{}` -`server.podDisruptionBudget.enabled` | If true, create a PodDisruptionBudget | `false` -`server.podDisruptionBudget.maxUnavailable` | Maximum unavailable instances in PDB | `1` -`server.priorityClassName` | Prometheus server priorityClassName | `nil` -`server.schedulerName` | Prometheus server alternate scheduler name | `nil` -`server.persistentVolume.enabled` | If true, Prometheus server will create a Persistent Volume Claim | `true` -`server.persistentVolume.accessModes` | Prometheus server data Persistent Volume access modes | `[ReadWriteOnce]` -`server.persistentVolume.annotations` | Prometheus server data Persistent Volume annotations | `{}` -`server.persistentVolume.existingClaim` | Prometheus server data Persistent Volume existing claim name | `""` -`server.persistentVolume.mountPath` | Prometheus server data Persistent Volume mount root path | `/data` -`server.persistentVolume.size` | Prometheus server data Persistent Volume size | `8Gi` -`server.persistentVolume.storageClass` | Prometheus server data Persistent Volume Storage Class | `unset` -`server.persistentVolume.volumeBindingMode` | Prometheus server data Persistent Volume Binding Mode | `unset` -`server.persistentVolume.subPath` | Subdirectory of Prometheus server data Persistent Volume to mount | `""` -`server.containerSecurityContext` | securityContext for container | `{}` -`server.emptyDir.sizeLimit` | emptyDir sizeLimit if a Persistent Volume is not used | `""` -`server.podAnnotations` | annotations to be added to Prometheus server pods | 
`{}` -`server.podLabels` | labels to be added to Prometheus server pods | `{}` -`server.alertmanagers` | Prometheus AlertManager configuration for the Prometheus server | `{}` -`server.deploymentAnnotations` | annotations to be added to Prometheus server deployment | `{}` -`server.podSecurityPolicy.annotations` | Specify pod annotations in the pod security policy | `{}` | -`server.replicaCount` | desired number of Prometheus server pods | `1` -`server.statefulSet.enabled` | If true, use a statefulset instead of a deployment for pod management | `false` -`server.statefulSet.annotations` | annotations to be added to Prometheus server stateful set | `{}` -`server.statefulSet.labels` | labels to be added to Prometheus server stateful set | `{}` -`server.statefulSet.podManagementPolicy` | podManagementPolicy of server pods | `OrderedReady` -`server.statefulSet.headless.annotations` | annotations for Prometheus server headless service | `{}` -`server.statefulSet.headless.labels` | labels for Prometheus server headless service | `{}` -`server.statefulSet.headless.servicePort` | Prometheus server headless service port | `80` -`server.resources` | Prometheus server resource requests and limits | `{}` -`server.verticalAutoscaler.enabled` | If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) | `false` -`server.securityContext` | Custom [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for server containers | `{}` -`server.service.annotations` | annotations for Prometheus server service | `{}` -`server.service.clusterIP` | internal Prometheus server cluster service IP | `""` -`server.service.externalIPs` | Prometheus server service external IP addresses | `[]` -`server.service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `""` -`server.service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to load balancer (if supported) | `[]` 
-`server.service.nodePort` | Port to be used as the service NodePort (ignored if `server.service.type` is not `NodePort`) | `0` -`server.service.servicePort` | Prometheus server service port | `80` -`server.service.sessionAffinity` | Session Affinity for server service, can be `None` or `ClientIP` | `None` -`server.service.type` | type of Prometheus server service to create | `ClusterIP` -`server.service.gRPC.enabled` | If true, open a second port on the service for gRPC | `false` -`server.service.gRPC.servicePort` | Prometheus service gRPC port, (ignored if `server.service.gRPC.enabled` is not `true`) | `10901` -`server.service.gRPC.nodePort` | Port to be used as gRPC nodePort in the prometheus service | `0` -`server.service.statefulsetReplica.enabled` | If true, send the traffic from the service to only one replica of the replicaset | `false` -`server.service.statefulsetReplica.replica` | Which replica to send the traffice to | `0` -`server.sidecarContainers` | array of snippets with your sidecar containers for prometheus server | `""` -`server.strategy` | Deployment strategy | `{ "type": "RollingUpdate" }` -`serviceAccounts.alertmanager.create` | If true, create the alertmanager service account | `true` -`serviceAccounts.alertmanager.name` | name of the alertmanager service account to use or create | `{{ prometheus.alertmanager.fullname }}` -`serviceAccounts.kubeStateMetrics.create` | If true, create the kubeStateMetrics service account | `true` -`serviceAccounts.kubeStateMetrics.name` | name of the kubeStateMetrics service account to use or create | `{{ prometheus.kubeStateMetrics.fullname }}` -`serviceAccounts.nodeExporter.create` | If true, create the nodeExporter service account | `true` -`serviceAccounts.nodeExporter.name` | name of the nodeExporter service account to use or create | `{{ prometheus.nodeExporter.fullname }}` -`serviceAccounts.pushgateway.create` | If true, create the pushgateway service account | `true` -`serviceAccounts.pushgateway.name` | 
name of the pushgateway service account to use or create | `{{ prometheus.pushgateway.fullname }}` -`serviceAccounts.server.create` | If true, create the server service account | `true` -`serviceAccounts.server.name` | name of the server service account to use or create | `{{ prometheus.server.fullname }}` -`serviceAccounts.server.annotations` | annotations for the server service account | `{}` -`server.terminationGracePeriodSeconds` | Prometheus server Pod termination grace period | `300` -`server.retention` | (optional) Prometheus data retention | `"15d"` -`serverFiles.alerts` | (Deprecated) Prometheus server alerts configuration | `{}` -`serverFiles.rules` | (Deprecated) Prometheus server rules configuration | `{}` -`serverFiles.alerting_rules.yml` | Prometheus server alerts configuration | `{}` -`serverFiles.recording_rules.yml` | Prometheus server rules configuration | `{}` -`serverFiles.prometheus.yml` | Prometheus server scrape configuration | example configuration -`extraScrapeConfigs` | Prometheus server additional scrape configuration | "" -`alertRelabelConfigs` | Prometheus server [alert relabeling configs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alert_relabel_configs) for H/A prometheus | "" -`networkPolicy.enabled` | Enable NetworkPolicy | `false` | - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, - -```console -$ helm install stable/prometheus --name my-release \ - --set server.terminationGracePeriodSeconds=360 -``` - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, - -```console -$ helm install stable/prometheus --name my-release -f values.yaml -``` - -> **Tip**: You can use the default [values.yaml](values.yaml) - -Note that you have multiple yaml files. This is particularly useful when you have alerts belonging to multiple services in the cluster. 
For example, - -```yaml -# values.yaml -# ... - -# service1-alert.yaml -serverFiles: - alerts: - service1: - - alert: anAlert - # ... - -# service2-alert.yaml -serverFiles: - alerts: - service2: - - alert: anAlert - # ... -``` - -```console -$ helm install stable/prometheus --name my-release -f values.yaml -f service1-alert.yaml -f service2-alert.yaml -``` - -### RBAC Configuration -Roles and RoleBindings resources will be created automatically for `server` and `kubeStateMetrics` services. - -To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.{{ component }}.create` to `false` and `serviceAccounts.{{ component }}.name` to the name of a pre-existing service account. - -> **Tip**: You can refer to the default `*-clusterrole.yaml` and `*-clusterrolebinding.yaml` files in [templates](templates/) to customize your own. - -### ConfigMap Files -AlertManager is configured through [alertmanager.yml](https://prometheus.io/docs/alerting/configuration/). This file (and any others listed in `alertmanagerFiles`) will be mounted into the `alertmanager` pod. - -Prometheus is configured through [prometheus.yml](https://prometheus.io/docs/operating/configuration/). This file (and any others listed in `serverFiles`) will be mounted into the `server` pod. - -### Ingress TLS -If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [kube-lego](https://github.com/jetstack/kube-lego)), please refer to the documentation for that mechanism. - -To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. 
Then create a TLS secret in the namespace: - -```console -kubectl create secret tls prometheus-server-tls --cert=path/to/tls.cert --key=path/to/tls.key -``` - -Include the secret's name, along with the desired hostnames, in the alertmanager/server Ingress TLS section of your custom `values.yaml` file: - -```yaml -server: - ingress: - ## If true, Prometheus server Ingress will be created - ## - enabled: true - - ## Prometheus server Ingress hostnames - ## Must be provided if Ingress is enabled - ## - hosts: - - prometheus.domain.com - - ## Prometheus server Ingress TLS configuration - ## Secrets must be manually created in the namespace - ## - tls: - - secretName: prometheus-server-tls - hosts: - - prometheus.domain.com -``` - -### NetworkPolicy - -Enabling Network Policy for Prometheus will secure connections to Alert Manager -and Kube State Metrics by only accepting connections from Prometheus Server. -All inbound connections to Prometheus Server are still allowed. - -To enable network policy for Prometheus, install a networking plugin that -implements the Kubernetes NetworkPolicy spec, and set `networkPolicy.enabled` to true. - -If NetworkPolicy is enabled for Prometheus' scrape targets, you may also need -to manually create a networkpolicy which allows it. diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/Chart.yaml deleted file mode 100644 index 7752ccb44..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/Chart.yaml +++ /dev/null 
@@ -1,20 +0,0 @@
-apiVersion: v1
-appVersion: 1.9.5
-description: Install kube-state-metrics to generate and expose cluster-level metrics
-home: https://github.com/kubernetes/kube-state-metrics/
-keywords:
-- metric
-- monitoring
-- prometheus
-- kubernetes
-maintainers:
-- email: jose@armesto.net
- name: fiunchinho
-- email: tariq.ibrahim@mulesoft.com
- name: tariq1890
-- email: manuel@rueg.eu
- name: mrueg
-name: kube-state-metrics
-sources:
-- https://github.com/kubernetes/kube-state-metrics/
-version: 2.7.2
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/OWNERS b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/OWNERS
deleted file mode 100644
index 6ffd97d74..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/OWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-approvers:
-- fiunchinho
-- tariq1890
-- mrueg
-reviewers:
-- fiunchinho
-- tariq1890
-- mrueg
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/README.md b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/README.md
deleted file mode 100644
index 5c6456983..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# kube-state-metrics Helm Chart
-
-* Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics).
-
-## Installing the Chart
-
-To install the chart with the release name `my-release`:
-
-```bash
-$ helm install stable/kube-state-metrics
-```
-
-## Configuration
-
-| Parameter | Description | Default |
-|:---------------------------------------------|:--------------------------------------------------------------------------------------|:-------------------------------------------|
-| `image.repository` | The image repository to pull from | quay.io/coreos/kube-state-metrics |
-| `image.tag` | The image tag to pull from | `v1.9.5` |
-| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
-| `replicas` | Number of replicas | `1` |
-| `autosharding.enabled` | Set to `true` to automatically shard data across `replicas` pods. EXPERIMENTAL | `false` |
-| `service.port` | The port of the container | `8080` |
-| `service.annotations` | Annotations to be added to the service | `{}` |
-| `customLabels` | Custom labels to apply to service, deployment and pods | `{}` |
-| `hostNetwork` | Whether or not to use the host network | `false` |
-| `prometheusScrape` | Whether or not enable prom scrape | `true` |
-| `rbac.create` | If true, create & use RBAC resources | `true` |
-| `serviceAccount.create` | If true, create & use serviceAccount | `true` |
-| `serviceAccount.name` | If not set & create is true, use template fullname | |
-| `serviceAccount.imagePullSecrets` | Specify image pull secrets field | `[]` |
-| `podSecurityPolicy.enabled` | If true, create & use PodSecurityPolicy resources | `false` |
-| `podSecurityPolicy.annotations` | Specify pod annotations in the pod security policy | {} |
-| `securityContext.enabled` | Enable security context | `true` |
-| `securityContext.fsGroup` | Group ID for the container | `65534` |
-| `securityContext.runAsUser` | User ID for the container | `65534` |
-| `priorityClassName` | Name of Priority Class to assign pods | `nil` |
-| `nodeSelector` | Node labels for pod assignment | {} |
-| `affinity` | Affinity settings for pod assignment | {} |
-| `tolerations` | Tolerations for pod assignment | [] |
-| `podAnnotations` | Annotations to be added to the pod | {} |
-| `resources` | kube-state-metrics resource requests and limits | {} |
-| `collectors.certificatesigningrequests` | Enable the certificatesigningrequests collector. | `true` |
-| `collectors.configmaps` | Enable the configmaps collector. | `true` |
-| `collectors.cronjobs` | Enable the cronjobs collector. | `true` |
-| `collectors.daemonsets` | Enable the daemonsets collector. | `true` |
-| `collectors.deployments` | Enable the deployments collector. | `true` |
-| `collectors.endpoints` | Enable the endpoints collector. | `true` |
-| `collectors.horizontalpodautoscalers` | Enable the horizontalpodautoscalers collector. | `true` |
-| `collectors.ingresses` | Enable the ingresses collector. | `true` |
-| `collectors.jobs` | Enable the jobs collector. | `true` |
-| `collectors.limitranges` | Enable the limitranges collector. | `true` |
-| `collectors.mutatingwebhookconfigurations` | Enable the mutatingwebhookconfigurations collector. | `false` |
-| `collectors.namespaces` | Enable the namespaces collector. | `true` |
-| `collectors.nodes` | Enable the nodes collector. | `true` |
-| `collectors.persistentvolumeclaims` | Enable the persistentvolumeclaims collector. | `true` |
-| `collectors.persistentvolumes` | Enable the persistentvolumes collector. | `true` |
-| `collectors.poddisruptionbudgets` | Enable the poddisruptionbudgets collector. | `true` |
-| `collectors.pods` | Enable the pods collector. | `true` |
-| `collectors.replicasets` | Enable the replicasets collector. | `true` |
-| `collectors.replicationcontrollers` | Enable the replicationcontrollers collector. | `true` |
-| `collectors.resourcequotas` | Enable the resourcequotas collector. | `true` |
-| `collectors.secrets` | Enable the secrets collector. | `true` |
-| `collectors.services` | Enable the services collector. | `true` |
-| `collectors.statefulsets` | Enable the statefulsets collector. | `true` |
-| `collectors.storageclasses` | Enable the storageclasses collector. | `true` |
-| `collectors.validatingwebhookconfigurations` | Enable the validatingwebhookconfigurations collector. | `false` |
-| `collectors.verticalpodautoscalers` | Enable the verticalpodautoscalers collector. | `false` |
-| `collectors.volumeattachments` | Enable the volumeattachments collector. | `false` |
-| `prometheus.monitor.enabled` | Set this to `true` to create ServiceMonitor for Prometheus operator | `false` |
-| `prometheus.monitor.additionalLabels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` |
-| `prometheus.monitor.namespace` | Namespace where servicemonitor resource should be created | `the same namespace as kube-state-metrics` |
-| `prometheus.monitor.honorLabels` | Honor metric labels | `false` |
-| `namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) |
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt
deleted file mode 100644
index 5a646e0cc..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
-The exposed metrics can be found here:
-https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics
-
-The metrics are exported on the HTTP endpoint /metrics on the listening port.
-In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-state-metrics.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/metrics
-
-They are served either as plaintext or protobuf depending on the Accept header.
-They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
-
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl
deleted file mode 100644
index 6ae0e647f..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl
+++ /dev/null
@@ -1,47 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "kube-state-metrics.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kube-state-metrics.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "kube-state-metrics.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "kube-state-metrics.fullname" .) .Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Allow the release namespace to be overridden for multi-namespace deployments in combined charts -*/}} -{{- define "kube-state-metrics.namespace" -}} - {{- if .Values.namespaceOverride -}} - {{- .Values.namespaceOverride -}} - {{- else -}} - {{- .Release.Namespace -}} - {{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrole.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrole.yaml deleted file mode 100644 index 79045edf4..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrole.yaml +++ /dev/null 
@@ -1,182 +0,0 @@ -{{ if not .Values.disabled }} -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: {{ template "kube-state-metrics.fullname" . }} -rules: -{{ if .Values.collectors.certificatesigningrequests }} -- apiGroups: ["certificates.k8s.io"] - resources: - - certificatesigningrequests - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.configmaps }} -- apiGroups: [""] - resources: - - configmaps - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.cronjobs }} -- apiGroups: ["batch"] - resources: - - cronjobs - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.daemonsets }} -- apiGroups: ["extensions", "apps"] - resources: - - daemonsets - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.deployments }} -- apiGroups: ["extensions", "apps"] - resources: - - deployments - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.endpoints }} -- apiGroups: [""] - resources: - - endpoints - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.horizontalpodautoscalers }} -- apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.ingresses }} -- apiGroups: ["extensions", "networking.k8s.io"] - resources: - - ingresses - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.jobs }} -- apiGroups: ["batch"] - resources: - - jobs - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.limitranges }} -- apiGroups: [""] - resources: - - limitranges - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.mutatingwebhookconfigurations }} -- apiGroups: ["admissionregistration.k8s.io"] - resources: - - 
mutatingwebhookconfigurations - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.namespaces }} -- apiGroups: [""] - resources: - - namespaces - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.networkpolicies }} -- apiGroups: ["networking.k8s.io"] - resources: - - networkpolicies - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.nodes }} -- apiGroups: [""] - resources: - - nodes - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.persistentvolumeclaims }} -- apiGroups: [""] - resources: - - persistentvolumeclaims - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.persistentvolumes }} -- apiGroups: [""] - resources: - - persistentvolumes - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.poddisruptionbudgets }} -- apiGroups: ["policy"] - resources: - - poddisruptionbudgets - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.pods }} -- apiGroups: [""] - resources: - - pods - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.replicasets }} -- apiGroups: ["extensions", "apps"] - resources: - - replicasets - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.replicationcontrollers }} -- apiGroups: [""] - resources: - - replicationcontrollers - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.resourcequotas }} -- apiGroups: [""] - resources: - - resourcequotas - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.secrets }} -- apiGroups: [""] - resources: - - secrets - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.services }} -- apiGroups: [""] - resources: - - services - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.statefulsets }} -- apiGroups: ["apps"] - resources: - - statefulsets - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.storageclasses }} -- apiGroups: ["storage.k8s.io"] - resources: - - storageclasses - verbs: ["list", "watch"] -{{ end -}} -{{ if 
.Values.collectors.validatingwebhookconfigurations }} -- apiGroups: ["admissionregistration.k8s.io"] - resources: - - validatingwebhookconfigurations - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.volumeattachments }} -- apiGroups: ["storage.k8s.io"] - resources: - - volumeattachments - verbs: ["list", "watch"] -{{ end -}} -{{ if .Values.collectors.verticalpodautoscalers }} -- apiGroups: ["autoscaling.k8s.io"] - resources: - - verticalpodautoscalers - verbs: ["list", "watch"] -{{ end -}} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml deleted file mode 100644 index 8518fd2cc..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if not .Values.disabled }} -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: {{ template "kube-state-metrics.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kube-state-metrics.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml deleted file mode 100644 index f78e48e62..000000000 
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -{{ if not .Values.disabled }} -apiVersion: apps/v1 -{{- if .Values.autosharding.enabled }} -kind: StatefulSet -{{- else }} -kind: Deployment -{{- end }} -metadata: - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/managed-by: "{{ .Release.Service }}" -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | indent 4 }} -{{- end }} -spec: - selector: - matchLabels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - replicas: {{ .Values.replicas }} -{{- if .Values.autosharding.enabled }} - serviceName: {{ template "kube-state-metrics.fullname" . }} - volumeClaimTemplates: [] -{{- end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - app.kubernetes.io/instance: "{{ .Release.Name }}" -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | indent 8 }} -{{- end }} -{{- if .Values.podAnnotations }} - annotations: -{{ toYaml .Values.podAnnotations | indent 8 }} -{{- end }} - spec: -{{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} -{{- end }} - hostNetwork: {{ .Values.hostNetwork }} - serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . 
}} - {{- if .Values.securityContext.enabled }} - securityContext: - fsGroup: {{ .Values.securityContext.fsGroup }} - runAsUser: {{ .Values.securityContext.runAsUser }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - containers: - - name: {{ .Chart.Name }} -{{- if .Values.autosharding.enabled }} - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace -{{- end }} - args: -{{ if .Values.collectors.certificatesigningrequests }} - - --collectors=certificatesigningrequests -{{ end }} -{{ if .Values.collectors.configmaps }} - - --collectors=configmaps -{{ end }} -{{ if .Values.collectors.cronjobs }} - - --collectors=cronjobs -{{ end }} -{{ if .Values.collectors.daemonsets }} - - --collectors=daemonsets -{{ end }} -{{ if .Values.collectors.deployments }} - - --collectors=deployments -{{ end }} -{{ if .Values.collectors.endpoints }} - - --collectors=endpoints -{{ end }} -{{ if .Values.collectors.horizontalpodautoscalers }} - - --collectors=horizontalpodautoscalers -{{ end }} -{{ if .Values.collectors.ingresses }} - - --collectors=ingresses -{{ end }} -{{ if .Values.collectors.jobs }} - - --collectors=jobs -{{ end }} -{{ if .Values.collectors.limitranges }} - - --collectors=limitranges -{{ end }} -{{ if .Values.collectors.mutatingwebhookconfigurations }} - - --collectors=mutatingwebhookconfigurations -{{ end }} -{{ if .Values.collectors.namespaces }} - - --collectors=namespaces -{{ end }} -{{ if .Values.collectors.networkpolicies }} - - --collectors=networkpolicies -{{ end }} -{{ if .Values.collectors.nodes }} - - --collectors=nodes -{{ end }} -{{ if .Values.collectors.persistentvolumeclaims }} - - --collectors=persistentvolumeclaims -{{ end }} -{{ if .Values.collectors.persistentvolumes }} - - --collectors=persistentvolumes -{{ end }} -{{ if .Values.collectors.poddisruptionbudgets }} - - 
--collectors=poddisruptionbudgets -{{ end }} -{{ if .Values.collectors.pods }} - - --collectors=pods -{{ end }} -{{ if .Values.collectors.replicasets }} - - --collectors=replicasets -{{ end }} -{{ if .Values.collectors.replicationcontrollers }} - - --collectors=replicationcontrollers -{{ end }} -{{ if .Values.collectors.resourcequotas }} - - --collectors=resourcequotas -{{ end }} -{{ if .Values.collectors.secrets }} - - --collectors=secrets -{{ end }} -{{ if .Values.collectors.services }} - - --collectors=services -{{ end }} -{{ if .Values.collectors.statefulsets }} - - --collectors=statefulsets -{{ end }} -{{ if .Values.collectors.storageclasses }} - - --collectors=storageclasses -{{ end }} -{{ if .Values.collectors.validatingwebhookconfigurations }} - - --collectors=validatingwebhookconfigurations -{{ end }} -{{ if .Values.collectors.verticalpodautoscalers }} - - --collectors=verticalpodautoscalers -{{ end }} -{{ if .Values.collectors.volumeattachments }} - - --collectors=volumeattachments -{{ end }} -{{ if .Values.namespace }} - - --namespace={{ .Values.namespace }} -{{ end }} -{{ if .Values.autosharding.enabled }} - - --pod=$(POD_NAME) - - --pod-namespace=$(POD_NAMESPACE) -{{ end }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - ports: - - containerPort: 8080 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 - readinessProbe: - httpGet: - path: / - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 5 -{{- if .Values.resources }} - resources: -{{ toYaml .Values.resources | indent 10 }} -{{- end }} -{{- if .Values.affinity }} - affinity: -{{ toYaml .Values.affinity | indent 8 }} -{{- end }} -{{- if .Values.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} -{{- if .Values.tolerations }} - tolerations: -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml deleted file mode 100644 index d1d01c64a..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml +++ /dev/null @@ -1,43 +0,0 @@ -{{ if not .Values.disabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ template "kube-state-metrics.fullname" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{- if .Values.podSecurityPolicy.annotations }} - annotations: -{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -spec: - privileged: false - volumes: - - 'secret' - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml deleted file mode 100644 index 1edb5afee..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -{{ if not .Values.disabled }} -{{- if and .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: psp-{{ template "kube-state-metrics.fullname" . }} -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ template "kube-state-metrics.fullname" . }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml deleted file mode 100644 index 583db5388..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if not .Values.disabled }} -{{- if and .Values.podSecurityPolicy.enabled -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: psp-{{ template "kube-state-metrics.fullname" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: psp-{{ template "kube-state-metrics.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/service.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/service.yaml deleted file mode 100644 index 06c7bd484..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/service.yaml +++ /dev/null @@ -1,38 +0,0 @@ -{{ if not .Values.disabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/managed-by: "{{ .Release.Service }}" -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels | indent 4 }} -{{- end }} - annotations: - {{- if .Values.prometheusScrape }} - prometheus.io/scrape: '{{ .Values.prometheusScrape }}' - {{- end }} - {{- if .Values.service.annotations }} - {{- toYaml .Values.service.annotations | nindent 4 }} - {{- end }} -spec: - type: "{{ .Values.service.type }}" - ports: - - name: "http" - protocol: TCP - port: {{ .Values.service.port }} - {{- if .Values.service.nodePort }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - targetPort: 8080 -{{- if .Values.service.loadBalancerIP }} - loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" -{{- end }} - selector: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml deleted file mode 100644 index 76bd1d1d6..000000000 
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{ if not .Values.disabled }} -{{- if .Values.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} -imagePullSecrets: -{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml deleted file mode 100644 index c013f5265..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{ if not .Values.disabled }} -{{- if .Values.prometheus.monitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" - app.kubernetes.io/instance: "{{ .Release.Name }}" - app.kubernetes.io/managed-by: "{{ .Release.Service }}" - {{- if .Values.prometheus.monitor.additionalLabels }} -{{ toYaml .Values.prometheus.monitor.additionalLabels | indent 4 }} - {{- end }} -spec: - selector: - matchLabels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - endpoints: - - port: http - {{- if .Values.prometheus.monitor.honorLabels }} - honorLabels: true - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml deleted file mode 100644 index 95f237d7e..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -{{ if not .Values.disabled }} -{{- if and .Values.autosharding.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get -- apiGroups: - - apps - resourceNames: - - kube-state-metrics - resources: - - statefulsets - verbs: - - get -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml deleted file mode 100644 index 49119520a..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -{{ if not .Values.disabled }} -{{- if and .Values.autosharding.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} - labels: - app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} - helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/instance: {{ .Release.Name }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "kube-state-metrics.fullname" . }} - namespace: {{ template "kube-state-metrics.namespace" . }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/values.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/values.yaml deleted file mode 100644 index cc68f2a2c..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/values.yaml +++ /dev/null 
@@ -1,126 +0,0 @@ -# Default values for kube-state-metrics. -prometheusScrape: true -image: - repository: registry.k8s.io/kube-state-metrics/kube-state-metrics - tag: v1.9.8 - pullPolicy: IfNotPresent - -# If set to true, this will deploy kube-state-metrics as a StatefulSet and the data -# will be automatically sharded across <.Values.replicas> pods using the built-in -# autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding -# This is an experimental feature and there are no stability guarantees. -autosharding: - enabled: false - -replicas: 1 - -service: - port: 8080 - # Default to clusterIP for backward compatibility - type: ClusterIP - nodePort: 0 - loadBalancerIP: "" - annotations: {} - -customLabels: {} - -hostNetwork: false - -rbac: - # If true, create & use RBAC resources - create: true - -serviceAccount: - # Specifies whether a ServiceAccount should be created, require rbac true - create: true - # The name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template - name: - # Reference to one or more secrets to be used when pulling images - # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - imagePullSecrets: [] - -prometheus: - monitor: - enabled: false - additionalLabels: {} - namespace: "" - honorLabels: false - -## Specify if a Pod Security Policy for kube-state-metrics must be created -## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ -## -podSecurityPolicy: - enabled: false - annotations: {} - ## Specify pod annotations - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp - ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl - ## - # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - # seccomp.security.alpha.kubernetes.io/defaultProfileName: 
'docker/default' - # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' - - -securityContext: - enabled: true - runAsUser: 65534 - fsGroup: 65534 - -## Node labels for pod assignment -## Ref: https://kubernetes.io/docs/user-guide/node-selection/ -nodeSelector: {} - -## Affinity settings for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ -affinity: {} - -## Tolerations for pod assignment -## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ -tolerations: [] - -# Annotations to be added to the pod -podAnnotations: {} - -## Assign a PriorityClassName to pods if set -# priorityClassName: "" - -# Available collectors for kube-state-metrics. By default all available -# collectors are enabled. -collectors: - certificatesigningrequests: false - configmaps: true - cronjobs: true - daemonsets: true - deployments: true - endpoints: true - horizontalpodautoscalers: true - ingresses: false - jobs: true - limitranges: true - mutatingwebhookconfigurations: false - namespaces: true - networkpolicies: false - nodes: true - persistentvolumeclaims: true - persistentvolumes: true - poddisruptionbudgets: true - pods: true - replicasets: true - replicationcontrollers: true - resourcequotas: true - secrets: false - services: true - statefulsets: true - storageclasses: true - validatingwebhookconfigurations: false - verticalpodautoscalers: false - volumeattachments: false - -# Namespace to be enabled for collecting resources. By default all namespaces are collected. -# namespace: "" - -## Override the deployment namespace -## -namespaceOverride: "" diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/requirements.lock b/charts/kubecost/cost-analyzer/charts/prometheus/requirements.lock deleted file mode 100644 index 4a4bde218..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/requirements.lock +++ /dev/null 
@@ -1,6 +0,0 @@ -dependencies: -- name: kube-state-metrics - repository: https://kubernetes-charts.storage.googleapis.com/ - version: 2.7.2 -digest: sha256:695d0dbc2db8bccf5672145697546891da60ff12fbdb4f1bfc02459f4b755e4c -generated: 2020-03-18T18:57:59.00056179Z diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/requirements.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/requirements.yaml deleted file mode 100644 index 6e079ae7d..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/requirements.yaml +++ /dev/null @@ -1,7 +0,0 @@ -dependencies: - - - name: kube-state-metrics - version: "2.7.*" - repository: https://kubernetes-charts.storage.googleapis.com/ - condition: kubeStateMetrics.enabled - diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/NOTES.txt b/charts/kubecost/cost-analyzer/charts/prometheus/templates/NOTES.txt deleted file mode 100644 index 0e8868f0b..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/NOTES.txt +++ /dev/null 
@@ -1,112 +0,0 @@ -{{- if .Values.server.enabled -}} -The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster: -{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - -{{ if .Values.server.ingress.enabled -}} -From outside the cluster, the server URL(s) are: -{{- range .Values.server.ingress.hosts }} -http://{{ . }} -{{- end }} -{{- else }} -Get the Prometheus server URL by running these commands in the same shell: -{{- if contains "NodePort" .Values.server.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.server.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }} -{{- else if contains "ClusterIP" .Values.server.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . 
}},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090 -{{- end }} -{{- end }} - -{{- if .Values.server.persistentVolume.enabled }} -{{- else }} -################################################################################# -###### WARNING: Persistence is disabled!!! You will lose your data when ##### -###### the Server pod is terminated. ##### -################################################################################# -{{- end }} -{{- end }} - -{{ if .Values.alertmanager.enabled }} -The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster: -{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - -{{ if .Values.alertmanager.ingress.enabled -}} -From outside the cluster, the alertmanager URL(s) are: -{{- range .Values.alertmanager.ingress.hosts }} -http://{{ . }} -{{- end }} -{{- else }} -Get the Alertmanager URL by running these commands in the same shell: -{{- if contains "NodePort" .Values.alertmanager.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }} -{{- else if contains "ClusterIP" .Values.alertmanager.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093 -{{- end }} -{{- end }} - -{{- if .Values.alertmanager.persistentVolume.enabled }} -{{- else }} -################################################################################# -###### WARNING: Persistence is disabled!!! You will lose your data when ##### -###### the AlertManager pod is terminated. ##### -################################################################################# -{{- end }} -{{- end }} - -{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} -{{- else }} -################################################################################# -###### WARNING: Pod Security Policy has been moved to a global property. ##### -###### use .Values.podSecurityPolicy.enabled with pod-based ##### -###### annotations ##### -###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) ##### -################################################################################# -{{- end }} - -{{ if .Values.pushgateway.enabled }} -The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster: -{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - -{{ if .Values.pushgateway.ingress.enabled -}} -From outside the cluster, the pushgateway URL(s) are: -{{- range .Values.pushgateway.ingress.hosts }} -http://{{ . 
}} -{{- end }} -{{- else }} -Get the PushGateway URL by running these commands in the same shell: -{{- if contains "NodePort" .Values.pushgateway.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}' - - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') - echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }} -{{- else if contains "ClusterIP" .Values.pushgateway.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}") - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091 -{{- end }} -{{- end }} -{{- end }} - -For more information on running Prometheus, visit: -https://prometheus.io/ diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/charts/prometheus/templates/_helpers.tpl deleted file mode 100644 index 295aa01c5..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/_helpers.tpl +++ /dev/null 
@@ -1,276 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "prometheus.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "prometheus.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create unified labels for prometheus components -*/}} -{{- define "prometheus.common.matchLabels" -}} -app: {{ template "prometheus.name" . }} -release: {{ .Release.Name }} -{{- end -}} - -{{- define "prometheus.common.metaLabels" -}} -chart: {{ template "prometheus.chart" . }} -heritage: {{ .Release.Service }} -{{- end -}} - -{{- define "prometheus.alertmanager.labels" -}} -{{ include "prometheus.alertmanager.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.alertmanager.matchLabels" -}} -component: {{ .Values.alertmanager.name | quote }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.kubeStateMetrics.labels" -}} -{{ include "prometheus.kubeStateMetrics.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.kubeStateMetrics.matchLabels" -}} -component: {{ .Values.kubeStateMetrics.name | quote }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.nodeExporter.labels" -}} -{{ include "prometheus.nodeExporter.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.nodeExporter.matchLabels" -}} -component: {{ .Values.nodeExporter.name | quote }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.pushgateway.labels" -}} -{{ include "prometheus.pushgateway.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . 
}} -{{- end -}} - -{{- define "prometheus.pushgateway.matchLabels" -}} -component: {{ .Values.pushgateway.name | quote }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{- define "prometheus.server.labels" -}} -{{ include "prometheus.server.matchLabels" . }} -{{ include "prometheus.common.metaLabels" . }} -{{- end -}} - -{{- define "prometheus.server.matchLabels" -}} -component: {{ .Values.server.name | quote }} -{{ include "prometheus.common.matchLabels" . }} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a fully qualified alertmanager name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} - -{{- define "prometheus.alertmanager.fullname" -}} -{{- if .Values.alertmanager.fullnameOverride -}} -{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a fully qualified kube-state-metrics name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
-*/}} -{{- define "prometheus.kubeStateMetrics.fullname" -}} -{{- if .Values.kubeStateMetrics.fullnameOverride -}} -{{- .Values.kubeStateMetrics.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.kubeStateMetrics.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.kubeStateMetrics.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a fully qualified node-exporter name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.nodeExporter.fullname" -}} -{{- if .Values.nodeExporter.fullnameOverride -}} -{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a fully qualified Prometheus server name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.server.fullname" -}} -{{- if .Values.server.fullnameOverride -}} -{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create a fully qualified pushgateway name. 
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "prometheus.pushgateway.fullname" -}} -{{- if .Values.pushgateway.fullnameOverride -}} -{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for deployment. -*/}} -{{- define "prometheus.deployment.apiVersion" -}} -{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "prometheus.daemonset.apiVersion" -}} -{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "prometheus.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} -{{/* -Return the appropriate apiVersion for podsecuritypolicy. 
-*/}} -{{- define "prometheus.podSecurityPolicy.apiVersion" -}} -{{- if semverCompare ">=1.3-0, <1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy/v1beta1" -}} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the alertmanager component -*/}} -{{- define "prometheus.serviceAccountName.alertmanager" -}} -{{- if .Values.serviceAccounts.alertmanager.create -}} - {{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.alertmanager.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the kubeStateMetrics component -*/}} -{{- define "prometheus.serviceAccountName.kubeStateMetrics" -}} -{{- if .Values.serviceAccounts.kubeStateMetrics.create -}} - {{ default (include "prometheus.kubeStateMetrics.fullname" .) .Values.serviceAccounts.kubeStateMetrics.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.kubeStateMetrics.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the nodeExporter component -*/}} -{{- define "prometheus.serviceAccountName.nodeExporter" -}} -{{- if .Values.serviceAccounts.nodeExporter.create -}} - {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.nodeExporter.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the pushgateway component -*/}} -{{- define "prometheus.serviceAccountName.pushgateway" -}} -{{- if .Values.serviceAccounts.pushgateway.create -}} - {{ default (include "prometheus.pushgateway.fullname" .) 
.Values.serviceAccounts.pushgateway.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.pushgateway.name }} -{{- end -}} -{{- end -}} - -{{/* -Create the name of the service account to use for the server component -*/}} -{{- define "prometheus.serviceAccountName.server" -}} -{{- if .Values.serviceAccounts.server.create -}} - {{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }} -{{- else -}} - {{ default "default" .Values.serviceAccounts.server.name }} -{{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrole.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrole.yaml deleted file mode 100644 index b68e9b6e5..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrole.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - name: {{ template "prometheus.alertmanager.fullname" . }} -rules: -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: - - extensions - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "prometheus.alertmanager.fullname" . }} -{{- else }} - [] -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrolebinding.yaml deleted file mode 100644 index a6edd94a1..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-clusterrolebinding.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - name: {{ template "prometheus.alertmanager.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "prometheus.serviceAccountName.alertmanager" . }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "prometheus.alertmanager.fullname" . }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml deleted file mode 100644 index 07f727573..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-deployment.yaml +++ /dev/null 
@@ -1,142 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}} -apiVersion: {{ template "prometheus.deployment.apiVersion" . }} -kind: Deployment -metadata: - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - name: {{ template "prometheus.alertmanager.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} - replicas: {{ .Values.alertmanager.replicaCount }} - {{- if .Values.alertmanager.strategy }} - strategy: -{{ toYaml .Values.alertmanager.strategy | indent 4 }} - {{- end }} - template: - metadata: - {{- if .Values.alertmanager.podAnnotations }} - annotations: -{{ toYaml .Values.alertmanager.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 8 }} - {{- if .Values.alertmanager.podLabels}} - {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} - {{- end}} - spec: -{{- if .Values.alertmanager.schedulerName }} - schedulerName: "{{ .Values.alertmanager.schedulerName }}" -{{- end }} - serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} -{{- if .Values.alertmanager.priorityClassName }} - priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} - image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" - imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" - env: - {{- range $key, $value := .Values.alertmanager.extraEnv }} - - name: {{ $key }} - value: {{ $value }} - {{- end }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - args: - - --config.file=/etc/config/{{ .Values.alertmanager.configFileName }} - - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} - - --cluster.advertise-address=$(POD_IP):6783 - {{- range $key, $value := .Values.alertmanager.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - {{- if .Values.alertmanager.baseURL }} - - --web.external-url={{ .Values.alertmanager.baseURL }} - {{- end }} - - ports: - - containerPort: 9093 - readinessProbe: - httpGet: - path: {{ .Values.alertmanager.prefixURL }}/-/ready - port: 9093 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: -{{ toYaml .Values.alertmanager.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" - subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" - {{- range .Values.alertmanager.extraSecretMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - - {{- if .Values.configmapReload.alertmanager.enabled }} - - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} - image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" - imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" - args: - - --watched-dir=/etc/config - - --reload-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload - resources: -{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.alertmanager.nodeSelector }} - nodeSelector: -{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.alertmanager.securityContext }} - securityContext: -{{ toYaml .Values.alertmanager.securityContext | indent 8 }} - {{- end }} - {{- if .Values.alertmanager.tolerations }} - tolerations: -{{ toYaml .Values.alertmanager.tolerations | indent 8 }} - {{- end }} - {{- if .Values.alertmanager.affinity }} - affinity: -{{ toYaml .Values.alertmanager.affinity | indent 8 }} - {{- end }} - volumes: - - name: config-volume - {{- if empty .Values.alertmanager.configFromSecret }} - configMap: - name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . 
}}{{- end }} - {{- else }} - secret: - secretName: {{ .Values.alertmanager.configFromSecret }} - {{- end }} - {{- range .Values.alertmanager.extraSecretMounts }} - - name: {{ .name }} - secret: - secretName: {{ .secretName }} - {{- end }} - - name: storage-volume - {{- if .Values.alertmanager.persistentVolume.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} - {{- else }} - emptyDir: {} - {{- end -}} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-podsecuritypolicy.yaml deleted file mode 100644 index 174c9255d..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-podsecuritypolicy.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.rbac.create }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "prometheus.alertmanager.fullname" . }} - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - annotations: -{{- if .Values.alertmanager.podSecurityPolicy.annotations }} -{{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'persistentVolumeClaim' - - 'emptyDir' - - 'secret' - allowedHostPaths: - - pathPrefix: /etc - readOnly: true - - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }} - hostNetwork: false - hostPID: false - hostIPC: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: true -{{- end }} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pvc.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pvc.yaml deleted file mode 100644 index 71c9ce79e..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pvc.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if not .Values.alertmanager.statefulSet.enabled -}} -{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}} -{{- if not .Values.alertmanager.persistentVolume.existingClaim -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - {{- if .Values.alertmanager.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }} - {{- end }} - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - name: {{ template "prometheus.alertmanager.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - accessModes: -{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }} -{{- if .Values.alertmanager.persistentVolume.storageClass }} -{{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" -{{- end }} -{{- end }} -{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }} - volumeBindingModeName: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}" -{{- end }} - resources: - requests: - storage: "{{ .Values.alertmanager.persistentVolume.size }}" -{{- end -}} -{{- end -}} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service.yaml deleted file mode 100644 index d6c19a9c1..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.alertmanager.enabled -}} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.alertmanager.service.annotations }} - annotations: -{{ toYaml .Values.alertmanager.service.annotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} -{{- if .Values.alertmanager.service.labels }} -{{ toYaml .Values.alertmanager.service.labels | indent 4 }} -{{- end }} - name: {{ template "prometheus.alertmanager.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: -{{- if .Values.alertmanager.service.clusterIP }} - clusterIP: {{ .Values.alertmanager.service.clusterIP }} -{{- end }} -{{- if .Values.alertmanager.service.externalIPs }} - externalIPs: -{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.alertmanager.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }} -{{- end }} -{{- if .Values.alertmanager.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} -{{- end }} - ports: - - name: http - port: {{ .Values.alertmanager.service.servicePort }} - protocol: TCP - targetPort: 9093 - {{- if .Values.alertmanager.service.nodePort }} - nodePort: {{ .Values.alertmanager.service.nodePort }} - {{- end }} -{{- if .Values.alertmanager.service.enableMeshPeer }} - - name: meshpeer - port: 6783 - protocol: TCP - targetPort: 6783 -{{- end }} - selector: - {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} -{{- if .Values.alertmanager.service.sessionAffinity }} - sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }} -{{- end }} - type: "{{ .Values.alertmanager.service.type }}" -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml
deleted file mode 100644
index 5f191382c..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-statefulset.yaml
+++ /dev/null
@@ -1,155 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 4 }} - name: {{ template "prometheus.alertmanager.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless - selector: - matchLabels: - {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} - replicas: {{ .Values.alertmanager.replicaCount }} - podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }} - template: - metadata: - {{- if .Values.alertmanager.podAnnotations }} - annotations: -{{ toYaml .Values.alertmanager.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.alertmanager.labels" . | nindent 8 }} - spec: -{{- if .Values.alertmanager.affinity }} - affinity: -{{ toYaml .Values.alertmanager.affinity | indent 8 }} -{{- end }} -{{- if .Values.alertmanager.schedulerName }} - schedulerName: "{{ .Values.alertmanager.schedulerName }}" -{{- end }} - serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} -{{- if .Values.alertmanager.priorityClassName }} - priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }} - image: "{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" - imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" - env: - {{- range $key, $value := .Values.alertmanager.extraEnv }} - - name: {{ $key }} - value: {{ $value }} - {{- end }} - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - args: - - --config.file=/etc/config/alertmanager.yml - - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} - - --cluster.advertise-address=$(POD_IP):6783 - {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} - - --cluster.listen-address=0.0.0.0:6783 - {{- range $n := until (.Values.alertmanager.replicaCount | int) }} - - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 - {{- end }} - {{- end }} - {{- range $key, $value := .Values.alertmanager.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - {{- if .Values.alertmanager.baseURL }} - - --web.external-url={{ .Values.alertmanager.baseURL }} - {{- end }} - - ports: - - containerPort: 9093 - readinessProbe: - httpGet: - path: {{ .Values.alertmanager.prefixURL }}/#/status - port: 9093 - initialDelaySeconds: 30 - timeoutSeconds: 30 - resources: -{{ toYaml .Values.alertmanager.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" - subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" - {{- range .Values.alertmanager.extraSecretMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- if .Values.configmapReload.alertmanager.enabled }} - - name: {{ template "prometheus.name" . 
}}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} - image: "{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" - imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" - args: - - --watched-dir=/etc/config - - --reload-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload - resources: -{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.alertmanager.nodeSelector }} - nodeSelector: -{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.alertmanager.securityContext }} - securityContext: -{{ toYaml .Values.alertmanager.securityContext | indent 8 }} - {{- end }} - {{- if .Values.alertmanager.tolerations }} - tolerations: -{{ toYaml .Values.alertmanager.tolerations | indent 8 }} - {{- end }} - volumes: - - name: config-volume - configMap: - name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . 
}}{{- end }} - {{- range .Values.alertmanager.extraSecretMounts }} - - name: {{ .name }} - secret: - secretName: {{ .secretName }} - {{- end }} -{{- if .Values.alertmanager.persistentVolume.enabled }} - volumeClaimTemplates: - - metadata: - name: storage-volume - {{- if .Values.alertmanager.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }} - {{- end }} - spec: - accessModes: -{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }} - resources: - requests: - storage: "{{ .Values.alertmanager.persistentVolume.size }}" - {{- if .Values.server.persistentVolume.storageClass }} - {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" - {{- end }} - {{- end }} -{{- else }} - - name: storage-volume - emptyDir: {} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-daemonset.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-daemonset.yaml deleted file mode 100644 index 0b01b6063..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-daemonset.yaml +++ /dev/null 
@@ -1,133 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.nodeExporter.enabled -}} -apiVersion: {{ template "prometheus.daemonset.apiVersion" . }} -kind: DaemonSet -metadata: -{{- if .Values.nodeExporter.deploymentAnnotations }} - annotations: -{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} - name: {{ template "prometheus.nodeExporter.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }} - {{- if .Values.nodeExporter.updateStrategy }} - updateStrategy: -{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }} - {{- end }} - template: - metadata: - {{- if .Values.nodeExporter.podAnnotations }} - annotations: -{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} -{{- if .Values.nodeExporter.pod.labels }} -{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }} -{{- end }} - spec: -{{- if .Values.nodeExporter.affinity }} - affinity: -{{ toYaml .Values.nodeExporter.affinity | indent 8 }} -{{- end }} - serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }} -{{- if .Values.nodeExporter.dnsPolicy }} - dnsPolicy: "{{ .Values.nodeExporter.dnsPolicy }}" -{{- end }} -{{- if .Values.nodeExporter.priorityClassName }} - priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "prometheus.name" . 
}}-{{ .Values.nodeExporter.name }} - image: "{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}" - imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" - args: - - --path.procfs=/host/proc - - --path.sysfs=/host/sys - {{- if .Values.nodeExporter.hostNetwork }} - - --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }} - {{- end }} - {{- range $key, $value := .Values.nodeExporter.extraArgs }} - {{- if $value }} - - --{{ $key }}={{ $value }} - {{- else }} - - --{{ $key }} - {{- end }} - {{- end }} - ports: - - name: metrics - {{- if .Values.nodeExporter.hostNetwork }} - containerPort: {{ .Values.nodeExporter.service.hostPort }} - {{- else }} - containerPort: 9100 - {{- end }} - hostPort: {{ .Values.nodeExporter.service.hostPort }} - resources: -{{ toYaml .Values.nodeExporter.resources | indent 12 }} - volumeMounts: - - name: proc - mountPath: /host/proc - readOnly: true - - name: sys - mountPath: /host/sys - readOnly: true - {{- range .Values.nodeExporter.extraHostPathMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - readOnly: {{ .readOnly }} - {{- if .mountPropagation }} - mountPropagation: {{ .mountPropagation }} - {{- end }} - {{- end }} - {{- range .Values.nodeExporter.extraConfigmapMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.nodeExporter.hostNetwork }} - hostNetwork: true - {{- end }} - {{- if .Values.nodeExporter.hostPID }} - hostPID: true - {{- end }} - {{- if .Values.nodeExporter.tolerations }} - tolerations: -{{ toYaml .Values.nodeExporter.tolerations | indent 8 }} - {{- end }} - {{- if .Values.nodeExporter.nodeSelector }} - nodeSelector: -{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.nodeExporter.securityContext }} - securityContext: -{{ toYaml 
.Values.nodeExporter.securityContext | indent 8 }} - {{- end }} - volumes: - - name: proc - hostPath: - path: /proc - - name: sys - hostPath: - path: /sys - {{- range .Values.nodeExporter.extraHostPathMounts }} - - name: {{ .name }} - hostPath: - path: {{ .hostPath }} - {{- end }} - {{- range .Values.nodeExporter.extraConfigmapMounts }} - - name: {{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} - -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-podsecuritypolicy.yaml deleted file mode 100644 index a246b5881..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-podsecuritypolicy.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "prometheus.nodeExporter.fullname" . }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} - annotations: -{{- if .Values.nodeExporter.podSecurityPolicy.annotations }} -{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'configMap' - - 'hostPath' - - 'secret' - allowedHostPaths: - - pathPrefix: /proc - readOnly: true - - pathPrefix: /sys - readOnly: true - {{- range .Values.nodeExporter.extraHostPathMounts }} - - pathPrefix: {{ .hostPath }} - readOnly: {{ .readOnly }} - {{- end }} - hostNetwork: {{ .Values.nodeExporter.hostNetwork }} - hostPID: {{ .Values.nodeExporter.hostPID }} - hostIPC: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - hostPorts: - - min: 1 - max: 65535 -{{- end }} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-role.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-role.yaml deleted file mode 100644 index a037eaa84..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-role.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} -{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "prometheus.nodeExporter.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ template "prometheus.nodeExporter.fullname" . }} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-rolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-rolebinding.yaml deleted file mode 100644 index fb39ab64f..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-rolebinding.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "prometheus.nodeExporter.fullname" . }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: Role - name: {{ template "prometheus.nodeExporter.fullname" . }} - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-service.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-service.yaml deleted file mode 100644 index ee823bfd9..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.nodeExporter.enabled -}} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.nodeExporter.service.annotations }} - annotations: -{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} -{{- if .Values.nodeExporter.service.labels }} -{{ toYaml .Values.nodeExporter.service.labels | indent 4 }} -{{- end }} - name: {{ template "prometheus.nodeExporter.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: -{{- if .Values.nodeExporter.service.clusterIP }} - clusterIP: {{ .Values.nodeExporter.service.clusterIP }} -{{- end }} -{{- if .Values.nodeExporter.service.externalIPs }} - externalIPs: -{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.nodeExporter.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }} -{{- end }} -{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} -{{- end }} - ports: - - name: metrics - port: {{ .Values.nodeExporter.service.servicePort }} - protocol: TCP - {{- if .Values.nodeExporter.hostNetwork }} - targetPort: {{ .Values.nodeExporter.service.hostPort }} - {{- else }} - targetPort: 9100 - {{- end }} - selector: - {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }} - type: "{{ .Values.nodeExporter.service.type }}" -{{- end -}} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrole.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrole.yaml deleted file mode 100644 index de5f3f2be..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrole.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} - name: {{ template "prometheus.pushgateway.fullname" . }} -rules: -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: - - extensions - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "prometheus.pushgateway.fullname" . }} -{{- else }} - [] -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrolebinding.yaml deleted file mode 100644 index 1fc32369a..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-clusterrolebinding.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} - name: {{ template "prometheus.pushgateway.fullname" . }} -subjects: - - kind: ServiceAccount - name: {{ template "prometheus.serviceAccountName.pushgateway" . }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "prometheus.pushgateway.fullname" . }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-deployment.yaml deleted file mode 100644 index b680167be..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-deployment.yaml +++ /dev/null 
@@ -1,100 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.pushgateway.enabled -}} -apiVersion: {{ template "prometheus.deployment.apiVersion" . }} -kind: Deployment -metadata: - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} - name: {{ template "prometheus.pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" - {{- end }} - matchLabels: - {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} - replicas: {{ .Values.pushgateway.replicaCount }} - {{- if .Values.pushgateway.strategy }} - strategy: -{{ toYaml .Values.pushgateway.strategy | indent 4 }} - {{- end }} - template: - metadata: - {{- if .Values.pushgateway.podAnnotations }} - annotations: -{{ toYaml .Values.pushgateway.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 8 }} - spec: - serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} -{{- if .Values.pushgateway.priorityClassName }} - priorityClassName: "{{ .Values.pushgateway.priorityClassName }}" -{{- end }} - containers: - - name: {{ template "prometheus.name" . 
}}-{{ .Values.pushgateway.name }} - image: "{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}" - imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}" - args: - {{- range $key, $value := .Values.pushgateway.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - ports: - - containerPort: 9091 - livenessProbe: - httpGet: - {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} - path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy - {{- else }} - path: /-/healthy - {{- end }} - port: 9091 - initialDelaySeconds: 10 - timeoutSeconds: 10 - readinessProbe: - httpGet: - {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} - path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready - {{- else }} - path: /-/ready - {{- end }} - port: 9091 - initialDelaySeconds: 10 - timeoutSeconds: 10 - resources: -{{ toYaml .Values.pushgateway.resources | indent 12 }} - {{- if .Values.pushgateway.persistentVolume.enabled }} - volumeMounts: - - name: storage-volume - mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}" - subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}" - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.pushgateway.nodeSelector }} - nodeSelector: -{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }} - {{- end }} - {{- if .Values.pushgateway.securityContext }} - securityContext: -{{ toYaml .Values.pushgateway.securityContext | indent 8 }} - {{- end }} - {{- if .Values.pushgateway.tolerations }} - tolerations: -{{ toYaml .Values.pushgateway.tolerations | indent 8 }} - {{- end }} - {{- if .Values.pushgateway.affinity }} - affinity: -{{ toYaml .Values.pushgateway.affinity | indent 8 }} - {{- end }} - {{- if .Values.pushgateway.persistentVolume.enabled }} - volumes: - - name: storage-volume - persistentVolumeClaim: - claimName: 
{{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }} - {{- end -}} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-podsecuritypolicy.yaml deleted file mode 100644 index 5078abbf9..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-podsecuritypolicy.yaml +++ /dev/null @@ -1,48 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.rbac.create }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "prometheus.pushgateway.fullname" . }} - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} - annotations: -{{- if .Values.pushgateway.podSecurityPolicy.annotations }} -{{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -spec: - privileged: false - allowPrivilegeEscalation: false - requiredDropCapabilities: - - ALL - volumes: - - 'persistentVolumeClaim' - - 'secret' - allowedHostPaths: - - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }} - hostNetwork: false - hostPID: false - hostIPC: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: true -{{- end }} -{{- end }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pvc.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pvc.yaml deleted file mode 100644 index 89d14ec0b..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pvc.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.pushgateway.enabled -}} -{{- if .Values.pushgateway.persistentVolume.enabled -}} -{{- if not .Values.pushgateway.persistentVolume.existingClaim -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - {{- if .Values.pushgateway.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} - {{- end }} - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} - name: {{ template "prometheus.pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - accessModes: -{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} -{{- if .Values.pushgateway.persistentVolume.storageClass }} -{{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" -{{- end }} -{{- end }} -{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} - volumeBindingModeName: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" -{{- end }} - resources: - requests: - storage: "{{ .Values.pushgateway.persistentVolume.size }}" -{{- end -}} -{{- end -}} -{{ end }} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-service.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-service.yaml deleted file mode 100644 index 864e0beb9..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-service.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.pushgateway.enabled -}} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.pushgateway.service.annotations }} - annotations: -{{ toYaml .Values.pushgateway.service.annotations | indent 4}} -{{- end }} - labels: - {{- include "prometheus.pushgateway.labels" . | nindent 4 }} -{{- if .Values.pushgateway.service.labels }} -{{ toYaml .Values.pushgateway.service.labels | indent 4}} -{{- end }} - name: {{ template "prometheus.pushgateway.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: -{{- if .Values.pushgateway.service.clusterIP }} - clusterIP: {{ .Values.pushgateway.service.clusterIP }} -{{- end }} -{{- if .Values.pushgateway.service.externalIPs }} - externalIPs: -{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.pushgateway.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} -{{- end }} -{{- if .Values.pushgateway.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} -{{- end }} - ports: - - name: http - port: {{ .Values.pushgateway.service.servicePort }} - protocol: TCP - targetPort: 9091 - selector: - {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }} - type: "{{ .Values.pushgateway.service.type }}" -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml deleted file mode 100644 index 9c6d2fa46..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-deployment.yaml +++ /dev/null 
@@ -1,256 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if not .Values.server.statefulSet.enabled -}} -apiVersion: {{ template "prometheus.deployment.apiVersion" . }} -kind: Deployment -metadata: -{{- if .Values.server.deploymentAnnotations }} - annotations: -{{ toYaml .Values.server.deploymentAnnotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} - name: {{ template "prometheus.server.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - selector: - matchLabels: - {{- include "prometheus.server.matchLabels" . | nindent 6 }} - replicas: {{ .Values.server.replicaCount }} - {{- if .Values.server.strategy }} - strategy: -{{ toYaml .Values.server.strategy | indent 4 }} - {{- end }} - template: - metadata: - {{- if .Values.server.podAnnotations }} - annotations: -{{ toYaml .Values.server.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 8 }} - {{- if .Values.server.podLabels}} - {{ toYaml .Values.server.podLabels | nindent 8 }} - {{- end}} - spec: -{{- if .Values.server.priorityClassName }} - priorityClassName: "{{ .Values.server.priorityClassName }}" -{{- end }} -{{- if .Values.server.schedulerName }} - schedulerName: "{{ .Values.server.schedulerName }}" -{{- end }} - serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} - {{- if .Values.server.extraInitContainers }} - initContainers: -{{ toYaml .Values.server.extraInitContainers | indent 8 }} - {{- end }} - containers: - {{- if .Values.configmapReload.prometheus.enabled }} - - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} - image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" - imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" - args: - - --watched-dir=/etc/config - - --reload-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload - {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} - - --watched-dir={{ . }} - {{- end }} - resources: - {{- toYaml .Values.configmapReload.prometheus.resources | nindent 12 }} - securityContext: - {{- if .Values.global.containerSecurityContext }} - {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} - {{- else if .Values.global.containerSecurityContext }} - {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} - {{- else }} - securityContext: - {{- toYaml .Values.configmapReload.prometheus.containerSecurityContext | nindent 12 }} - {{- end }} - volumeMounts: - {{- if .Values.selfsignedCertConfigMapName }} - - name: {{ .Values.selfsignedCertConfigMapName }} - mountPath: /etc/ssl/certs/my-cert.pem - subPath: my-cert.pem - readOnly: false - {{- end }} - - name: config-volume - mountPath: /etc/config - readOnly: true - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- end }} - - - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }} - image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" - imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" - {{- if .Values.server.env }} - env: -{{ toYaml .Values.server.env | indent 12}} - {{- end }} - args: - {{- if .Values.server.retention }} - - --storage.tsdb.retention.time={{ .Values.server.retention }} - {{- end }} - {{- if .Values.server.retentionSize }} - - --storage.tsdb.retention.size={{ .Values.server.retentionSize }} - {{- end }} - - --config.file={{ .Values.server.configPath }} - - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - {{- range .Values.server.extraFlags }} - - --{{ . }} - {{- end }} - {{- if .Values.server.baseURL }} - - --web.external-url={{ .Values.server.baseURL }} - {{- end }} - - {{- range $key, $value := .Values.server.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: {{ .Values.server.prefixURL }}/-/ready - port: 9090 - initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} - timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} - failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} - successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} - livenessProbe: - httpGet: - path: {{ .Values.server.prefixURL }}/-/healthy - port: 9090 - initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} - timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} - failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} - successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} - resources: - {{- toYaml .Values.server.resources | nindent 12 }} - securityContext: - {{- if .Values.global.containerSecurityContext }} - {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} - {{- else }} - 
{{- toYaml .Values.server.prometheus.containerSecurityContext | nindent 12 }} - {{- end }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: {{ .Values.server.persistentVolume.mountPath }} - subPath: "{{ .Values.server.persistentVolume.subPath }}" - {{- range .Values.server.extraHostPathMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- range .Values.server.extraConfigmapMounts }} - - name: {{ $.Values.server.name }}-{{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- range .Values.server.extraSecretMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- if .Values.server.extraVolumeMounts }} - {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.server.sidecarContainers }} - {{- toYaml .Values.server.sidecarContainers | nindent 8 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 0 }} - {{- end }} - {{- if .Values.server.nodeSelector }} - nodeSelector: - {{- toYaml .Values.server.nodeSelector | nindent 8 }} - {{- end }} - {{- if .Values.server.securityContext }} - securityContext: - {{- if not .Values.server.securityContext.fsGroup }} - fsGroupChangePolicy: OnRootMismatch - fsGroup: 1001 - {{- end }} - {{- toYaml .Values.server.securityContext | nindent 8 }} - {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} - securityContext: - {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} - {{- else if .Values.global.securityContext }} - securityContext: - {{- toYaml .Values.global.securityContext | nindent 8 }} - {{- end }} - {{- if .Values.server.tolerations }} - tolerations: -{{ toYaml 
.Values.server.tolerations | indent 8 }} - {{- end }} - {{- if .Values.server.affinity }} - affinity: -{{ toYaml .Values.server.affinity | indent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} - volumes: - {{- if .Values.selfsignedCertConfigMapName }} - - name: {{ .Values.selfsignedCertConfigMapName }} - configMap: - name: {{ .Values.selfsignedCertConfigMapName }} - {{- end }} - - name: config-volume - configMap: - name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} - - name: storage-volume - {{- if .Values.server.persistentVolume.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} - {{- else }} - emptyDir: - {{- if .Values.server.emptyDir.sizeLimit }} - sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} - {{- else }} - {} - {{- end -}} - {{- end -}} -{{- if .Values.server.extraVolumes }} -{{ toYaml .Values.server.extraVolumes | indent 8}} -{{- end }} - {{- range .Values.server.extraHostPathMounts }} - - name: {{ .name }} - hostPath: - path: {{ .hostPath }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} - {{- range .Values.server.extraConfigmapMounts }} - - name: {{ $.Values.server.name }}-{{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} - {{- range .Values.server.extraSecretMounts }} - - name: {{ .name }} - secret: - secretName: {{ tpl .secretName $ }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} -{{- end -}} -{{- end -}} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-ingress.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-ingress.yaml
deleted file mode 100644
index 5781b81c1..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-ingress.yaml
+++ /dev/null
@@ -1,62 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.server.ingress.enabled -}} -{{- $releaseName := .Release.Name -}} -{{- $serviceName := include "prometheus.server.fullname" . }} -{{- $servicePort := .Values.server.service.servicePort -}} -{{- $extraPaths := .Values.server.ingress.extraPaths -}} -{{- $pathType := .Values.server.ingress.pathType -}} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: -{{- if .Values.server.ingress.annotations }} - annotations: -{{ toYaml .Values.server.ingress.annotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} -{{- range $key, $value := .Values.server.ingress.extraLabels }} - {{ $key }}: {{ $value }} -{{- end }} - name: {{ template "prometheus.server.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - rules: - {{- range .Values.server.ingress.hosts }} - {{- $url := splitList "/" . }} - - host: {{ first $url }} - http: - paths: -{{ if $extraPaths }} -{{ toYaml $extraPaths | indent 10 }} -{{- end }} - {{- if $apiV1 }} - - path: /{{ rest $url | join "/" }} - pathType: {{ $pathType }} - backend: - service: - name: {{ $serviceName }} - port: - number: {{ $servicePort }} - {{- else }} - - path: /{{ rest $url | join "/" }} - backend: - serviceName: {{ $serviceName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end -}} -{{- if .Values.server.ingress.tls }} - tls: -{{ toYaml .Values.server.ingress.tls | indent 4 }} - {{- end -}} -{{- end -}} -{{- end -}} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-podsecuritypolicy.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-podsecuritypolicy.yaml deleted file mode 100644 index f9fc538a4..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-podsecuritypolicy.yaml +++ /dev/null @@ -1,57 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.rbac.create }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "prometheus.server.fullname" . }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} - annotations: -{{- if .Values.server.podSecurityPolicy.annotations }} -{{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -spec: - privileged: false - allowPrivilegeEscalation: false - allowedCapabilities: - - 'CHOWN' - volumes: - - 'configMap' - - 'persistentVolumeClaim' - - 'emptyDir' - - 'secret' - - 'hostPath' - allowedHostPaths: - - pathPrefix: /etc - readOnly: true - - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} - {{- range .Values.server.extraHostPathMounts }} - - pathPrefix: {{ .hostPath }} - readOnly: {{ .readOnly }} - {{- end }} - hostNetwork: false - hostPID: false - hostIPC: false - runAsUser: - rule: 'RunAsAny' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - # Forbid adding the root group. - - min: 1 - max: 65535 - readOnlyRootFilesystem: false -{{- end }} -{{- end }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pvc.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pvc.yaml deleted file mode 100644 index 7afb54aed..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pvc.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if not .Values.server.statefulSet.enabled -}} -{{- if .Values.server.persistentVolume.enabled -}} -{{- if not .Values.server.persistentVolume.existingClaim -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - {{- if .Values.server.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} - {{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} - name: {{ template "prometheus.server.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - accessModes: -{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} -{{- if .Values.server.persistentVolume.storageClass }} -{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" -{{- end }} -{{- end }} -{{- if .Values.server.persistentVolume.volumeBindingMode }} - volumeBindingModeName: "{{ .Values.server.persistentVolume.volumeBindingMode }}" -{{- end }} - resources: - requests: - storage: "{{ .Values.server.persistentVolume.size }}" -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service.yaml deleted file mode 100644 index da7eac7f9..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -apiVersion: v1 -kind: Service -metadata: -{{- if .Values.server.service.annotations }} - annotations: -{{ toYaml .Values.server.service.annotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} -{{- if .Values.server.service.labels }} -{{ toYaml .Values.server.service.labels | indent 4 }} -{{- end }} - name: {{ template "prometheus.server.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: -{{- if .Values.server.service.clusterIP }} - clusterIP: {{ .Values.server.service.clusterIP }} -{{- end }} -{{- if .Values.server.service.externalIPs }} - externalIPs: -{{ toYaml .Values.server.service.externalIPs | indent 4 }} -{{- end }} -{{- if .Values.server.service.loadBalancerIP }} - loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} -{{- end }} -{{- if .Values.server.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} - - {{ $cidr }} - {{- end }} -{{- end }} - ports: - - name: http - port: {{ .Values.server.service.servicePort }} - protocol: TCP - targetPort: 9090 - {{- if .Values.server.service.nodePort }} - nodePort: {{ .Values.server.service.nodePort }} - {{- end }} - {{- if .Values.server.service.gRPC.enabled }} - - name: grpc - port: {{ .Values.server.service.gRPC.servicePort }} - protocol: TCP - targetPort: 10901 - {{- if .Values.server.service.gRPC.nodePort }} - nodePort: {{ .Values.server.service.gRPC.nodePort }} - {{- end }} - {{- end }} - selector: - {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} - statefulset.kubernetes.io/pod-name: {{ .Release.Name }}-{{ .Values.server.name }}-{{ .Values.server.service.statefulsetReplica.replica }} - {{- else -}} - {{- include "prometheus.server.matchLabels" . 
| nindent 4 }}
-{{- if .Values.server.service.sessionAffinity }}
- sessionAffinity: {{ .Values.server.service.sessionAffinity }}
-{{- end }}
- {{- end }}
- type: "{{ .Values.server.service.type }}"
-{{- end -}}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml
deleted file mode 100644
index 37ac3d80b..000000000
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-statefulset.yaml
+++ /dev/null
@@ -1,225 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.server.statefulSet.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: -{{- if .Values.server.statefulSet.annotations }} - annotations: -{{ toYaml .Values.server.statefulSet.annotations | indent 4 }} -{{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} - {{- if .Values.server.statefulSet.labels}} - {{ toYaml .Values.server.statefulSet.labels | nindent 4 }} - {{- end}} - name: {{ template "prometheus.server.fullname" . }} - namespace: {{ .Release.Namespace }} -spec: - serviceName: {{ template "prometheus.server.fullname" . }}-headless - selector: - matchLabels: - {{- include "prometheus.server.matchLabels" . | nindent 6 }} - replicas: {{ .Values.server.replicaCount }} - podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }} - template: - metadata: - {{- if .Values.server.podAnnotations }} - annotations: -{{ toYaml .Values.server.podAnnotations | indent 8 }} - {{- end }} - labels: - {{- include "prometheus.server.labels" . | nindent 8 }} - {{- if .Values.server.statefulSet.labels}} - {{ toYaml .Values.server.statefulSet.labels | nindent 8 }} - {{- end}} - spec: -{{- if .Values.server.affinity }} - affinity: -{{ toYaml .Values.server.affinity | indent 8 }} -{{- end }} -{{- if .Values.server.priorityClassName }} - priorityClassName: "{{ .Values.server.priorityClassName }}" -{{- end }} -{{- if .Values.server.schedulerName }} - schedulerName: "{{ .Values.server.schedulerName }}" -{{- end }} - serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} - containers: - {{- if .Values.configmapReload.prometheus.enabled }} - - name: {{ template "prometheus.name" . 
}}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} - image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" - imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" - args: - - --watched-dir=/etc/config - - --reload-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload - {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} - - --watched-dir={{ . }} - {{- end }} - resources: -{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- end }} - - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} - image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" - imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" - {{- if .Values.server.env }} - env: -{{ toYaml .Values.server.env | indent 12}} - {{- end }} - args: - {{- if .Values.server.retention }} - - --storage.tsdb.retention.time={{ .Values.server.retention }} - {{- end }} - - --config.file={{ .Values.server.configPath }} - - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} - - --web.console.libraries=/etc/prometheus/console_libraries - - --web.console.templates=/etc/prometheus/consoles - {{- range .Values.server.extraFlags }} - - --{{ . 
}} - {{- end }} - {{- range $key, $value := .Values.server.extraArgs }} - - --{{ $key }}={{ $value }} - {{- end }} - {{- if .Values.server.baseURL }} - - --web.external-url={{ .Values.server.baseURL }} - {{- end }} - ports: - - containerPort: 9090 - readinessProbe: - httpGet: - path: {{ .Values.server.prefixURL }}/-/ready - port: 9090 - initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} - timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} - livenessProbe: - httpGet: - path: {{ .Values.server.prefixURL }}/-/healthy - port: 9090 - initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} - timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} - resources: -{{ toYaml .Values.server.resources | indent 12 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - - name: storage-volume - mountPath: {{ .Values.server.persistentVolume.mountPath }} - subPath: "{{ .Values.server.persistentVolume.subPath }}" - {{- range .Values.server.extraHostPathMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- range .Values.server.extraConfigmapMounts }} - - name: {{ $.Values.server.name }}-{{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- range .Values.server.extraSecretMounts }} - - name: {{ .name }} - mountPath: {{ .mountPath }} - subPath: {{ .subPath }} - readOnly: {{ .readOnly }} - {{- end }} - {{- if .Values.server.extraVolumeMounts }} - {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} - {{- end }} - {{- if .Values.server.sidecarContainers }} - {{- toYaml .Values.server.sidecarContainers | nindent 8 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.server.nodeSelector }} - nodeSelector: -{{ toYaml .Values.server.nodeSelector | indent 8 }} - {{- end }} - {{- if 
.Values.server.securityContext }} - securityContext: -{{ toYaml .Values.server.securityContext | indent 8 }} - {{- end }} - {{- if .Values.server.tolerations }} - tolerations: -{{ toYaml .Values.server.tolerations | indent 8 }} - {{- end }} - {{- if .Values.server.affinity }} - affinity: -{{ toYaml .Values.server.affinity | indent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} - volumes: - - name: config-volume - configMap: - name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} - {{- range .Values.server.extraHostPathMounts }} - - name: {{ .name }} - hostPath: - path: {{ .hostPath }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} - {{- range .Values.server.extraConfigmapMounts }} - - name: {{ $.Values.server.name }}-{{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} - {{- range .Values.server.extraSecretMounts }} - - name: {{ .name }} - secret: - secretName: {{ .secretName }} - {{- end }} - {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} - - name: {{ .name }} - configMap: - name: {{ .configMap }} - {{- end }} -{{- if .Values.server.extraVolumes }} -{{ toYaml .Values.server.extraVolumes | indent 8}} -{{- end }} -{{- if .Values.server.persistentVolume.enabled }} - volumeClaimTemplates: - - metadata: - name: storage-volume - {{- if .Values.server.persistentVolume.annotations }} - annotations: -{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} - {{- end }} - spec: - accessModes: -{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} - resources: - requests: - storage: "{{ .Values.server.persistentVolume.size }}" - {{- if .Values.server.persistentVolume.storageClass }} - 
{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} - storageClassName: "" - {{- else }} - storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" - {{- end }} - {{- end }} -{{- else }} - - name: storage-volume - emptyDir: {} -{{- end }} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-vpa.yaml b/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-vpa.yaml deleted file mode 100644 index 854d02db2..000000000 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-vpa.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.server.verticalAutoscaler.enabled -}} -apiVersion: autoscaling.k8s.io/v1beta2 -kind: VerticalPodAutoscaler -metadata: - labels: - {{- include "prometheus.server.labels" . | nindent 4 }} - name: {{ template "prometheus.server.fullname" . }}-vpa - namespace: {{ .Release.Namespace }} -spec: - targetRef: -{{- if .Values.server.statefulSet.enabled }} - apiVersion: "apps/v1" - kind: StatefulSet -{{- else }} - apiVersion: "extensions/v1beta1" - kind: Deployment -{{- end }} - name: {{ template "prometheus.server.fullname" . }} - updatePolicy: - updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} - resourcePolicy: - containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} -{{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}} -{{- end -}} {{/* .Values.server.enabled */}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/.helmignore b/charts/kubecost/cost-analyzer/charts/thanos/.helmignore deleted file mode 100644 index f0c131944..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/charts/kubecost/cost-analyzer/charts/thanos/Chart.yaml b/charts/kubecost/cost-analyzer/charts/thanos/Chart.yaml deleted file mode 100644 index 5c5c39c18..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/Chart.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -appVersion: 0.29.0 -description: Thanos is a set of components that can be composed into a highly available - metric system with unlimited storage capacity, which can be added seamlessly on - top of existing Prometheus deployments. -icon: https://raw.githubusercontent.com/thanos-io/thanos/master/website/static/Thanos-logo_full.svg -keywords: -- thanos -- prometheus -- metrics -maintainers: -- email: info@banzaicloud.com - name: Banzai Cloud -name: thanos -sources: -- https://github.com/thanos-io/thanos -- https://github.com/banzaicloud/banzai-charts/tree/master/thanos -version: 0.29.0 diff --git a/charts/kubecost/cost-analyzer/charts/thanos/requirements.yaml b/charts/kubecost/cost-analyzer/charts/thanos/requirements.yaml deleted file mode 100644 index e69de29bb..000000000 diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/NOTES.txt b/charts/kubecost/cost-analyzer/charts/thanos/templates/NOTES.txt deleted file mode 100644 index e69de29bb..000000000 diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/charts/thanos/templates/_helpers.tpl deleted file mode 100644 index 7b5fb57d8..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/_helpers.tpl +++ /dev/null 
@@ -1,51 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "thanos.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "thanos.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "thanos.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - - -{{/* -Create a default fully qualified component name from the full app name and a component name. -We truncate the full name at 63 - 1 (last dash) - len(component name) chars because some Kubernetes name fields are limited to this (by the DNS naming spec) -and we want to make sure that the component is included in the name. -*/}} -{{- define "thanos.componentname" -}} -{{- $global := index . 0 -}} -{{- $component := index . 1 | trimPrefix "-" -}} -{{- printf "%s-%s" (include "thanos.fullname" $global | trunc (sub 62 (len $component) | int) | trimSuffix "-" ) $component | trimSuffix "-" -}} -{{- end -}} - -{{/* - -*/}} -{{- define "thanos.secretname" }} -{{- default (include "thanos.name" .) .Values.storeSecretName }} -{{- end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-deployment.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-deployment.yaml
deleted file mode 100644
index e6d6f6a4c..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-deployment.yaml
+++ /dev/null
@@ -1,109 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if .Values.bucket.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "thanos.componentname" (list $ "bucket") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: bucket -{{ with .Values.bucket.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end -}} - {{- with .Values.bucket.deploymentAnnotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.bucket.replicaCount | default 1 }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: bucket -{{ with .Values.bucket.deploymentMatchLabels }}{{ toYaml . | indent 6 }}{{ end }} -{{ with .Values.bucket.deploymentStrategy }} - strategy: {{ toYaml . | nindent 4 }} -{{ end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: bucket -{{ with .Values.bucket.labels }}{{ toYaml . | indent 8 }}{{ end }} - {{- with .Values.bucket.annotations }} - annotations: {{ toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: thanos-bucket - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: {{- with .Values.bucket.extraEnv }}{{ toYaml . 
| nindent 8 }}{{- end }} - args: - - "tools" - - "bucket" - - "web" - - "--log.level={{ .Values.bucket.logLevel }}" - - "--http-address=0.0.0.0:{{ .Values.bucket.http.port }}" - - "--objstore.config-file=/etc/config/object-store.yaml" - {{- if .Values.bucket.refresh }} - - "--refresh={{ .Values.bucket.refresh }}" - {{- end }} - {{- if .Values.bucket.timeout }} - - "--timeout={{ .Values.bucket.timeout }}" - {{- end }} - {{- if .Values.bucket.label }} - - "--label={{ .Values.bucket.label }}" - {{- end }} - {{ with .Values.bucket.extraArgs }}{{ toYaml . | nindent 8 }}{{- end }} - ports: - - name: http - containerPort: {{ .Values.bucket.http.port }} - volumeMounts: - {{- if .Values.bucket.selfsignedCertConfigMapName }} - - name: {{ .Values.bucket.selfsignedCertConfigMapName }} - mountPath: /etc/ssl/certs/my-cert.pem - subPath: my-cert.pem - readOnly: false - {{- end }} - - name: config-volume - mountPath: /etc/config - readOnly: true - resources: {{ toYaml .Values.bucket.resources | nindent 10 }} - volumes: - {{- if .Values.bucket.selfsignedCertConfigMapName }} - - name: {{ .Values.bucket.selfsignedCertConfigMapName }} - configMap: - name: {{ .Values.bucket.selfsignedCertConfigMapName }} - {{- end }} - - name: config-volume - secret: - secretName: {{ include "thanos.secretname" . }} - {{- with .Values.bucket.securityContext }} - securityContext: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.bucket.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.bucket.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.bucket.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.bucket.serviceAccount }} - serviceAccountName: "{{ . }}" - {{- end }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-ingress.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-ingress.yaml
deleted file mode 100644
index fc0face08..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-ingress.yaml
+++ /dev/null
@@ -1,64 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if and .Values.bucket.enabled .Values.bucket.http.ingress.enabled }} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "bucket") }} - namespace: {{ .Release.Namespace }} - {{- with .Values.bucket.http.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: bucket - {{- if .Values.bucket.http.ingress.labels }} -{{ toYaml .Values.bucket.http.ingress.labels | indent 4 }} - {{- end }} -spec: -{{- if .Values.bucket.http.ingress.className }} - ingressClassName: {{ .Values.ingress.bucket.http.className }} -{{- end }} - {{- if .Values.bucket.http.ingress.tls }} - tls: - {{- range .Values.bucket.http.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.bucket.http.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.bucket.http.ingress.path }} - pathType: {{ $.Values.bucket.http.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "bucket") }} - port: - number: {{ $.Values.bucket.http.port }} - {{- else }} - - path: {{ $.Values.bucket.http.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "bucket") }} - servicePort: {{ $.Values.bucket.http.port }} - {{- end }} - {{- end }} -{{ end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-poddisruptionbudget.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-poddisruptionbudget.yaml deleted file mode 100644 index 418a48d2c..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-poddisruptionbudget.yaml +++ /dev/null 
@@ -1,31 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{- if and .Values.bucket.enabled .Values.bucket.podDisruptionBudget.enabled }}
-{{- if .Capabilities.APIVersions.Has "policy/v1" -}}
-apiVersion: policy/v1
-{{- else}}
-apiVersion: policy/v1beta1
-{{- end }}
-kind: PodDisruptionBudget
-metadata:
- name: {{ include "thanos.componentname" (list $ "bucket") }}
- labels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- helm.sh/chart: {{ include "thanos.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }}
- app.kubernetes.io/component: bucket
-{{ with .Values.bucket.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }}
-spec:
- {{- if .Values.bucket.podDisruptionBudget.minAvailable }}
- minAvailable: {{ .Values.bucket.podDisruptionBudget.minAvailable }}
- {{- end }}
- {{- if .Values.bucket.podDisruptionBudget.maxUnavailable }}
- maxUnavailable: {{ .Values.bucket.podDisruptionBudget.maxUnavailable }}
- {{- end }}
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- app.kubernetes.io/component: bucket
-{{- end }}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-service.yaml
deleted file mode 100644
index 9b656eb2a..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/bucket-service.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{ if .Values.bucket.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "thanos.componentname" (list $ "bucket") }}
- namespace: {{ .Release.Namespace }}
- {{- with .Values.bucket.http.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- helm.sh/chart: {{ include "thanos.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }}
- app.kubernetes.io/component: bucket
-{{ with .Values.bucket.http.service.labels }}{{ toYaml . | indent 4 }}{{ end }}
-spec:
- ports:
- - port: {{ .Values.bucket.http.port }}
- protocol: TCP
- targetPort: http
- name: http
- selector:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: bucket
-{{ with .Values.bucket.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }}
-{{ end }}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-deployment.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-deployment.yaml
deleted file mode 100644
index 8bcb5b4ac..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-deployment.yaml
+++ /dev/null
@@ -1,129 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if .Values.compact.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "thanos.componentname" (list $ "compact") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: compact -{{ with .Values.compact.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end -}} - {{- with .Values.compact.deploymentAnnotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.compact.replicaCount | default 1 }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: compact -{{ with .Values.compact.deploymentMatchLabels }}{{ toYaml . | indent 6 }}{{ end }} -{{ with .Values.compact.deploymentStrategy }} - strategy: {{ toYaml . | nindent 4 }} -{{ end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: compact -{{ with .Values.compact.labels }}{{ toYaml . | indent 8 }}{{ end }} - {{- with .Values.compact.annotations }} - annotations: {{ toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.compact.metrics.annotations.enabled }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.compact.http.port }}" - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: thanos-compact - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: {{- with .Values.compact.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} - args: - - "compact" - - "--log.level={{ .Values.compact.logLevel }}" - - "--http-address=0.0.0.0:{{ .Values.compact.http.port }}" - - "--objstore.config-file=/etc/config/object-store.yaml" - - "--data-dir=/var/thanos/compact" - - "--consistency-delay={{ .Values.compact.consistencyDelay }}" - - "--retention.resolution-raw={{ .Values.compact.retentionResolutionRaw }}" - - "--retention.resolution-5m={{ .Values.compact.retentionResolution5m }}" - - "--retention.resolution-1h={{ .Values.compact.retentionResolution1h }}" - - "--compact.concurrency={{ .Values.compact.compactConcurrency }}" -{{- if .Values.compact.disableDownsampling }} - - "--downsampling.disable" -{{- end }} - - "--wait" -{{ with .Values.compact.extraArgs }}{{ toYaml . 
| indent 8 }}{{- end }} - ports: - - name: http - containerPort: {{ .Values.compact.http.port }} - volumeMounts: - {{- if .Values.compact.selfsignedCertConfigMapName }} - - name: {{ .Values.compact.selfsignedCertConfigMapName }} - mountPath: /etc/ssl/certs/my-cert.pem - subPath: my-cert.pem - readOnly: false - {{- end }} - - name: config-volume - mountPath: /etc/config - readOnly: true - - name: data-volume - mountPath: /var/thanos/compact - resources: {{ toYaml .Values.compact.resources | nindent 10 }} - volumes: - {{- if .Values.compact.selfsignedCertConfigMapName }} - - name: {{ .Values.compact.selfsignedCertConfigMapName }} - configMap: - name: {{ .Values.compact.selfsignedCertConfigMapName }} - {{- end }} - - name: data-volume - {{- if .Values.compact.dataVolume }} - {{- if .Values.compact.dataVolume.persistentVolumeClaim }} - {{- if .Values.compact.dataVolume.persistentVolumeClaim.claimName }} - persistentVolumeClaim: - claimName: {{ .Values.compact.dataVolume.persistentVolumeClaim.claimName }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config-volume - secret: - secretName: {{ include "thanos.secretname" . }} - {{- with .Values.compact.securityContext }} - securityContext: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.compact.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.compact.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.compact.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.compact.serviceAccount }} - serviceAccountName: "{{ . }}" - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-pvc.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-pvc.yaml deleted file mode 100644 index 61fb72844..000000000 
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-pvc.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{- if .Values.compact.enabled }}
-{{- if .Values.compact.dataVolume -}}
-{{- if .Values.compact.dataVolume.persistentVolumeClaim -}}
-{{- if .Values.compact.dataVolume.persistentVolumeClaim.claimName -}}
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
- name: {{ .Values.compact.dataVolume.persistentVolumeClaim.claimName }}
- namespace: {{ .Release.Namespace }}
-spec:
- accessModes:
- - ReadWriteOnce
- {{- if .Values.compact.dataVolume.persistentVolumeClaim.storageClass }}
- storageClassName: {{ .Values.compact.dataVolume.persistentVolumeClaim.storageClass }}
- {{- end }}
- resources:
- requests:
- {{- if .Values.compact.dataVolume.persistentVolumeClaim.storage }}
- storage: {{ .Values.compact.dataVolume.persistentVolumeClaim.storage }}
- {{- else }}
- storage: 100Gi
- {{- end }}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{- end -}}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-service.yaml
deleted file mode 100644
index 1cdb1e8f1..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-service.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{ if .Values.compact.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "thanos.componentname" (list $ "compact") }}
- namespace: {{ .Release.Namespace }}
- {{- with .Values.compact.http.service.annotations }}
- annotations: {{ toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- helm.sh/chart: {{ include "thanos.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }}
- app.kubernetes.io/component: compact
-{{ with .Values.compact.http.service.labels }}{{ toYaml . | indent 4 }}{{ end }}
-spec:
- ports:
- - port: {{ .Values.compact.http.port }}
- protocol: TCP
- targetPort: http
- name: http
- selector:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: compact
-{{ with .Values.compact.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }}
-{{ end}}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-servicemonitor.yaml
deleted file mode 100644
index 025d093f6..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/compact-servicemonitor.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{- if and .Values.compact.enabled .Values.compact.metrics.serviceMonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
- name: {{ include "thanos.componentname" (list $ "compact") }}
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- helm.sh/chart: {{ include "thanos.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }}
- app.kubernetes.io/component: compact
-{{ with .Values.compact.metrics.serviceMonitor.labels }}{{ toYaml . | indent 4 }}{{ end }}
-spec:
- jobLabel: thanos-compact
- selector:
- matchLabels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/component: compact
- namespaceSelector:
- matchNames:
- - {{ .Release.Namespace }}
- endpoints:
- - port: http
- interval: {{ .Values.compact.metrics.serviceMonitor.interval | default "15s" }}
- {{- with .Values.compact.metrics.serviceMonitor.relabellings }}
- metricRelabelings: {{ toYaml . | nindent 8 }}
- {{- end }}
-{{- end -}}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-deployment.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-deployment.yaml
deleted file mode 100644
index 5cf998151..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-deployment.yaml
+++ /dev/null
@@ -1,159 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if .Values.query.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "thanos.componentname" (list $ "query") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -{{ with .Values.query.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }} - {{- with .Values.query.deploymentAnnotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if not .Values.query.autoscaling.enabled }} - replicas: {{ .Values.query.replicaCount | default 1 }} -{{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query -{{ with .Values.query.deploymentMatchLabels }}{{ toYaml . | indent 6 }}{{ end }} -{{ with .Values.query.deploymentStrategy }} - strategy: {{ toYaml . | nindent 4 }} -{{ end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query -{{ with .Values.query.labels }}{{ toYaml . | indent 8 }}{{ end }} - {{- with .Values.query.annotations }} - annotations: {{ toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.query.metrics.annotations.enabled }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.query.http.port }}" - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: thanos-query - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - "query" - - "--log.level={{ .Values.query.logLevel }}" - - "--grpc-address=0.0.0.0:{{ .Values.query.grpc.port }}" - - "--http-address=0.0.0.0:{{ .Values.query.http.port }}" - - "--query.timeout={{ .Values.query.timeout }}" - - "--query.max-concurrent={{ .Values.query.maxConcurrent }}" - {{- if .Values.query.autoDownsampling }} - - "--query.auto-downsampling" - {{- end }} - {{- if .Values.query.replicaLabel }} - - "--query.replica-label={{ .Values.query.replicaLabel }}" - {{- end }} - {{- if .Values.query.webRoutePrefix }} - - "--web.route-prefix={{ .Values.query.webRoutePrefix }}" - {{- end }} - {{- if .Values.query.webExternalPrefix }} - - "--web.external-prefix={{ .Values.query.webExternalPrefix }}" - {{- end }} - {{- if .Values.query.webPrefixHeader }} - - "--web.prefix-header={{ .Values.query.webPrefixHeader }}" - {{- end }} - {{- if .Values.query.storeDNSResolver }} - - "--store.sd-dns-resolver={{ .Values.query.storeDNSResolver }}" - {{- end }} - {{- if .Values.query.storeDNSDiscovery }} - - "--store=dnssrv+_grpc._tcp.{{ include "thanos.componentname" (list $ "store") }}-grpc.{{ .Release.Namespace }}.svc" - {{- end }} - {{- if .Values.query.sidecarDNSDiscovery }} - - "--store=dnssrv+_grpc._tcp.{{ include "thanos.componentname" (list $ "sidecar") }}-grpc.{{ .Release.Namespace }}.svc" - {{- end }} - {{- range .Values.query.stores }} - - "--endpoint={{ . 
}}" - {{- end }} - {{- range .Values.query.serviceDiscoveryFiles }} - - "--store.sd-files={{ . }}" - {{- end }} - {{- range .Values.query.serviceDiscoveryFileConfigMaps }} - - "--store.sd-files=/etc/query/{{ . }}/*.yaml" - - "--store.sd-files=/etc/query/{{ . }}/*.yml" - - "--store.sd-files=/etc/query/{{ . }}/*.json" - {{- end }} - {{- if .Values.query.serviceDiscoveryInterval }} - - "--store.sd-interval={{ .Values.query.serviceDiscoveryInterval }}" - {{- end }} - - {{- if .Values.query.extraArgs }} - {{ toYaml .Values.query.extraArgs | nindent 8 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.query.http.port }} - - name: grpc - containerPort: {{ .Values.query.grpc.port }} - resources: - {{ toYaml .Values.query.resources | nindent 10 }} - env: - {{- toYaml .Values.query.extraEnv | nindent 10 }} - volumeMounts: - {{- range .Values.query.serviceDiscoveryFileConfigMaps }} - - mountPath: /etc/query/{{ . }} - name: {{ . }} - {{- end }} - {{- if .Values.query.certSecretName }} - - mountPath: /etc/certs - name: {{ .Values.query.certSecretName }} - readOnly: true - {{- end }} - livenessProbe: - httpGet: - path: /-/healthy - port: http - volumes: - {{- range .Values.query.serviceDiscoveryFileConfigMaps }} - - name: {{ . }} - configMap: - defaultMode: 420 - name: {{ . }} - {{- end }} - {{- if .Values.query.certSecretName }} - - name: {{ .Values.query.certSecretName }} - secret: - defaultMode: 420 - secretName: {{ .Values.query.certSecretName }} - {{- end }} - {{- with .Values.query.securityContext }} - securityContext: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.query.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.query.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.query.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.query.serviceAccount }} - serviceAccountName: "{{ . }}" - {{- end }} -{{ end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-deployment.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-deployment.yaml
deleted file mode 100644
index dd993ba4a..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-deployment.yaml
+++ /dev/null
@@ -1,151 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if .Values.queryFrontend.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "thanos.componentname" (list $ "query-frontend") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }} - {{- with .Values.queryFrontend.deploymentAnnotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if not .Values.queryFrontend.autoscaling.enabled }} - replicas: {{ .Values.queryFrontend.replicaCount | default 1 }} -{{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.deploymentMatchLabels }}{{ toYaml . | indent 6 }}{{ end }} -{{ with .Values.queryFrontend.deploymentStrategy }} - strategy: {{ toYaml . | nindent 4 }} -{{ end }} - template: - metadata: - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.labels }}{{ toYaml . | indent 8 }}{{ end }} - {{- with .Values.queryFrontend.annotations }} - annotations: {{ toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.queryFrontend.metrics.annotations.enabled }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.queryFrontend.http.port }}" - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: thanos-query-frontend - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - "query-frontend" - - "--log.level={{ .Values.queryFrontend.logLevel }}" - - "--http-address=0.0.0.0:{{ .Values.queryFrontend.http.port }}" - - "--query-frontend.downstream-url=http://{{ include "thanos.componentname" (list $ "query") }}-http.{{ .Release.Namespace }}:{{ .Values.query.http.port }}" - - "--query-range.split-interval={{ .Values.queryFrontend.splitInterval }}" - - "--query-range.max-retries-per-request={{ .Values.queryFrontend.maxRetriesPerRequest }}" - - "--query-range.max-query-length={{ .Values.queryFrontend.maxQueryLength }}" - - "--query-range.max-query-parallelism={{ .Values.queryFrontend.maxQueryParallelism }}" - - "--query-range.response-cache-max-freshness={{ .Values.queryFrontend.responseCacheMaxFreshness }}" - {{- if .Values.queryFrontend.downstreamTripper.enabled }} - {{- with .Values.queryFrontend.downstreamTripper }} - - |- - --query-frontend.downstream-tripper-config= - idle_conn_timeout: {{ quote .idleConnectionTimeout }} - response_header_timeout: {{ quote .responseHeaderTimeout }} - tls_handshake_timeout: {{ quote .tlsHandshakeTimeout }} - expect_continue_timeout: {{ quote .expectContinueTimeout }} - max_idle_conns: {{ .maxIdleConnections }} - max_idle_conns_per_host: {{ .maxIdleConnectionsPerHost }} - max_conns_per_host: {{ .maxConnectionsPerHost }} - {{- end }} - {{- else if .Values.queryFrontend.downstreamTripperConfigFile }} - - 
"--query-frontend.downstream-tripper-config-file={{ .Values.queryFrontend.downstreamTripperConfigFile }}" - {{- else if .Values.queryFrontend.downstreamTripperConfig }} - - |- - --query-frontend.downstream-tripper-config={{ toYaml .Values.queryFrontend.downstreamTripperConfig | nindent 12 }} - {{- end }} - {{- if .Values.queryFrontend.responseCache.enabled }} - {{- with .Values.queryFrontend.responseCache }} - - |- - --query-range.response-cache-config= - config: - max_size: {{ quote .maxSize }} - max_size_items: {{ .maxSizeItems }} - validity: {{ quote .validity }} - type: "in-memory" - {{- end }} - {{- else if .Values.queryFrontend.responseCacheConfigFile }} - - "--query-range.response-cache-config-file={{ .Values.queryFrontend.responseCacheConfigFile }}" - {{- else if .Values.queryFrontend.responseCacheConfig }} - - |- - --query-range.response-cache-config={{ toYaml .Values.queryFrontend.responseCacheConfig | nindent 12 }} - {{- end }} - {{- if .Values.queryFrontend.compressResponses }} - - "--query-frontend.compress-responses" - {{- end }} - {{- if .Values.queryFrontend.partialResponse }} - - "--query-range.partial-response" - {{- end }} - {{- if .Values.queryFrontend.extraArgs }} - {{ toYaml .Values.queryFrontend.extraArgs | nindent 8 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.queryFrontend.http.port }} - resources: - {{ toYaml .Values.queryFrontend.resources | nindent 10 }} - env: - {{- toYaml .Values.queryFrontend.extraEnv | nindent 10 }} - volumeMounts: - {{- if .Values.queryFrontend.certSecretName }} - - mountPath: /etc/certs - name: {{ .Values.queryFrontend.certSecretName }} - readOnly: true - {{- end }} - livenessProbe: - httpGet: - path: /-/healthy - port: http - volumes: - {{- if .Values.queryFrontend.certSecretName }} - - name: {{ .Values.queryFrontend.certSecretName }} - secret: - defaultMode: 420 - secretName: {{ .Values.queryFrontend.certSecretName }} - {{- end }} - {{- with .Values.queryFrontend.securityContext }} - 
securityContext: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.queryFrontend.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.queryFrontend.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.queryFrontend.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.queryFrontend.serviceAccount }} - serviceAccountName: "{{ . }}" - {{- end }} -{{ end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-horizontalpodautoscaler.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-horizontalpodautoscaler.yaml deleted file mode 100644 index a9da03205..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-horizontalpodautoscaler.yaml +++ /dev/null 
@@ -1,38 +0,0 @@
-{{ if .Values.global.thanos.enabled }}
-{{- if .Values.queryFrontend.enabled }}
-{{- if .Values.queryFrontend.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
- name: {{ include "thanos.componentname" (list $ "query-frontend") }}
- namespace: {{ .Release.Namespace }}
- labels:
- app.kubernetes.io/name: {{ include "thanos.name" . }}
- helm.sh/chart: {{ include "thanos.chart" . }}
- app.kubernetes.io/instance: {{ .Release.Name }}
- app.kubernetes.io/managed-by: {{ .Release.Service }}
- app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }}
- app.kubernetes.io/component: query-frontend
-spec:
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: {{ include "thanos.componentname" (list $ "query-frontend") }}
- minReplicas: {{ .Values.queryFrontend.autoscaling.minReplicas }}
- maxReplicas: {{ .Values.queryFrontend.autoscaling.maxReplicas }}
- metrics:
-{{- with .Values.queryFrontend.autoscaling.targetMemoryUtilizationPercentage }}
- - type: Resource
- resource:
- name: memory
- targetAverageUtilization: {{ . }}
-{{- end }}
-{{- with .Values.queryFrontend.autoscaling.targetCPUUtilizationPercentage }}
- - type: Resource
- resource:
- name: cpu
- targetAverageUtilization: {{ . }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-ingress.yml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-ingress.yml
deleted file mode 100644
index 2a9288661..000000000
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-ingress.yml
+++ /dev/null
@@ -1,67 +0,0 @@ ---- -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.queryFrontend.enabled .Values.queryFrontend.http.ingress.enabled }} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "query-frontend") }}-http - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query-frontend - {{- if .Values.queryFrontend.http.ingress.labels }} - {{ toYaml .Values.queryFrontend.http.ingress.labels | indent 4 }} - {{- end }} - {{- with .Values.queryFrontend.http.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.queryFrontend.http.ingress.className }} - ingressClassName: {{ .Values.ingress.queryFrontend.http.className }} -{{- end }} - {{- if .Values.queryFrontend.http.ingress.tls }} - tls: - {{- range .Values.queryFrontend.http.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - {{- if .secretName }} - secretName: {{ .secretName }} - {{- end}} - {{- end }} - {{- end }} - rules: - {{- range .Values.queryFrontend.http.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.queryFrontend.http.ingress.path }} - pathType: {{ $.Values.queryFrontend.http.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "query-frontend") }}-http - port: - number: {{ $.Values.queryFrontend.http.port }} - {{- else }} - - path: {{ $.Values.queryFrontend.http.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "query-frontend") }}-http - servicePort: {{ $.Values.queryFrontend.http.port }} - {{- end }} - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-poddisruptionbudget.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-poddisruptionbudget.yaml deleted file mode 100644 index 79d489865..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-poddisruptionbudget.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.queryFrontend.enabled .Values.queryFrontend.podDisruptionBudget.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1" -}} -apiVersion: policy/v1 -{{- else}} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "thanos.componentname" (list $ "query-frontend") }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - {{- if .Values.queryFrontend.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.queryFrontend.podDisruptionBudget.minAvailable }} - {{- end }} - {{- if .Values.queryFrontend.podDisruptionBudget.maxUnavailable }} - maxUnavailable: {{ .Values.queryFrontend.podDisruptionBudget.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/component: query-frontend -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-service.yaml deleted file mode 100644 index a7b3d7d0f..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-service.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.queryFrontend.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "query-frontend") }}-http - namespace: {{ .Release.Namespace }} - {{- with .Values.queryFrontend.http.service.annotations }} - annotations: {{ toYaml .| nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.http.service.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - type: {{ .Values.queryFrontend.http.service.type }} - {{- if .Values.queryFrontend.http.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.queryFrontend.http.externalTrafficPolicy }} - {{- end }} - ports: - - port: {{ .Values.queryFrontend.http.port }} - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-servicemonitor.yaml deleted file mode 100644 index 0da1bf8c0..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-frontend-servicemonitor.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.queryFrontend.enabled .Values.queryFrontend.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "thanos.componentname" (list $ "query-frontend") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query-frontend -{{ with .Values.queryFrontend.metrics.serviceMonitor.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - jobLabel: thanos-query - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query-frontend - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - endpoints: - - port: http - interval: {{ .Values.queryFrontend.metrics.serviceMonitor.interval | default "15s" }} - {{- with .Values.queryFrontend.metrics.serviceMonitor.relabellings }} - metricRelabelings: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-horizontalpodautoscaler.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-horizontalpodautoscaler.yaml deleted file mode 100644 index 8f847e1a1..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-horizontalpodautoscaler.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.query.enabled }} -{{- if .Values.query.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "thanos.componentname" (list $ "query") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "thanos.componentname" (list $ "query") }} - minReplicas: {{ .Values.query.autoscaling.minReplicas }} - maxReplicas: {{ .Values.query.autoscaling.maxReplicas }} - metrics: -{{- with .Values.query.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ . }} -{{- end }} -{{- with .Values.query.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ . }} -{{- end }} -{{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-ingress.yml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-ingress.yml deleted file mode 100644 index b4405bbe7..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-ingress.yml +++ /dev/null 
@@ -1,132 +0,0 @@ ---- -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.query.enabled .Values.query.http.ingress.enabled }} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "query") }}-http - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query - {{- if .Values.query.http.ingress.labels }} - {{ toYaml .Values.query.http.ingress.labels | indent 4 }} - {{- end }} - {{- with .Values.query.http.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.query.http.ingress.className }} - ingressClassName: {{ .Values.ingress.query.http.className }} -{{- end }} - {{- if .Values.query.http.ingress.tls }} - tls: - {{- range .Values.query.http.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - {{- if .secretName }} - secretName: {{ .secretName }} - {{- end}} - {{- end }} - {{- end }} - rules: - {{- range .Values.query.http.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.query.http.ingress.path }} - pathType: {{ $.Values.query.http.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "query") }}-http - port: - number: {{ $.Values.query.http.port }} - {{- else }} - - path: {{ $.Values.query.http.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "query") }}-http - servicePort: {{ $.Values.query.http.port }} - {{- end }} - {{- end }} -{{- end }} - -{{- if and .Values.query.enabled .Values.query.grpc.ingress.enabled }} ---- -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "query") }}-grpc - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query - {{- if .Values.query.grpc.ingress.labels }} - {{ toYaml .Values.grpc.ingress.labels | indent 4 }} - {{- end }} - {{- with .Values.query.grpc.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.query.grpc.ingress.className }} - ingressClassName: {{ .Values.ingress.query.grpc.className }} -{{- end }} - {{- if .Values.query.grpc.ingress.tls }} - tls: - {{- range .Values.query.grpc.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . 
| quote }} - {{- end }} - {{- if .secretName }} - secretName: {{ .secretName }} - {{- end}} - {{- end }} - {{- end }} - rules: - {{- range .Values.query.grpc.ingress.hosts }} - - host: {{ . }} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.query.grpc.ingress.path }} - pathType: {{ $.Values.query.grpc.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "query") }}-grpc - port: - number: {{ $.Values.query.grpc.port }} - {{- else }} - - path: {{ $.Values.query.grpc.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "query") }}-grpc - servicePort: {{ $.Values.query.grpc.port }} - {{- end }} - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-poddisruptionbudget.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-poddisruptionbudget.yaml deleted file mode 100644 index 0b6d0c3c9..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-poddisruptionbudget.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.query.enabled .Values.query.podDisruptionBudget.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1" -}} -apiVersion: policy/v1 -{{- else}} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "thanos.componentname" (list $ "query") }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -{{ with .Values.query.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - {{- if .Values.query.podDisruptionBudget.minAvailable }} - minAvailable: {{ .Values.query.podDisruptionBudget.minAvailable }} - {{- end }} - {{- if .Values.query.podDisruptionBudget.maxUnavailable }} - maxUnavailable: {{ .Values.query.podDisruptionBudget.maxUnavailable }} - {{- end }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/component: query -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-service.yaml deleted file mode 100644 index 24d4bd939..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-service.yaml +++ /dev/null 
@@ -1,66 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.query.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "query") }}-grpc - namespace: {{ .Release.Namespace }} - {{- with .Values.query.grpc.service.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -{{ with .Values.query.grpc.service.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - type: ClusterIP - clusterIP: None - ports: - - port: {{ .Values.query.grpc.port }} - targetPort: grpc - protocol: TCP - name: grpc - selector: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query -{{ with .Values.query.grpc.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "query") }}-http - {{- with .Values.query.http.service.annotations }} - annotations: {{ toYaml .| nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -{{ with .Values.query.http.service.labels }}{{ toYaml . 
| indent 4 }}{{ end }} -spec: - type: {{ .Values.query.http.service.type }} - {{- if .Values.query.http.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.query.http.externalTrafficPolicy }} - {{- end }} - ports: - - port: {{ .Values.query.http.port }} - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query -{{ with .Values.query.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/query-servicemonitor.yaml deleted file mode 100644 index 27b60ba17..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/query-servicemonitor.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.query.enabled .Values.query.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "thanos.componentname" (list $ "query") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: query -{{ with .Values.query.metrics.serviceMonitor.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - jobLabel: thanos-query - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: query - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - endpoints: - - port: http - interval: {{ .Values.query.metrics.serviceMonitor.interval | default "15s" }} - {{- with .Values.query.metrics.serviceMonitor.relabellings }} - metricRelabelings: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-service.yaml deleted file mode 100644 index 55d5c968a..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-service.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.sidecar.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "sidecar") }}-grpc - namespace: {{ .Release.Namespace }} - {{- with .Values.sidecar.grpc.service.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: sidecar -{{ with .Values.sidecar.grpc.service.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - type: ClusterIP - clusterIP: None - ports: - - port: {{ .Values.sidecar.grpc.port }} - protocol: TCP - targetPort: grpc - name: grpc - selector: - app: prometheus -{{ with .Values.sidecar.grpc.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "sidecar") }}-http - {{- with .Values.sidecar.http.service.annotations }} - annotations: {{ toYaml .| nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: sidecar -{{ with .Values.sidecar.http.service.labels }}{{ toYaml . 
| indent 4 }}{{ end }} -spec: - type: {{ .Values.sidecar.http.service.type }} - {{- if .Values.sidecar.http.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.sidecar.http.externalTrafficPolicy }} - {{- end }} - ports: - - port: {{ .Values.sidecar.http.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: prometheus -{{ with .Values.sidecar.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-servicemonitor.yaml deleted file mode 100644 index d826a0bf1..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/sidecar-servicemonitor.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.sidecar.enabled .Values.sidecar.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "thanos.componentname" (list $ "sidecar") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: sidecar -{{ with .Values.sidecar.metrics.serviceMonitor.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - jobLabel: thanos-sidecar - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: sidecar - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - endpoints: - - port: http - interval: {{ .Values.sidecar.metrics.serviceMonitor.interval | default "15s" }} - {{- with .Values.sidecar.metrics.serviceMonitor.relabellings }} - metricRelabelings: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-deployment.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/store-deployment.yaml deleted file mode 100644 index 8180c1e54..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-deployment.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{ if .Values.store.enabled }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "thanos.componentname" (list $ "store") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store -{{ with .Values.store.deploymentLabels }}{{ toYaml . | indent 4 }}{{ end }} - {{- with .Values.store.deploymentAnnotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.store.replicaCount | default 1 }} - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: store -{{ with .Values.store.deploymentMatchLabels }}{{ toYaml . | indent 6 }}{{ end }} -{{ with .Values.store.deploymentStrategy }} - strategy: {{ toYaml . | nindent 4 }} -{{ end }} - template: - metadata: - labels: -{{ with .Values.store.labels }}{{ toYaml . | indent 8 }}{{ end }} - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: store - {{- with .Values.store.annotations }} - annotations: {{ toYaml . 
| nindent 8 }} - {{- end }} - {{- if .Values.store.metrics.annotations.enabled }} - prometheus.io/scrape: "true" - prometheus.io/port: "{{ .Values.store.http.port }}" - {{- end }} - spec: - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" - {{- end }} - containers: - - name: thanos-store - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - args: - - "store" - - "--data-dir=/var/thanos/store" - - "--log.level={{ .Values.store.logLevel }}" - - "--http-address=0.0.0.0:{{ .Values.store.http.port }}" - - "--grpc-address=0.0.0.0:{{ .Values.store.grpc.port }}" - - "--objstore.config-file=/etc/config/object-store.yaml" - {{- if .Values.store.indexCacheSize }} - - "--index-cache-size={{ .Values.store.indexCacheSize }}" - {{- end }} - {{- if .Values.store.chunkPoolSize }} - - "--chunk-pool-size={{ .Values.store.chunkPoolSize }}" - {{- end }} - {{- if .Values.store.grpcSeriesSampleLimit }} - - "--store.grpc.series-sample-limit={{ .Values.store.grpcSeriesSampleLimit }}" - {{- end }} - {{- if .Values.store.grpcSeriesMaxConcurrency }} - - "--store.grpc.series-max-concurrency={{ .Values.store.grpcSeriesMaxConcurrency }}" - {{- end }} - {{- if .Values.store.syncBlockDuration }} - - "--sync-block-duration={{ .Values.store.syncBlockDuration }}" - {{- end }} - {{- if .Values.store.blockSyncConcurrency }} - - "--block-sync-concurrency={{ .Values.store.blockSyncConcurrency }}" - {{- end }} - {{- if .Values.store.extraArgs }} - {{ toYaml .Values.store.extraArgs | nindent 8 }} - {{- end }} - ports: - - name: http - containerPort: {{ .Values.store.http.port }} - - name: grpc - containerPort: {{ .Values.store.grpc.port }} - env: - {{- toYaml .Values.store.extraEnv | nindent 10 }} - volumeMounts: - - name: config-volume - mountPath: /etc/config - readOnly: true - {{- 
if .Values.store.selfsignedCertConfigMapName }} - - name: {{ .Values.store.selfsignedCertConfigMapName }} - mountPath: /etc/ssl/certs/my-cert.pem - subPath: my-cert.pem - readOnly: false - {{- end }} - - name: data - mountPath: /var/thanos/store - {{- if .Values.store.certSecretName }} - - mountPath: /etc/certs - name: {{ .Values.store.certSecretName }} - readOnly: true - {{- end }} - resources: - {{ toYaml .Values.store.resources | nindent 10 }} - volumes: - - name: data - {{- if .Values.store.dataVolume }} - {{- if .Values.store.dataVolume.persistentVolumeClaim }} - {{- if .Values.store.dataVolume.persistentVolumeClaim.claimName }} - persistentVolumeClaim: - claimName: {{ .Values.store.dataVolume.persistentVolumeClaim.claimName }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config-volume - secret: - secretName: {{ include "thanos.secretname" . }} - {{- if .Values.store.selfsignedCertConfigMapName }} - - name: {{ .Values.store.selfsignedCertConfigMapName }} - configMap: - name: {{ .Values.store.selfsignedCertConfigMapName }} - {{- end }} - {{- if .Values.store.certSecretName }} - - name: {{ .Values.store.certSecretName }} - secret: - defaultMode: 420 - secretName: {{ .Values.store.certSecretName }} - {{- end }} - {{- with .Values.store.securityContext }} - securityContext: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.store.nodeSelector }} - nodeSelector: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.store.affinity }} - affinity: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.store.tolerations }} - tolerations: {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.store.serviceAccount }} - serviceAccountName: "{{ . }}" - {{- end }} -{{- end }} -{{ end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-ingress.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/store-ingress.yaml deleted file mode 100644 index 43d3c6e1d..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-ingress.yaml +++ /dev/null 
@@ -1,128 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.store.enabled .Values.store.http.ingress.enabled }} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "store") }}-http - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store - {{- if .Values.store.http.ingress.labels }} - {{ toYaml .Values.store.http.ingress.labels | indent 4 }} - {{- end }} - {{- with .Values.store.http.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.store.http.ingress.className }} - ingressClassName: {{ .Values.ingress.store.http.className }} -{{- end }} - {{- if .Values.store.http.ingress.tls }} - tls: - {{- range .Values.store.http.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.store.http.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.store.http.ingress.path }} - pathType: {{ .Values.store.http.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "store") }}-http - port: - number: {{ $.Values.store.http.port }} - {{- else }} - - path: {{ $.Values.store.http.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "store") }}-http - servicePort: {{ $.Values.store.http.port }} - {{- end }} - {{- end }} -{{- end }} - ---- - - {{- if and .Values.store.enabled .Values.store.grpc.ingress.enabled }} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ include "thanos.componentname" (list $ "store") }}-grpc - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store - {{- if .Values.store.grpc.ingress.labels }} - {{ toYaml .Values.grpc.ingress.labels | indent 4 }} - {{- end }} - {{- with .Values.store.grpc.ingress.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.store.grpc.ingress.className }} - ingressClassName: {{ .Values.ingress.store.grpc.className }} -{{- end }} - {{- if .Values.store.grpc.ingress.tls }} - tls: - {{- range .Values.store.grpc.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.store.grpc.ingress.hosts }} - - host: {{ . 
}} - http: - paths: - {{- if $apiV1 }} - - path: {{ $.Values.store.grpc.ingress.path }} - pathType: {{ $.Values.store.grpc.ingress.pathType }} - backend: - service: - name: {{ include "thanos.componentname" (list $ "store") }}-grpc - port: - number: {{ $.Values.store.grpc.port }} - {{- else }} - - path: {{ $.Values.store.grpc.ingress.path }} - backend: - serviceName: {{ include "thanos.componentname" (list $ "store") }}-grpc - servicePort: {{ $.Values.store.grpc.port }} - {{- end }} - {{- end }} -{{- end }} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-pvc.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/store-pvc.yaml deleted file mode 100644 index 85c83f4a9..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-pvc.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.store.enabled }} -{{- if .Values.store.dataVolume -}} -{{- if .Values.store.dataVolume.persistentVolumeClaim -}} -{{- if .Values.store.dataVolume.persistentVolumeClaim.claimName -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ .Values.store.dataVolume.persistentVolumeClaim.claimName }} - namespace: {{ .Release.Namespace }} -spec: - accessModes: - - ReadWriteOnce - {{- if .Values.store.dataVolume.persistentVolumeClaim.storageClass }} - storageClassName: {{ .Values.store.dataVolume.persistentVolumeClaim.storageClass }} - {{- end }} - resources: - requests: - {{- if .Values.store.dataVolume.persistentVolumeClaim.storage }} - storage: {{ .Values.store.dataVolume.persistentVolumeClaim.storage }} - {{- else }} - storage: 100Gi - {{- end }} -{{- end -}} -{{- end -}} -{{- end -}} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-service.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/store-service.yaml deleted file mode 100644 index dd912a8fb..000000000 
--- a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-service.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if .Values.store.enabled }} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "store") }}-grpc - namespace: {{ .Release.Namespace }} - {{- with .Values.store.grpc.service.annotations }} - annotations: {{ toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store -{{ with .Values.store.grpc.service.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - type: ClusterIP - clusterIP: None - ports: - - port: {{ .Values.store.grpc.port }} - targetPort: grpc - protocol: TCP - name: grpc - selector: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: store -{{ with .Values.store.grpc.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ include "thanos.componentname" (list $ "store") }}-http - namespace: {{ .Release.Namespace }} - {{- with .Values.store.http.service.annotations }} - annotations: {{ toYaml .| nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ $.Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store -{{ with .Values.store.http.service.labels }}{{ toYaml . 
| indent 4 }}{{ end }} -spec: - type: {{ .Values.store.http.service.type }} - {{- if .Values.store.http.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.store.http.externalTrafficPolicy }} - {{- end }} - ports: - - port: {{ .Values.store.http.port }} - targetPort: http - protocol: TCP - name: http - selector: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: store -{{ with .Values.store.http.service.matchLabels }}{{ toYaml . | indent 4 }}{{ end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-servicemonitor.yaml b/charts/kubecost/cost-analyzer/charts/thanos/templates/store-servicemonitor.yaml deleted file mode 100644 index 5ee7d49b7..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/templates/store-servicemonitor.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{ if .Values.global.thanos.enabled }} -{{- if and .Values.store.enabled .Values.store.metrics.serviceMonitor.enabled }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "thanos.componentname" (list $ "store") }} - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - helm.sh/chart: {{ include "thanos.chart" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/managed-by: {{ .Release.Service }} - app.kubernetes.io/version: {{ .Chart.AppVersion | replace "+" "_" }} - app.kubernetes.io/component: store -{{ with .Values.store.metrics.serviceMonitor.labels }}{{ toYaml . | indent 4 }}{{ end }} -spec: - jobLabel: thanos-store - selector: - matchLabels: - app.kubernetes.io/name: {{ include "thanos.name" . }} - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/component: store - namespaceSelector: - matchNames: - - {{ .Release.Namespace }} - endpoints: - - port: http - interval: {{ .Values.store.metrics.serviceMonitor.interval | default "15s" }} - {{- with .Values.store.metrics.serviceMonitor.relabellings }} - metricRelabelings: {{ toYaml . | nindent 8 }} - {{- end }} -{{- end -}} -{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/thanos/values.yaml b/charts/kubecost/cost-analyzer/charts/thanos/values.yaml deleted file mode 100644 index c0f2c6783..000000000 --- a/charts/kubecost/cost-analyzer/charts/thanos/values.yaml +++ /dev/null 
@@ -1,800 +0,0 @@ -image: - repository: thanosio/thanos - tag: v0.32.5 - pullPolicy: IfNotPresent - -## PriorityClassName -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: "" - -store: - enabled: true - # Maximum size of items held in the index cache. - indexCacheSize: 250MB - # Maximum size of concurrently allocatable bytes for chunks. - chunkPoolSize: 2GB - # Maximum amount of samples returned via a single series call. 0 means no limit. - # NOTE: for efficiency we take 120 as the number of samples in chunk (it cannot be bigger than that), - # so the actual number of samples might be lower, even though the maximum could be hit. - grpcSeriesSampleLimit: 0 - # Maximum number of concurrent Series calls. - grpcSeriesMaxConcurrency: 20 - # Repeat interval for syncing the blocks between local and remote view. - syncBlockDuration: 3m - # Number of goroutines to use when syncing blocks from object storage. - blockSyncConcurrency: 20 - # Log filtering level. 
- logLevel: info - # Add extra environment variables to store - extraEnv: [] - # - name: ENV - # value: value - # - # Add extra arguments to the store service - extraArgs: [] - # - "--extraargs=extravalue" - # - # Data volume for the store to store temporary data defaults to emptyDir - dataVolume: - persistentVolumeClaim: - claimName: store-data-volume - storage: 100Gi - # Number of replicas running from store component - replicaCount: 1 - # Extra labels for store pod template - labels: {} - # cluster: example - # - # Extra annotations for store pod template - annotations: {} - # example.com: default - # - # Add extra labels to store deployment - deploymentLabels: {} - # extraLabel: extraLabelValue - # - # Add extra annotations to store deployment - deploymentAnnotations: {} - # extraAnnotation: extraAnnotationValue - # - # Add extra selector matchLabels to store deployment - deploymentMatchLabels: {} - # Override the default deployment strategy - deploymentStrategy: - type: Recreate - - # Enable metrics collecting for store service - metrics: - # This is the Prometheus annotation type scraping configuration - annotations: - enabled: false - # Enable ServiceMonitor https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - # Labels for prometheus-operator to find servicemonitor - labels: {} - # The grpc endpoint to communicate with other components - grpc: - # grpc listen port number - port: 10901 - # Service definition for query grpc service - service: - # Annotations to query grpc service - annotations: {} - # Labels to query grpc service - labels: {} - matchLabels: {} - # Set up ingress for the grpc service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - # The http endpoint to communicate with other components - http: - # http listen port 
number - port: 10902 - # Service definition for query http service - service: - type: ClusterIP - # Annotations to query http service - annotations: {} - # Labels to query http service - labels: {} - matchLabels: {} - # Set up ingress for the http service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - # Optional securityContext - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - - resources: {} - # limits: - # cpu: 2000m - # memory: 16Gi - # requests: - # cpu: 1000m - # memory: 4Gi - # - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # - # Node labels for store pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - # - nodeSelector: {} - # - # Pod affinity - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity - affinity: {} - serviceAccount: "" - -# Query Frontend Component -queryFrontend: - enabled: true - - # Split queries by an interval and execute in parallel, 0 disables it. - splitInterval: 24h - - # Maximum number of retries for a single request; beyond this, the downstream error is returned. - maxRetriesPerRequest: 5 - - # Limit the query time range (end - start time) in the query-frontend, 0 disables it. - maxQueryLength: 0 - - # Maximum number of queries will be scheduled in parallel by the frontend.\ - maxQueryParallelism: 14 - - # Most recent allowed cacheable result, to prevent caching very recent results that might still be in flux. - responseCacheMaxFreshness: 1m - - # Path to YAML file that contains response cache configuration. 
- # responseCacheConfigFile: - - # Response Cache Configuration - responseCache: - enabled: false - maxSize: 512MB - maxSizeItems: 0 - validity: 10m - - downstreamTripper: - enabled: false - idleConnectionTimeout: 90s - responseHeaderTimeout: 2m - tlsHandshakeTimeout: 10s - expectContinueTimeout: 1s - maxIdleConnections: 200 - maxIdleConnectionsPerHost: 100 - maxConnectionsPerHost: 0 - - # Downstream Tripper Configuration Content - # downstreamTripperConfig: - - # Response cache configuration content - # responseCacheConfig: - - # Enable partial response for queries if no partial_response param is specified. --no-query-range.partial-response for disabling. - # partialResponse: false - - # Compress HTTP responses. - compressResponses: true - - logLevel: info - # Add extra environment variables to query - extraEnv: [] - # - name: ENV - # value: value - # - # Add extra arguments to the query service - extraArgs: [] - # - "--extraargs=extravalue" - # - # Number of replicas running from query component - replicaCount: 1 - # Enable HPA for query component - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 3 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - # Enable podDisruptionBudget for query component - podDisruptionBudget: - enabled: false - # minAvailable and maxUnavailable can't be used simultaneous. Choose one. 
- minAvailable: 1 - # maxUnavailable: 50% - - serviceAccount: "" - - # The http endpoint to communicate with other components - http: - # http listen port number - port: 10902 - # Service definition for query http service - service: - type: ClusterIP - # Annotations to query http service - annotations: {} - # Labels to query http service - labels: {} - matchLabels: {} - # Set up ingress for the http service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - certSecretName: "" - # Extra labels for query pod template - labels: {} - # cluster: example - # - # Extra annotations for query pod template - annotations: {} - # example.com: default - # - # Add extra labels to query deployment - deploymentLabels: {} - # extraLabel: extraLabelValue - # - # Add extra annotations to query deployment - deploymentAnnotations: {} - # extraAnnotation: extraAnnotationValue - # - # Add extra selector matchLabels to query deployment - deploymentMatchLabels: {} - # Override the default deployment strategy - deploymentStrategy: - type: Recreate - - # Enable metrics collecting for query service - metrics: - # This is the Prometheus annotation type scraping configuration - annotations: - enabled: false - # Enable ServiceMonitor https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - # Labels for prometheus-operator to find servicemonitor - labels: {} - - # Optional securityContext - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - - resources: {} - # limits: - # cpu: 2000m - # memory: 16Gi - # requests: - # cpu: 1000m - # memory: 4Gi - # - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # 
value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # - # Node labels for compact pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - # - nodeSelector: {} - # - # Pod affinity - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity - affinity: {} - -query: - enabled: true - # Label to treat as a replica indicator along which data is deduplicated. - # Still you will be able to query without deduplication using 'dedup=false' parameter. - replicaLabel: "" - # Prefix for API and UI endpoints. This allows thanos UI to be served on a sub-path. - # This option is analogous to --web.route-prefix of Promethus. - webRoutePrefix: "" - # Static prefix for all HTML links and redirect - # URLs in the UI query web interface. Actual - # endpoints are still served on / or the - # web.route-prefix. This allows thanos UI to be - # served behind a reverse proxy that strips a URL - # sub-path. - webExternalPrefix: "" - # Name of HTTP request header used for dynamic prefixing of UI links and redirects. - # This option is ignored if web.external-prefix argument is set. Security risk: enable this - # option only if a reverse proxy in front of thanos is resetting the header. The --web.prefix-header=X-Forwarded-Prefix option - # can be useful, for example, if Thanos UI is served via Traefik reverse proxy with PathPrefixStrip option enabled, which sends the - # stripped prefix value in X-Forwarded-Prefix header. This allows thanos UI to be served on a sub-path - webPrefixHeader: "" - # Maximum time to process query by query node. - timeout: 2m - # Maximum number of queries processed concurrently by query node. - maxConcurrent: 16 - # Maximum number of select requests made concurrently per a query. - maxConcurrentSelect: 4 - # Enable automatic adjustment (step / 5) to what source of data should be used in store gateways - # if no max_source_resolution param is specified. 
- autoDownsampling: false - # https://github.com/improbable-eng/thanos/issues/1015 - storeDNSResolver: miekgdns - # Enable DNS discovery for stores - storeDNSDiscovery: true - # Enable DNS discovery for sidecars (this is for the chart built-in sidecar service) - sidecarDNSDiscovery: true - # Addresses of statically configured store API servers (repeatable). - # The scheme may be prefixed with 'dns+' or 'dnssrv+' to detect store API servers through respective DNS lookups. - stores: [] - # - "dnssrv+_grpc._tcp...svc" - # - # Path to files that contains addresses of store API servers. The path can be a glob pattern (repeatable). - serviceDiscoveryFiles: [] - # Names of configmaps that contain addresses of store API servers, used for file service discovery. - serviceDiscoveryFileConfigMaps: [] - # Refresh interval to re-read file SD files. It is used as a resync fallback. - serviceDiscoveryInterval: 5m - # Log filtering level. - logLevel: info - # Add extra environment variables to query - extraEnv: [] - # - name: ENV - # value: value - # - # Add extra arguments to the query service - extraArgs: [] - # - "--extraargs=extravalue" - # - # Number of replicas running from query component - replicaCount: 1 - # Enable HPA for query component - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 3 - targetCPUUtilizationPercentage: 50 - targetMemoryUtilizationPercentage: 50 - # Enable podDisruptionBudget for query component - podDisruptionBudget: - enabled: false - # minAvailable and maxUnavailable can't be used simultaneous. Choose one. 
- minAvailable: 1 - # maxUnavailable: 50% - - # The http endpoint to communicate with other components - http: - # http listen port number - port: 10902 - # Service definition for query http service - service: - type: ClusterIP - # Annotations to query http service - annotations: {} - # Labels to query http service - labels: {} - matchLabels: {} - # Set up ingress for the http service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - pathType: ImplementationSpecific - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - certSecretName: "" - # Extra labels for query pod template - labels: {} - # cluster: example - # - # Extra annotations for query pod template - annotations: {} - # example.com: default - # - # Add extra labels to query deployment - deploymentLabels: {} - # extraLabel: extraLabelValue - # - # Add extra annotations to query deployment - deploymentAnnotations: {} - # extraAnnotation: extraAnnotationValue - # - # Add extra selector matchLabels to query deployment - deploymentMatchLabels: {} - # Override the default deployment strategy - deploymentStrategy: - type: Recreate - - # Enable metrics collecting for query service - metrics: - # This is the Prometheus annotation type scraping configuration - annotations: - enabled: false - # Enable ServiceMonitor https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - # Labels for prometheus-operator to find servicemonitor - labels: {} - - # Optional securityContext - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - - resources: {} - # limits: - # cpu: 2000m - # memory: 16Gi - # requests: - # cpu: 1000m - # memory: 4Gi - # - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - tolerations: [] - # - key: "key" - # operator: 
"Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # - # Node labels for compact pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - # - nodeSelector: {} - # - # Pod affinity - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity - affinity: {} - - # The grpc endpoint to communicate with other components - grpc: - # grpc listen port number - port: 10901 - # Service definition for query grpc service - service: - # Annotations to query grpc service - annotations: {} - # labels to query grpc service - labels: {} - matchLabels: {} - # Set up ingress for the grpc service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - pathType: ImplementationSpecific - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - serviceAccount: "" - -compact: - enabled: true - # Minimum age of fresh (non-compacted) blocks before they are being processed. - # Malformed blocks older than the maximum of consistency-delay and 30m0s will be removed. - consistencyDelay: 30m - # How long to retain raw samples in bucket. Setting this to 0d will retain samples of this resolution forever - retentionResolutionRaw: 1825d - # How long to retain samples of resolution 1 (5 minutes) in bucket. Setting this to 0d will retain samples of this resolution forever - retentionResolution5m: 1825d - # How long to retain samples of resolution 2 (1 hour) in bucket. Setting this to 0d will retain samples of this resolution forever - retentionResolution1h: 1825d - # Number of goroutines to use when compacting groups. - compactConcurrency: 1 - # Disables Downsampling data - disableDownsampling: false - # Log filtering level. 
- logLevel: info - # Compact service listening http port - http: - port: 10902 - service: - labels: {} - # Add extra environment variables to compact - extraEnv: - # - name: ENV - # value: value - # - # Add extra arguments to the compact service - extraArgs: - # - "--extraargs=extravalue" - # - # Data volume for the compactor to store temporary data defaults to emptyDir - # dataVolume: - # persistentVolumeClaim: - # claimName: compact-data-volume - # storage: 100Gi - # Extra labels for compact pod template - labels: {} - # cluster: example - # - # Extra annotations for compact pod template - annotations: {} - # example.com: default - # - # Add extra labels to compact deployment - deploymentLabels: {} - # extraLabel: extraLabelValue - # - # Add extra annotations to compact deployment - deploymentAnnotations: {} - # extraAnnotation: extraAnnotationValue - # - # Add extra selector matchLabels to compact deployment - deploymentMatchLabels: {} - # Override the default deployment strategy - deploymentStrategy: - type: Recreate - - # Enable metrics collecting for compact service - metrics: - # This is the Prometheus annotation type scraping configuration - annotations: - enabled: false - # Enable ServiceMonitor https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - # Labels for prometheus-operator to find servicemonitor - labels: {} - serviceAccount: "" - - # Optional securityContext - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - - resources: {} - # limits: - # cpu: 2000m - # memory: 16Gi - # requests: - # cpu: 1000m - # memory: 4Gi - # - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # - # Node labels for compact pod assignment - # Ref: 
https://kubernetes.io/docs/user-guide/node-selection/ - # - nodeSelector: {} - # - # Pod affinity - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity - affinity: {} - -bucket: - enabled: true - # Number of replicas running from bucket component - replicaCount: 1 - # Log filtering level. - logLevel: info - # Refresh interval to download metadata from remote storage - refresh: 30m - # Timeout to download metadata from remote storage - timeout: 5m - # Prometheus label to use as timeline title - label: "" - # The http endpoint to communicate with other components - http: - # http listen port number - port: 8080 - # Service definition for bucket http service - service: - type: ClusterIP - # Annotations to bucket http service - annotations: {} - # Labels to bucket http service - labels: {} - matchLabels: {} - # Set up ingress for the http service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - pathType: ImplementationSpecific - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - # Add extra environment variables to bucket - extraEnv: - # - name: ENV - # value: value - # - # Add extra arguments to the bucket service - extraArgs: - # - "--extraargs=extravalue" - # - # Extra labels for bucket pod template - labels: {} - # cluster: example - # - # Extra annotations for bucket pod template - annotations: {} - # example.com: default - # - # Add extra labels to bucket deployment - deploymentLabels: {} - # extraLabel: extraLabelValue - # - # Add extra annotations to bucket deployment - deploymentAnnotations: {} - # - # Add extra selector matchLabels to bucket deployment - deploymentMatchLabels: {} - # Override the default deployment strategy - deploymentStrategy: - type: Recreate - - # Enable podDisruptionBudget for bucket component - podDisruptionBudget: - enabled: false - # minAvailable and 
maxUnavailable can't be used simultaneous. Choose one. - minAvailable: 1 - # maxUnavailable: 50% - - # Optional securityContext - securityContext: - fsGroup: 1001 - runAsNonRoot: true - runAsUser: 1001 - - resources: {} - # limits: - # cpu: 2000m - # memory: 16Gi - # requests: - # cpu: 1000m - # memory: 4Gi - # - # Node tolerations for server scheduling to nodes with taints - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # - # Node labels for bucket pod assignment - # Ref: https://kubernetes.io/docs/user-guide/node-selection/ - # - nodeSelector: {} - # - # Pod affinity - # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity - affinity: {} - serviceAccount: "" - -sidecar: - # NOTE: This is only the service references for the sidecar - enabled: true - # Enable metrics collecting for sidecar service - metrics: - # Enable ServiceMonitor https://github.com/coreos/prometheus-operator - serviceMonitor: - enabled: false - # Labels for prometheus-operator to find servicemonitor - labels: {} - # The grpc endpoint to communicate with other components - grpc: - # grpc listen port number - port: 10901 - # Service definition for sidecar grpc service - service: - # Annotations to sidecar grpc service - annotations: {} - # Labels to sidecar grpc service - labels: {} - matchLabels: {} - # Set up ingress for the grpc service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - pathType: ImplementationSpecific - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - - # The http endpoint to communicate with other components - http: - # http listen port number - port: 10902 - # Service definition for sidecar http service - service: - type: 
ClusterIP - # Annotations to sidecar http service - annotations: {} - # Labels to sidecar http service - labels: {} - matchLabels: {} - # Set up ingress for the http service - ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - labels: {} - path: "/" - pathType: ImplementationSpecific - hosts: - - "/" - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -storeSecretName: diff --git a/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml b/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml index 42e6c3593..523b9e81b 100644 --- a/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml +++ b/charts/kubecost/cost-analyzer/ci/aggregator-values.yaml @@ -2,11 +2,16 @@ kubecostAggregator: enabled: true cloudCost: enabled: true - aggregatorStorage: - storageRequest: 5Gi aggregatorDbStorage: storageRequest: 10Gi kubecostModel: federatedStorageConfigSecret: federated-store kubecostProductConfigs: cloudIntegrationSecret: cloud-integration + clusterName: CLUSTER_NAME +prometheus: + server: + global: + external_labels: + # cluster_id should be unique for all clusters and the same value as .kubecostProductConfigs.clusterName + cluster_id: CLUSTER_NAME diff --git a/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml index 1362f872f..ef4f03856 100644 --- a/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml +++ b/charts/kubecost/cost-analyzer/ci/federatedetl-primary-netcosts-values.yaml 
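Review bot: The added `clusterName: CLUSTER_NAME` under kubecostProductConfigs and `cluster_id: CLUSTER_NAME` under prometheus.server.global.external_labels are the same literal placeholder written twice, and the new comment only says the two must agree. Nothing in the hunk shows what substitutes the placeholder, so in a CI run that does not rewrite it the chart presumably renders the literal string `CLUSTER_NAME` as the cluster identity for both the product config and the Prometheus external label. Consider making that explicit in the comment, e.g. `# CLUSTER_NAME is a placeholder: set this and .kubecostProductConfigs.clusterName to the same real, cluster-unique id before deploying`. The dropped `aggregatorStorage.storageRequest: 5Gi` is not explained in the hunk; if the key was removed from the chart rather than left to a default, a one-line note next to `aggregatorDbStorage` would save the next reader a lookup.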
@@ -3,11 +3,7 @@ kubecostProductConfigs: # cloudIntegrationSecret: cloud-integration federatedETL: useExistingS3Config: false - primaryCluster: true federatedCluster: true - federator: - enabled: true - # primaryClusterID: CLUSTER_NAME # Add after initial setup. This will break the combined folder setup if included at deployment. kubecostModel: containerStatsEnabled: true cloudCost: @@ -17,7 +13,6 @@ kubecostModel: serviceAccount: # this example uses AWS IRSA, which creates a service account with rights to the s3 bucket. If using keys+secrets in the federated-store, set create: true create: true kubecostDeployment: - queryServiceReplicas: 0 # to improve performance, increase replica count. see: https://docs.kubecost.com/install-and-configure/install/etl-backup/query-service-replicas global: prometheus: enabled: true @@ -26,10 +21,6 @@ global: enabled: false proxy: false prometheus: - kubeStateMetrics: - enabled: false - kube-state-metrics: - disabled: true nodeExporter: enabled: false server: diff --git a/charts/kubecost/cost-analyzer/charts/grafana/values.yaml b/charts/kubecost/cost-analyzer/old-grafana-values.yaml similarity index 80% rename from charts/kubecost/cost-analyzer/charts/grafana/values.yaml rename to charts/kubecost/cost-analyzer/old-grafana-values.yaml index 61039ebee..7843bc9a3 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/values.yaml +++ b/charts/kubecost/cost-analyzer/old-grafana-values.yaml 
@@ -1,55 +1,3 @@ -rbac: - create: true - pspEnabled: false - pspUseAppArmor: true -serviceAccount: - create: true - name: - -replicas: 1 - -deploymentStrategy: RollingUpdate - -readinessProbe: - httpGet: - path: /api/health - port: 3000 - -livenessProbe: - httpGet: - path: /api/health - port: 3000 - initialDelaySeconds: 60 - timeoutSeconds: 30 - failureThreshold: 10 - -image: - repository: grafana/grafana - tag: 9.4.7 - pullPolicy: IfNotPresent - - ## Optionally specify an array of imagePullSecrets. - ## Secrets must be manually created in the namespace. - ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ - ## - # pullSecrets: - # - myRegistrKeySecretName - -securityContext: {} - # runAsUser: 472 - # fsGroup: 472 - -downloadDashboardsImage: - repository: curlimages/curl - tag: latest - pullPolicy: IfNotPresent - -## Pod Annotations -# podAnnotations: {} - -## Deployment annotations -# annotations: {} - ## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. ## ref: http://kubernetes.io/docs/user-guide/services/ @@ -140,19 +88,6 @@ plugins: [] # - digrich-bubblechart-panel # - grafana-clock-panel -## Configure grafana datasources -## ref: http://docs.grafana.org/administration/provisioning/#datasources -## -datasources: {} -# datasources.yaml: -# apiVersion: 1 -# datasources: -# - name: Prometheus2 -# type: prometheus -# url: http://prometheus-server.default.svc -# access: proxy -# isDefault: false - ## Configure grafana dashboard providers ## ref: http://docs.grafana.org/administration/provisioning/#dashboards ## 
@@ -195,27 +130,6 @@ dashboards: {} dashboardsConfigMaps: {} # default: "" -## Grafana's primary configuration -## NOTE: values in map will be converted to ini format -## ref: http://docs.grafana.org/installation/configuration/ -## -grafana.ini: - paths: - data: /var/lib/grafana/data - logs: /var/log/grafana - plugins: /var/lib/grafana/plugins - provisioning: /etc/grafana/provisioning - analytics: - check_for_updates: true - log: - mode: console - grafana_net: - url: https://grafana.net - auth.anonymous: - enabled: true - org_role: Editor - org_name: Main Org. - ## LDAP Authentication can be enabled with the following values on grafana.ini ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid # auth.ldap: @@ -258,7 +172,7 @@ smtp: sidecar: image: repository: kiwigrid/k8s-sidecar - tag: 1.25.2 + tag: 1.25.3 pullPolicy: IfNotPresent resources: {} dashboards: @@ -272,6 +186,23 @@ sidecar: # label that the configmaps with datasources are marked with label: grafana_datasource -## PriorityClassName -## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass -priorityClassName: "" +## Grafana's primary configuration +## NOTE: values in map will be converted to ini format +## ref: http://docs.grafana.org/installation/configuration/ +## +grafana.ini: + paths: + data: /var/lib/grafana/data + logs: /var/log/grafana + plugins: /var/lib/grafana/plugins + provisioning: /etc/grafana/provisioning + analytics: + check_for_updates: true + log: + mode: console + grafana_net: + url: https://grafana.net + auth.anonymous: + enabled: true + org_role: Editor + org_name: Main Org. diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml b/charts/kubecost/cost-analyzer/old-prometheus-values.yaml similarity index 99% rename from charts/kubecost/cost-analyzer/charts/prometheus/values.yaml rename to charts/kubecost/cost-analyzer/old-prometheus-values.yaml index 392bae709..bdd91396f 100644 
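Review bot: The relocated `grafana.ini` block at the end of this section keeps `auth.anonymous` with `enabled: true` and `org_role: Editor`, so anyone who can reach the Grafana service can change dashboards without authenticating; the move does not alter that, but a standalone values file is the natural place to default to `org_role: Viewer` (or `enabled: false`) and let operators opt in. If `old-grafana-values.yaml` is only kept for reference after the subchart was dropped, a top-of-file comment stating that it is no longer applied by the chart would keep it from being reused as-is.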
--- a/charts/kubecost/cost-analyzer/charts/prometheus/values.yaml +++ b/charts/kubecost/cost-analyzer/old-prometheus-values.yaml @@ -43,7 +43,7 @@ alertmanager: ## image: repository: quay.io/prometheus/alertmanager - tag: v0.25.0 + tag: v0.26.0 pullPolicy: IfNotPresent ## alertmanager priorityClassName @@ -321,7 +321,7 @@ configmapReload: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.69.1 + tag: v0.71.2 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -361,7 +361,7 @@ configmapReload: ## image: repository: quay.io/prometheus-operator/prometheus-config-reloader - tag: v0.69.1 + tag: v0.71.2 pullPolicy: IfNotPresent ## Additional configmap-reload container arguments @@ -387,12 +387,6 @@ configmapReload: ## resources: {} -kube-state-metrics: - ## If false, kube-state-metrics sub-chart will not be installed - ## Please see https://github.com/helm/charts/tree/master/stable/kube-state-metrics for configurable values - ## - enabled: true - nodeExporter: ## If false, node-exporter will not be installed ## @@ -543,7 +537,7 @@ server: ## image: repository: quay.io/prometheus/prometheus - tag: v2.48.1 + tag: v2.49.1 pullPolicy: IfNotPresent ## prometheus server priorityClassName @@ -1295,7 +1289,7 @@ serverFiles: regex: true - source_labels: [__meta_kubernetes_endpoints_name] action: keep - regex: (.*kube-state-metrics|.*node-exporter|kubecost-network-costs) + regex: (.*node-exporter|kubecost-network-costs) - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] action: replace target_label: __scheme__ diff --git a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json b/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json index 135efa47d..6839559e3 100644 --- a/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json +++ b/charts/kubecost/cost-analyzer/pod-utilization-multi-cluster.json 
@@ -612,24 +612,6 @@ "tags": [], "templating": { "list": [ - { - "current": { - "selected": false, - "text": "Thanos", - "value": "Thanos" - }, - "hide": 0, - "includeAll": false, - "multi": false, - "name": "datasource", - "options": [], - "query": "prometheus", - "queryValue": "", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, { "current": { "selected": false, diff --git a/charts/kubecost/cost-analyzer/templates/NOTES.txt b/charts/kubecost/cost-analyzer/templates/NOTES.txt index 75da274ec..0288f012c 100644 --- a/charts/kubecost/cost-analyzer/templates/NOTES.txt +++ b/charts/kubecost/cost-analyzer/templates/NOTES.txt 
@@ -1,33 +1,16 @@ - - -------------------------------------------------- -{{- $isEKS := (regexMatch ".*eks.*" (.Capabilities.KubeVersion | quote) )}} -{{- $isGT22 := (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion) }} -{{- $PVNotExists := (empty (lookup "v1" "PersistentVolume" "" "")) }} -{{- $EBSCSINotExists := (empty (lookup "apps/v1" "Deployment" "kube-system" "ebs-csi-controller")) }} - +{{- include "kubecostV2-preconditions" . -}} +{{- include "cloudIntegrationSourceCheck" . -}} +{{- include "eksCheck" . -}} +{{- include "cloudIntegrationSecretCheck" . -}} {{- $servicePort := .Values.service.port | default 9090 }} Kubecost {{ .Chart.Version }} has been successfully installed. -{{ if (and $isEKS $isGT22) -}} +Welcome to Kubecost 2.0! -WARNING: ON EKS v1.23+ INSTALLATION OF EBS-CSI DRIVER IS REQUIRED TO MANAGE PERSISTENT VOLUMES. LEARN MORE HERE: https://docs.kubecost.com/install-and-configure/install/provider-installations/aws-eks-cost-monitoring#prerequisites +Kubecost 2.0 is a major upgrade from previous versions and includes major new features including a brand new API Backend. Please review the following documentation to ensure a smooth transition: https://docs.kubecost.com/install-and-configure/install/kubecostv2 -{{ if (and $EBSCSINotExists $PVNotExists) -}} - -ERROR: MISSING EBS-CSI DRIVER WHICH IS REQUIRED ON EKS v1.23+ TO MANAGE PERSISTENT VOLUMES. LEARN MORE HERE: https://docs.kubecost.com/install-and-configure/install/provider-installations/aws-eks-cost-monitoring#prerequisites - -{{ else if (and $EBSCSINotExists (not $PVNotExists)) -}} - -ERROR: MISSING EBS-CSI DRIVER WHICH IS REQUIRED ON EKS v1.23+ TO MANAGE PERSISTENT VOLUMES. LEARN MORE HERE: https://docs.kubecost.com/install-and-configure/install/provider-installations/aws-eks-cost-monitoring#prerequisites - -{{ end -}} -{{ end -}} - - -Please allow 5-10 minutes for Kubecost to gather metrics. 
- -When configured, cost reconciliation with cloud provider billing data will have a 48 hour delay. +For the full list of enhancements, please see our release notes: https://github.com/kubecost/cost-analyzer-helm-chart/releases/tag/v2.0.0 When pods are Ready, you can enable port-forwarding with the following command: @@ -35,4 +18,6 @@ When pods are Ready, you can enable port-forwarding with the following command: Then, navigate to http://localhost:{{ $servicePort }} in a web browser. +Please allow 25 minutes for Kubecost to gather metrics. A progress indicator will appear at the top of the UI. + Having installation issues? View our Troubleshooting Guide at http://docs.kubecost.com/troubleshoot-install diff --git a/charts/kubecost/cost-analyzer/templates/_helpers.tpl b/charts/kubecost/cost-analyzer/templates/_helpers.tpl index bf5da954d..9ab1459b9 100644 --- a/charts/kubecost/cost-analyzer/templates/_helpers.tpl +++ b/charts/kubecost/cost-analyzer/templates/_helpers.tpl 
@@ -1,16 +1,166 @@ {{/* vim: set filetype=mustache: */}} + +{{/* +Set important variables before starting main templates +*/}} +{{- define "aggregator.deployMethod" -}} + {{- if (.Values.federatedETL).primaryCluster }} + {{- printf "statefulset" }} + {{- else if (not .Values.kubecostAggregator) }} + {{- printf "singlepod" }} + {{- else if .Values.kubecostAggregator.enabled }} + {{- printf "statefulset" }} + {{- else if eq .Values.kubecostAggregator.deployMethod "singlepod" }} + {{- printf "singlepod" }} + {{- else if eq .Values.kubecostAggregator.deployMethod "statefulset" }} + {{- printf "statefulset" }} + {{- else if eq .Values.kubecostAggregator.deployMethod "disabled" }} + {{- printf "disabled" }} + {{- else }} + {{- fail "Unknown kubecostAggregator.deployMethod value" }} + {{- end }} +{{- end }} + +{{/* +Kubecost 2.0 preconditions +*/}} +{{- define "kubecostV2-preconditions" -}} + {{/* Iterate through all StatefulSets in the namespace and check if any of them have a label indicating they are from + a pre-2.0 Helm Chart (e.g. "helm.sh/chart: cost-analyzer-1.108.1"). 
If so, return an error message with details and + documentation for how to properly upgrade to Kubecost 2.0 */}} + {{- $sts := (lookup "apps/v1" "StatefulSet" .Release.Namespace "") -}} + {{- if not (empty $sts.items) -}} + {{- range $index, $sts := $sts.items -}} + {{- if contains "aggregator" $sts.metadata.name -}} + {{- if $sts.metadata.labels -}} + {{- $stsLabels := $sts.metadata.labels -}} {{/* helm.sh/chart: cost-analyzer-1.108.1 */}} + {{- if hasKey $stsLabels "helm.sh/chart" -}} + {{- $chartLabel := index $stsLabels "helm.sh/chart" -}} {{/* cost-analyzer-1.108.1 */}} + {{- $chartNameAndVersion := split "-" $chartLabel -}} {{/* _0:cost _1:analyzer _2:1.108.1 */}} + {{- if gt (len $chartNameAndVersion) 2 -}} + {{- $chartVersion := $chartNameAndVersion._2 -}} {{/* 1.108.1 */}} + {{- if semverCompare ">=1.0.0-0 <2.0.0-0" $chartVersion -}} + {{- fail "\n\nAn existing Aggregator StatefulSet was found in your namespace.\nBefore upgrading to Kubecost 2.x, please `kubectl delete` this Statefulset.\nRefer to the following documentation for more information: https://docs.kubecost.com/install-and-configure/install/kubecostv2" -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{/*https://github.com/helm/helm/issues/8026#issuecomment-881216078*/}} + {{- if ((.Values.thanos).store).enabled -}} + {{- fail "\n\nYou are attempting to upgrade to Kubecost 2.0.\nKubecost no longer includes Thanos by default. 
\nPlease see https://docs.kubecost.com/install-and-configure/install/kubecostv2 for more information.\nIf you have any questions or concerns, please reach out to us at product@kubecost.com" -}} + {{- end -}} + + {{- if or (((.Values.global).amp).enabled) (((.Values.global).gmp).enabled) (((.Values.global).thanos).queryService) (((.Values.global).mimirProxy).enabled) -}} + {{- if or (not (.Values.federatedETL).federatedCluster) (not (.Values.upgrade).toV2) -}} + {{- fail "\n\nMulti-Cluster-Prometheus Error:\nYou are attempting to upgrade to Kubecost 2.x\nSupport for multi-cluster Prometheus (Thanos/AMP/GMP/mimir/etc) without using `Kubecost Federated ETL Object Storage` will be added in future release. \nIf this is a single cluster Kubecost environment, upgrading is supported using a flag to acknowledge this change.\nMore information can be found here: \nhttps://docs.kubecost.com/install-and-configure/install/kubecostv2\nIf you have any questions or concerns, please reach out to us at product@kubecost.com\n\nWhen ready to upgrade, add `--set upgrade.toV2=true`." -}} + {{- end -}} + {{- end -}} + + {{- if or ((.Values.saml).rbac).enabled ((.Values.oidc).rbac).enabled -}} + {{- if (not (.Values.upgrade).toV2) -}} + {{- fail "\n\nSSO with RBAC is enabled.\nNote that Kubecost 2.x has significant architectural changes that may impact RBAC.\nThis should be tested before giving end-users access to the UI.\nKubecost has tested various configurations and believe that 2.x will be 100% compatible with existing configurations.\nRefer to the following documentation for more information: https://docs.kubecost.com/install-and-configure/install/kubecostv2\n\nWhen ready to upgrade, add `--set upgrade.toV2=true`." -}} + {{- end -}} + {{- end -}} + + {{- if not .Values.kubecostModel.etlFileStoreEnabled -}} + {{- fail "\n\nKubecost 2.0 does not support running fully in-memory. Some file system must be available to store cost data." 
-}} + {{- end -}} + + + {{- if (.Values.agent) -}} + {{- fail "\n\nKubecost 2.0 Does not support Thanos based agents. For Thanos, please continue to use 1.108.x.\nConsider moving to Kubecost Federated ETL based agents.\nRefer to the following documentation for more information: https://docs.kubecost.com/install-and-configure/install/kubecostv2\nSupport for Thanos agents is under consideration.\nIf you have any questions or concerns, please reach out to us at product@kubecost.com" -}} + {{- end -}} + {{- if .Values.kubecostModel.openSourceOnly -}} + {{- fail "In Kubecost 2.0, kubecostModel.openSourceOnly is not supported" -}} + {{- end -}} + + {{/* Aggregator config reconciliation and common config */}} + {{- if eq (include "aggregator.deployMethod" .) "statefulset" -}} + {{- if .Values.kubecostAggregator -}} + {{- if (not .Values.kubecostAggregator.aggregatorDbStorage) -}} + {{- fail "In Enterprise configuration, Aggregator DB storage is required" -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if (.Values.podSecurityPolicy).enabled }} + {{- fail "Kubecost no longer includes PodSecurityPolicy by default. Please take steps to preserve your existing PSPs before attempting the installation/upgrade again with the podSecurityPolicy values removed." 
}} + {{- end }} + +{{- end -}} + +{{- define "cloudIntegrationFromProductConfigs" }} + { + "aws": [ + { + "athenaBucketName": "{{ .Values.kubecostProductConfigs.athenaBucketName }}", + "athenaRegion": "{{ .Values.kubecostProductConfigs.athenaRegion }}", + "athenaDatabase": "{{ .Values.kubecostProductConfigs.athenaDatabase }}", + "athenaTable": "{{ .Values.kubecostProductConfigs.athenaTable }}", + "projectID": "{{ .Values.kubecostProductConfigs.athenaProjectID }}" + {{- if and ((.Values.kubecostProductConfigs).awsServiceKeyName) ((.Values.kubecostProductConfigs).awsServiceKeyPassword) }}, + "serviceKeyName": "{{ .Values.kubecostProductConfigs.awsServiceKeyName }}", + "serviceKeySecret": "{{ .Values.kubecostProductConfigs.awsServiceKeyPassword }}" + {{- end }} + } + ] + } +{{- end }} + +{{/* +Cloud integration source contents check. Either the Secret must be specified or the JSON, not both. +Additionally, for upgrade protection, certain individual values populated under the kubecostProductConfigs map, if found, +will result in failure. Users are asked to select one of the two presently-available sources for cloud integration information. +*/}} +{{- define "cloudIntegrationSourceCheck" -}} + {{- if and (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON -}} + {{- fail "\ncloudIntegrationSecret and cloudIntegrationJSON are mutually exclusive. Please specify only one." -}} + {{- end -}} +{{- if and (.Values.kubecostProductConfigs).cloudIntegrationSecret ((.Values.kubecostProductConfigs).athenaProjectID) }} + {{- fail "\nUsing a cloud-integration secret and kubecostProductConfigs.athena* values are mutually exclusive. Please specifiy only one." 
-}} + {{- end -}} +{{- end -}} + + +{{/* +Print a warning if PV is enabled AND EKS is detected AND the EBS-CSI driver is not installed +*/}} +{{- define "eksCheck" }} +{{- $isEKS := (regexMatch ".*eks.*" (.Capabilities.KubeVersion | quote) )}} +{{- $isGT22 := (semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion) }} +{{- $PVNotExists := (empty (lookup "v1" "PersistentVolume" "" "")) }} +{{- $EBSCSINotExists := (empty (lookup "apps/v1" "Deployment" "kube-system" "ebs-csi-controller")) }} +{{- if (and $isEKS $isGT22 .Values.persistentVolume.enabled $EBSCSINotExists) -}} + +ERROR: MISSING EBS-CSI DRIVER WHICH IS REQUIRED ON EKS v1.23+ TO MANAGE PERSISTENT VOLUMES. LEARN MORE HERE: https://docs.kubecost.com/install-and-configure/install/provider-installations/aws-eks-cost-monitoring#prerequisites + +{{- end -}} +{{- end -}} + +{{/* +Verify the cloud integration secret exists with the expected key when cloud integration is enabled. +*/}} +{{- define "cloudIntegrationSecretCheck" -}} +{{- if (.Values.kubecostProductConfigs).cloudIntegrationSecret }} +{{- if .Capabilities.APIVersions.Has "v1/Secret" }} + {{- $secret := lookup "v1" "Secret" .Release.Namespace .Values.kubecostProductConfigs.cloudIntegrationSecret }} + {{- if or (not $secret) (not (index $secret.data "cloud-integration.json")) }} + {{- fail (printf "The cloud integration secret '%s' does not exist or does not contain the expected key 'cloud-integration.json'" .Values.kubecostProductConfigs.cloudIntegrationSecret) }} + {{- end }} +{{- end -}} +{{- end -}} +{{- end -}} + {{/* Expand the name of the chart. 
*/}} {{- define "cost-analyzer.name" -}} {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "query-service.name" -}} -{{- default "query-service" | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- define "federator.name" -}} -{{- default "federator" | trunc 63 | trimSuffix "-" -}} -{{- end -}} {{- define "aggregator.name" -}} {{- default "aggregator" | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -20,6 +170,9 @@ Expand the name of the chart. {{- define "etlUtils.name" -}} {{- default "etl-utils" | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "forecasting.name" -}} +{{- default "forecasting" | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* Create a default fully qualified app name. @@ -39,14 +192,6 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{- define "query-service.fullname" -}} -{{- if .Values.queryServiceFullnameOverride -}} -{{- .Values.queryServiceFullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name "query-service" | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} - {{- define "diagnostics.fullname" -}} {{- if .Values.diagnosticsFullnameOverride -}} {{- .Values.diagnosticsFullnameOverride | trunc 63 | trimSuffix "-" -}} @@ -55,10 +200,6 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{- define "federator.fullname" -}} -{{- printf "%s-%s" .Release.Name "federator" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "aggregator.fullname" -}} {{- printf "%s-%s" .Release.Name "aggregator" | trunc 63 | trimSuffix "-" -}} {{- end -}} 
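Review bot: `cloudIntegrationFromProductConfigs` interpolates each `kubecostProductConfigs.athena*` value and `awsServiceKeyPassword` straight into a JSON string literal, so a value containing a double quote or backslash produces invalid JSON at render time instead of a clear error; emitting each field as `"athenaBucketName": {{ .Values.kubecostProductConfigs.athenaBucketName | toJson }},` (and likewise for the other six fields) keeps the output well-formed for any input. Because `awsServiceKeyPassword` is read from values, the credential also lands in the rendered manifest and in the release record Helm stores, which is worth a comment in this helper pointing users to `cloudIntegrationSecret` as the preferred source. In `eksCheck`, `$PVNotExists` is still computed with a `lookup` but is no longer part of the condition, so that API call can be dropped. In `aggregator.deployMethod`, the `eq .Values.kubecostAggregator.deployMethod "singlepod"` comparison presumably raises a template comparison error rather than reaching the final `fail` when `deployMethod` is unset, so applying `default` or `required` to that value before the chain would give the intended message.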
@@ -70,6 +211,9 @@ If release name contains chart name it will be used as a full name. {{- define "etlUtils.fullname" -}} {{- printf "%s-%s" .Release.Name (include "etlUtils.name" .) | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "forecasting.fullname" -}} +{{- printf "%s-%s" .Release.Name (include "forecasting.name" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} {{/* Create the fully qualified name for Prometheus server service. @@ -113,10 +257,6 @@ Create the fully qualified name for Prometheus alertmanager service. {{- printf "%s-%s" .Release.Name "cost-analyzer" | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "query-service.serviceName" -}} -{{- printf "%s-%s" .Release.Name "query-service-load-balancer" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - {{- define "diagnostics.serviceName" -}} {{- printf "%s-%s" .Release.Name "diagnostics" | trunc 63 | trimSuffix "-" -}} {{- end -}} @@ -129,6 +269,9 @@ Create the fully qualified name for Prometheus alertmanager service. {{- define "etlUtils.serviceName" -}} {{ include "etlUtils.fullname" . }} {{- end -}} +{{- define "forecasting.serviceName" -}} +{{ include "forecasting.fullname" . }} +{{- end -}} {{/* Create the name of the service account @@ -140,13 +283,6 @@ Create the name of the service account {{ default "default" .Values.serviceAccount.name }} {{- end -}} {{- end -}} -{{- define "query-service.serviceAccountName" -}} -{{- if .Values.kubecostDeployment.queryService.serviceAccount.create -}} - {{ default (include "query-service.fullname" .) .Values.kubecostDeployment.queryService.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.kubecostDeployment.queryService.serviceAccount.name }} -{{- end -}} -{{- end -}} {{- define "aggregator.serviceAccountName" -}} {{- if .Values.kubecostAggregator.serviceAccountName -}} {{ .Values.kubecostAggregator.serviceAccountName }} 
@@ -202,18 +338,6 @@ helm.sh/chart: {{ include "cost-analyzer.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end -}} -{{- define "kubecost.queryService.chartLabels" -}} -app.kubernetes.io/name: {{ include "query-service.name" . }} -helm.sh/chart: {{ include "cost-analyzer.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} -{{- define "kubecost.federator.chartLabels" -}} -app.kubernetes.io/name: {{ include "federator.name" . }} -helm.sh/chart: {{ include "cost-analyzer.chart" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} {{- define "kubecost.aggregator.chartLabels" -}} app.kubernetes.io/name: {{ include "aggregator.name" . }} helm.sh/chart: {{ include "cost-analyzer.chart" . }} 
@@ -232,30 +356,30 @@ app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app: cost-analyzer {{- end -}} -{{- define "query-service.commonLabels" -}} -{{ include "kubecost.queryService.chartLabels" . }} -app: query-service -{{- end -}} -{{- define "federator.commonLabels" -}} -{{ include "kubecost.federator.chartLabels" . }} -app: federator -{{- end -}} + {{- define "aggregator.commonLabels" -}} {{ include "cost-analyzer.chartLabels" . }} app: aggregator {{- end -}} + {{- define "diagnostics.commonLabels" -}} {{ include "cost-analyzer.chartLabels" . }} app: diagnostics {{- end -}} + {{- define "cloudCost.commonLabels" -}} {{ include "cost-analyzer.chartLabels" . }} {{ include "cloudCost.selectorLabels" . }} {{- end -}} + {{- define "etlUtils.commonLabels" -}} {{ include "cost-analyzer.chartLabels" . }} {{ include "etlUtils.selectorLabels" . }} {{- end -}} +{{- define "forecasting.commonLabels" -}} +{{ include "cost-analyzer.chartLabels" . }} +{{ include "forecasting.selectorLabels" . }} +{{- end -}} {{/* Create the networkcosts common labels. Note that because this is a daemonset, we don't want app.kubernetes.io/instance: to take the release name, which allows the scrape config to be static. 
@@ -287,25 +411,33 @@ app.kubernetes.io/name: {{ include "cost-analyzer.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app: cost-analyzer {{- end -}} -{{- define "query-service.selectorLabels" -}} -app.kubernetes.io/name: {{ include "query-service.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app: query-service -{{- end -}} -{{- define "federator.selectorLabels" -}} -app.kubernetes.io/name: {{ include "federator.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -app: federator -{{- end -}} + {{- define "aggregator.selectorLabels" -}} +{{- if eq (include "aggregator.deployMethod" .) "statefulset" }} app.kubernetes.io/name: {{ include "aggregator.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app: aggregator -{{- end -}} +{{- else if eq (include "aggregator.deployMethod" .) "singlepod" }} +{{- include "cost-analyzer.selectorLabels" . }} +{{- else }} +{{ fail "Failed to set aggregator.selectorLabels" }} +{{- end }} +{{- end }} + {{- define "cloudCost.selectorLabels" -}} +{{- if eq (include "aggregator.deployMethod" .) "statefulset" }} app.kubernetes.io/name: {{ include "cloudCost.name" . }} app.kubernetes.io/instance: {{ .Release.Name }} app: {{ include "cloudCost.name" . }} +{{- else }} +{{- include "cost-analyzer.selectorLabels" . }} +{{- end }} +{{- end }} + +{{- define "forecasting.selectorLabels" -}} +app.kubernetes.io/name: {{ include "forecasting.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app: {{ include "forecasting.name" . }} {{- end -}} {{- define "etlUtils.selectorLabels" -}} app.kubernetes.io/name: {{ include "etlUtils.name" . }} 
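Review bot: In `aggregator.selectorLabels` the last branch `{{ fail "Failed to set aggregator.selectorLabels" }}` is reached whenever `aggregator.deployMethod` resolves to `disabled`, which is a value that helper can legitimately return, so the message reports an internal failure for what is really a configuration state; `{{- fail "aggregator.selectorLabels cannot be rendered when kubecostAggregator.deployMethod is disabled" }}` would tell the operator what to change. `cloudCost.selectorLabels` in the same hunk takes the opposite approach and silently falls back to `cost-analyzer.selectorLabels` for both `singlepod` and `disabled`; if that fallback is intended for the disabled case too, a one-line comment above the `else` saying so would make the asymmetry deliberate rather than accidental.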
@@ -313,50 +445,6 @@ app.kubernetes.io/instance: {{ .Release.Name }} app: {{ include "etlUtils.name" . }} {{- end -}} -{{/* -Return the appropriate apiVersion for daemonset. -*/}} -{{- define "cost-analyzer.daemonset.apiVersion" -}} -{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.9-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "apps/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for priorityClass. -*/}} -{{- define "cost-analyzer.priorityClass.apiVersion" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "scheduling.k8s.io/v1beta1" -}} -{{- else if semverCompare "^1.14-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "scheduling.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for networkpolicy. -*/}} -{{- define "cost-analyzer.networkPolicy.apiVersion" -}} -{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "networking.k8s.io/v1" -}} -{{- end -}} -{{- end -}} - -{{/* -Return the appropriate apiVersion for podsecuritypolicy. -*/}} -{{- define "cost-analyzer.podSecurityPolicy.apiVersion" -}} -{{- if semverCompare ">=1.3-0, <1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "extensions/v1beta1" -}} -{{- else if semverCompare "^1.10-0" .Capabilities.KubeVersion.GitVersion -}} -{{- print "policy/v1beta1" -}} -{{- end -}} -{{- end -}} - {{/* Recursive filter which accepts a map containing an input map (.v) and an output map (.r). The template will traverse all values inside .v recursively writing non-map values to the output .r. If a nested map 
@@ -398,31 +486,626 @@ The implied use case is {{ template "cost-analyzer.filterEnabled" .Values }} {{- end -}} {{/* -This template runs the full check for leader/follower requirements in order to determine -whether it should be configured. This template will return true if it's enabled and all -requirements are met. +============================================================== +Begin Prometheus templates +============================================================== */}} -{{- define "cost-analyzer.leaderFollowerEnabled" }} - {{- if .Values.kubecostDeployment }} - {{- if .Values.kubecostDeployment.leaderFollower }} - {{- if .Values.kubecostDeployment.leaderFollower.enabled }} - {{- $replicas := .Values.kubecostDeployment.replicas | default 1 }} - {{- if not .Values.kubecostModel.etlFileStoreEnabled }} - {{- "" }} - {{- else if (eq (quote .Values.kubecostModel.etlBucketConfigSecret) "") }} - {{- "" }} - {{- else if not (gt (int $replicas) 1) }} - {{- ""}} - {{- else }} - {{- "true" }} - {{- end }} - {{- else }} - {{- "" }} - {{- end }} - {{- else }} - {{- "" }} - {{- end }} - {{- else }} - {{- "" }} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- "prometheus" -}} +{{- end -}} + +{{/* +Define common selector labels for all Prometheus components +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ template "prometheus.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{/* +Define common top-level labels for all Prometheus components +*/}} +{{- define "prometheus.common.metaLabels" -}} +heritage: {{ .Release.Service }} +{{- end -}} + +{{/* +Define top-level labels for Alert Manager +*/}} +{{- define "prometheus.alertmanager.labels" -}} +{{ include "prometheus.alertmanager.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . 
}} +{{- end -}} + +{{/* +Define selector labels for Alert Manager +*/}} +{{- define "prometheus.alertmanager.matchLabels" -}} +component: {{ .Values.prometheus.alertmanager.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Define top-level labels for Node Exporter +*/}} +{{- define "prometheus.nodeExporter.labels" -}} +{{ include "prometheus.nodeExporter.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{/* +Define selector labels for Node Exporter +*/}} +{{- define "prometheus.nodeExporter.matchLabels" -}} +component: {{ .Values.prometheus.nodeExporter.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Define top-level labels for Push Gateway +*/}} +{{- define "prometheus.pushgateway.labels" -}} +{{ include "prometheus.pushgateway.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{/* +Define selector labels for Push Gateway +*/}} +{{- define "prometheus.pushgateway.matchLabels" -}} +component: {{ .Values.prometheus.pushgateway.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Define top-level labels for Server +*/}} +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{/* +Define selector labels for Server +*/}} +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.prometheus.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.prometheus.fullnameOverride -}} +{{- .Values.prometheus.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "prometheus" .Values.prometheus.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified alertmanager name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "prometheus.alertmanager.fullname" -}} +{{- if .Values.prometheus.alertmanager.fullnameOverride -}} +{{- .Values.prometheus.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "prometheus" .Values.prometheus.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.prometheus.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.prometheus.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{/* +Create a fully qualified node-exporter name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "prometheus.nodeExporter.fullname" -}} +{{- if .Values.prometheus.nodeExporter.fullnameOverride -}} +{{- .Values.prometheus.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "prometheus" .Values.prometheus.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.prometheus.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.prometheus.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.server.fullname" -}} +{{- if .Values.prometheus.server.fullnameOverride -}} +{{- .Values.prometheus.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "prometheus" .Values.prometheus.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.prometheus.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.prometheus.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified pushgateway name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "prometheus.pushgateway.fullname" -}} +{{- if .Values.prometheus.pushgateway.fullnameOverride -}} +{{- .Values.prometheus.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "prometheus" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.prometheus.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.prometheus.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the alertmanager component +*/}} +{{- define "prometheus.serviceAccountName.alertmanager" -}} +{{- if .Values.prometheus.serviceAccounts.alertmanager.create -}} + {{ default (include "prometheus.alertmanager.fullname" .) .Values.prometheus.serviceAccounts.alertmanager.name }} +{{- else -}} + {{ default "default" .Values.prometheus.serviceAccounts.alertmanager.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the nodeExporter component +*/}} +{{- define "prometheus.serviceAccountName.nodeExporter" -}} +{{- if .Values.prometheus.serviceAccounts.nodeExporter.create -}} + {{ default (include "prometheus.nodeExporter.fullname" .) .Values.prometheus.serviceAccounts.nodeExporter.name }} +{{- else -}} + {{ default "default" .Values.prometheus.serviceAccounts.nodeExporter.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the pushgateway component +*/}} +{{- define "prometheus.serviceAccountName.pushgateway" -}} +{{- if .Values.prometheus.serviceAccounts.pushgateway.create -}} + {{ default (include "prometheus.pushgateway.fullname" .) 
.Values.prometheus.serviceAccounts.pushgateway.name }} +{{- else -}} + {{ default "default" .Values.prometheus.serviceAccounts.pushgateway.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the server component +*/}} +{{- define "prometheus.serviceAccountName.server" -}} +{{- if .Values.prometheus.serviceAccounts.server.create -}} + {{ default (include "prometheus.server.fullname" .) .Values.prometheus.serviceAccounts.server.name }} +{{- else -}} + {{ default "default" .Values.prometheus.serviceAccounts.server.name }} +{{- end -}} +{{- end -}} + +{{/* +============================================================== +Begin Grafana templates +============================================================== +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "grafana.name" -}} +{{- "grafana" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "grafana.fullname" -}} +{{- if .Values.grafana.fullnameOverride -}} +{{- .Values.grafana.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "grafana" .Values.grafana.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "grafana.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "grafana.fullname" .) 
.Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +============================================================== +Begin Kubecost 2.0 templates +============================================================== +*/}} + +{{- define "aggregator.containerTemplate" }} +- name: aggregator +{{- if .Values.kubecostAggregator.containerSecurityContext }} + securityContext: + {{- toYaml .Values.kubecostAggregator.containerSecurityContext | nindent 4 }} +{{- else if .Values.global.containerSecurityContext }} + securityContext: + {{- toYaml .Values.global.containerSecurityContext | nindent 4 }} +{{- end }} + {{- if .Values.kubecostModel }} + {{- if .Values.kubecostAggregator.fullImageName }} + image: {{ .Values.kubecostAggregator.fullImageName }} + {{- else if .Values.imageVersion }} + image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + image: gcr.io/kubecost1/cost-model-nightly:latest + {{- else }} + image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} + {{- end }} + {{- else }} + image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} + {{- end }} + {{- if .Values.kubecostAggregator.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: 9004 + initialDelaySeconds: {{ .Values.kubecostAggregator.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.kubecostAggregator.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.kubecostAggregator.readinessProbe.failureThreshold }} + {{- end }} + imagePullPolicy: Always + args: ["waterfowl"] + ports: + - name: tcp-api + containerPort: 9004 + protocol: TCP + {{- with.Values.kubecostAggregator.extraPorts }} + {{- toYaml . 
| nindent 4 }} + {{- end }} + resources: + {{- toYaml .Values.kubecostAggregator.resources | nindent 4 }} + volumeMounts: + - name: persistent-configs + mountPath: /var/configs + {{- if .Values.kubecostModel.federatedStorageConfigSecret }} + - name: federated-storage-config + mountPath: /var/configs/etl + readOnly: true + {{- else if eq (include "aggregator.deployMethod" .) "statefulset" }} + {{- fail "When in StatefulSet mode, Aggregator requires that kubecostModel.federatedStorageConfigSecret be set." }} + {{- end }} + {{- if and .Values.persistentVolume.dbPVEnabled (eq (include "aggregator.deployMethod" .) "singlepod") }} + - name: persistent-db + mountPath: /var/db + # aggregator should only need read access to ETL data + readOnly: true + {{- end }} + {{- if eq (include "aggregator.deployMethod" .) "statefulset" }} + - name: aggregator-db-storage + mountPath: /var/configs/waterfowl/duckdb + - name: aggregator-staging + # Aggregator uses /var/configs/waterfowl as a "staging" directory for + # things like intermediate-state files pre-ingestion. In order to avoid a + # permission problem similar to + # https://github.com/kubernetes/kubernetes/issues/81676, we create an + # emptyDir at this path. + # + # This hasn't been observed as a problem in cost-analyzer, likely because + # of the init container that gives everything under /var/configs 777. 
+ mountPath: /var/configs/waterfowl + {{- end }} + {{- if .Values.saml }} + {{- if .Values.saml.enabled }} + {{- if .Values.saml.secretName }} + - name: secret-volume + mountPath: /var/configs/secret-volume + {{- end }} + {{- if .Values.saml.encryptionCertSecret }} + - name: saml-encryption-cert + mountPath: /var/configs/saml-encryption-cert + {{- end }} + {{- if .Values.saml.decryptionKeySecret }} + - name: saml-decryption-key + mountPath: /var/configs/saml-decryption-key + {{- end }} + {{- if .Values.saml.metadataSecretName }} + - name: metadata-secret-volume + mountPath: /var/configs/metadata-secret-volume + {{- end }} + - name: saml-auth-secret + mountPath: /var/configs/saml-auth-secret + {{- if .Values.saml.rbac.enabled }} + - name: saml-roles + mountPath: /var/configs/saml + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.oidc }} + {{- if .Values.oidc.enabled }} + - name: oidc-config + mountPath: /var/configs/oidc + {{- if .Values.oidc.secretName }} + - name: oidc-client-secret + mountPath: /var/configs/oidc-client-secret + {{- end }} + {{- end }} + {{- end }} + env: + {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} + - name: CLUSTER_ID + value: {{ .Values.prometheus.server.global.external_labels.cluster_id }} + {{- end }} + {{- if .Values.prometheus.server.clusterIDConfigmap }} + - name: CLUSTER_ID + valueFrom: + configMapKeyRef: + name: {{ .Values.prometheus.server.clusterIDConfigmap }} + key: CLUSTER_ID + {{- end }} + {{- if .Values.kubecostAggregator.jaeger.enabled }} + - name: TRACING_URL + value: "http://localhost:14268/api/traces" + {{- end }} + - name: CONFIG_PATH + value: /var/configs/ + {{- if and .Values.persistentVolume.dbPVEnabled (eq (include "aggregator.deployMethod" .) 
"singlepod") }} + - name: ETL_PATH_PREFIX + value: "/var/db" + {{- end }} + - name: ETL_ENABLED + value: "false" # this container should never run KC's concept of "ETL" + - name: CLOUD_PROVIDER_API_KEY + value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API.' + {{- if .Values.systemProxy.enabled }} + - name: HTTP_PROXY + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: http_proxy + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: HTTPS_PROXY + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: https_proxy + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: NO_PROXY + value: {{ .Values.systemProxy.noProxy }} + - name: no_proxy + value: {{ .Values.systemProxy.noProxy }} + {{- end }} + {{- if .Values.kubecostAggregator.extraEnv -}} + {{- toYaml .Values.kubecostAggregator.extraEnv | nindent 4 }} + {{- end }} + {{- if eq (include "aggregator.deployMethod" .) "statefulset" }} + # If this isn't set, we pretty much have to be in a read only state, + # initialization will probably fail otherwise. 
+ - name: ETL_BUCKET_CONFIG + {{- if not .Values.kubecostModel.federatedStorageConfigSecret }} + value: /var/configs/etl/object-store.yaml + {{- else }} + value: /var/configs/etl/federated-store.yaml + - name: FEDERATED_STORE_CONFIG + value: /var/configs/etl/federated-store.yaml + - name: FEDERATED_PRIMARY_CLUSTER # this ensures the ingester runs assuming federated primary paths in the bucket + value: "true" + - name: FEDERATED_CLUSTER # this ensures the ingester runs assuming federated primary paths in the bucket + value: "true" + {{- end }} + {{- end }} + + {{- range $key, $value := .Values.kubecostAggregator.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + - name: KUBECOST_NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.oidc.enabled }} + - name: OIDC_ENABLED + value: "true" + - name: OIDC_SKIP_ONLINE_VALIDATION + value: {{ (quote .Values.oidc.skipOnlineTokenValidation) | default (quote false) }} + {{- end}} + {{- if .Values.kubecostAggregator }} + {{- if .Values.kubecostAggregator.collections }} + {{- if (((.Values.kubecostAggregator).collections).cache) }} + - name: COLLECTIONS_MEMORY_CACHE_ENABLED + value: {{ (quote .Values.kubecostAggregator.collections.cache.enabled) | default (quote true) }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.saml }} + {{- if .Values.saml.enabled }} + - name: SAML_ENABLED + value: "true" + - name: IDP_URL + value: {{ .Values.saml.idpMetadataURL }} + - name: SP_HOST + value: {{ .Values.saml.appRootURL }} + {{- if .Values.saml.audienceURI }} + - name: AUDIENCE_URI + value: {{ .Values.saml.audienceURI }} + {{- end }} + {{- if .Values.saml.isGLUUProvider }} + - name: GLUU_SAML_PROVIDER + value: {{ (quote .Values.saml.isGLUUProvider) }} + {{- end }} + {{- if .Values.saml.nameIDFormat }} + - name: NAME_ID_FORMAT + value: {{ .Values.saml.nameIDFormat }} + {{- end}} + {{- if .Values.saml.authTimeout }} + - name: AUTH_TOKEN_TIMEOUT + value: {{ (quote .Values.saml.authTimeout) }} + {{- 
end}} + {{- if .Values.saml.redirectURL }} + - name: LOGOUT_REDIRECT_URL + value: {{ .Values.saml.redirectURL }} + {{- end}} + {{- if .Values.saml.rbac.enabled }} + - name: SAML_RBAC_ENABLED + value: "true" + {{- end }} + {{- if and .Values.saml.encryptionCertSecret .Values.saml.decryptionKeySecret }} + - name: SAML_RESPONSE_ENCRYPTED + value: "true" + {{- end}} + {{- end }} {{- end }} {{- end }} + + +{{- define "aggregator.jaeger.sidecarContainerTemplate" }} +- name: embedded-jaeger + securityContext: + {{- toYaml .Values.kubecostAggregator.jaeger.containerSecurityContext | nindent 4 }} + image: {{ .Values.kubecostAggregator.jaeger.image }}:{{ .Values.kubecostAggregator.jaeger.imageVersion }} +{{- end }} + + +{{- define "aggregator.cloudCost.containerTemplate" }} +- name: cloud-cost + {{- if .Values.kubecostModel }} + {{- if .Values.kubecostAggregator.fullImageName }} + image: {{ .Values.kubecostAggregator.fullImageName }} + {{- else if .Values.kubecostModel.fullImageName }} + image: {{ .Values.kubecostModel.fullImageName }} + {{- else if .Values.imageVersion }} + image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + image: gcr.io/kubecost1/cost-model-nightly:latest + {{- else }} + image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} + {{ end }} + {{- else }} + image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} + {{ end }} + {{- if .Values.kubecostAggregator.cloudCost.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: 9005 + initialDelaySeconds: {{ .Values.kubecostAggregator.cloudCost.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.kubecostAggregator.cloudCost.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.kubecostAggregator.cloudCost.readinessProbe.failureThreshold }} + {{- end }} + imagePullPolicy: Always + args: ["cloud-cost"] + ports: + - name: tcp-api + containerPort: 9005 + protocol: TCP + 
resources: + {{- toYaml .Values.kubecostAggregator.cloudCost.resources | nindent 4 }} + volumeMounts: + - name: persistent-configs + mountPath: /var/configs + {{- if .Values.kubecostModel.federatedStorageConfigSecret }} + - name: federated-storage-config + mountPath: /var/configs/etl/federated + readOnly: true + {{- end }} + {{- if .Values.kubecostModel.etlBucketConfigSecret }} + - name: etl-bucket-config + mountPath: /var/configs/etl + readOnly: true + {{- end }} + {{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + - name: cloud-integration + mountPath: /var/configs/cloud-integration + {{- end }} + env: + - name: CONFIG_PATH + value: /var/configs/ + {{- if .Values.kubecostModel.etlBucketConfigSecret }} + - name: ETL_BUCKET_CONFIG + value: /var/configs/etl/object-store.yaml + {{- end}} + {{- if .Values.kubecostModel.federatedStorageConfigSecret }} + - name: FEDERATED_STORE_CONFIG + value: /var/configs/etl/federated/federated-store.yaml + - name: FEDERATED_CLUSTER + value: "true" + {{- end}} + - name: CLOUD_COST_REFRESH_RATE_HOURS + value: {{ .Values.kubecostAggregator.cloudCost.refreshRateHours | default 6 | quote }} + - name: CLOUD_COST_QUERY_WINDOW_DAYS + value: {{ .Values.kubecostAggregator.cloudCost.queryWindowDays | default 7 | quote }} + - name: CLOUD_COST_RUN_WINDOW_DAYS + value: {{ .Values.kubecostAggregator.cloudCost.runWindowDays | default 3 | quote }} + {{- with .Values.kubecostModel.cloudCost }} + {{- with .labelList }} + - name: CLOUD_COST_IS_INCLUDE_LIST + value: {{ (quote .IsIncludeList) | default (quote false) }} + - name: CLOUD_COST_LABEL_LIST + value: {{ (quote .labels) }} + {{- end }} + - name: CLOUD_COST_TOP_N + value: {{ (quote .topNItems) | default (quote 1000) }} + {{- end }} + {{- range $key, $value := .Values.kubecostAggregator.cloudCost.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + 
{{- if .Values.systemProxy.enabled }} + - name: HTTP_PROXY + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: http_proxy + value: {{ .Values.systemProxy.httpProxyUrl }} + - name: HTTPS_PROXY + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: https_proxy + value: {{ .Values.systemProxy.httpsProxyUrl }} + - name: NO_PROXY + value: {{ .Values.systemProxy.noProxy }} + - name: no_proxy + value: {{ .Values.systemProxy.noProxy }} + {{- end }} +{{- end }} + +{{/* +SSO enabled flag for nginx configmap +*/}} +{{- define "ssoEnabled" -}} + {{- if or (.Values.saml).enabled (.Values.oidc).enabled -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + +{{- define "cost-analyzer.grafanaEnabled" -}} + {{- if and (.Values.global.grafana.enabled) (not .Values.federatedETL.agentOnly) -}} + {{- printf "true" -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml index 88fdc7646..c0b44911d 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-deployment.yaml @@ -1,4 +1,9 @@ -{{- if .Values.kubecostAggregator.cloudCost.enabled }} +{{- if eq (include "aggregator.deployMethod" .) "statefulset" }} + +{{/* + A cloud integration secret is required for cloud cost to function as a dedicated pod. +*/}} +{{- if or (.Values.kubecostProductConfigs).cloudIntegrationSecret (.Values.kubecostProductConfigs).cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} apiVersion: apps/v1 kind: Deployment 
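Review bot: `aggregator.containerTemplate` hard-codes a GCP API key in the `CLOUD_PROVIDER_API_KEY` env var; even if the key is restricted to the pricing API as the inline comment states, baking it into the chart means every install shares one credential and an operator cannot rotate or replace it without forking the template. Expose it as a value with the current key as the default, e.g. `value: {{ .Values.kubecostAggregator.cloudProviderApiKey | default "<current key>" | quote }}`, or source it from a Secret via `valueFrom.secretKeyRef`, and keep the comment that explains the default's scope. Separately, `prometheus.pushgateway.fullname` reads `.Values.nameOverride` where the sibling alertmanager/nodeExporter/server helpers read `.Values.prometheus.nameOverride`, so the pushgateway name can diverge from the other Prometheus components; `{{- $name := default "prometheus" .Values.prometheus.nameOverride -}}` restores consistency. The `ETL_BUCKET_CONFIG` branch for `not .Values.kubecostModel.federatedStorageConfigSecret` inside the statefulset block is unreachable, because the volumeMounts section earlier in the same template already calls `fail` when that secret is unset in statefulset mode, so it could be dropped or replaced with a comment saying why only the federated path remains.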
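Review bot: The Deployment is now gated only on `aggregator.deployMethod` being `statefulset` plus a cloud-integration value being set; the former `kubecostAggregator.cloudCost.enabled` gate is gone, so if that key still exists in values.yaml it is silently ignored here and there is no way to opt out of the dedicated cloud-cost pod in statefulset mode. Either remove the key from values.yaml and the README in the same change, or keep it in the condition: `{{- if and (eq (include "aggregator.deployMethod" .) "statefulset") .Values.kubecostAggregator.cloudCost.enabled }}`. The guard opened in this hunk is closed by the `{{- end }}` added in a later hunk of the same file.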
@@ -7,6 +12,9 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{ include "cloudCost.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: 1 selector: @@ -20,6 +28,9 @@ spec: app.kubernetes.io/name: cloud-cost app.kubernetes.io/instance: {{ .Release.Name }} app: cloud-cost + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.global.podAnnotations}} annotations: {{- toYaml . | nindent 8 }} 
@@ -47,94 +58,20 @@ spec: items: - key: cloud-integration.json path: cloud-integration.json - {{- else }} - {{- fail "Cloud Cost requires configuration secret" }} + {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + - name: cloud-integration + secret: + secretName: cloud-integration + items: + - key: cloud-integration.json + path: cloud-integration.json {{- end }} + {{/* Titled persistent-configs to be compatible with single-pod install. + All data stored here is ephemeral, and does not require a PV. */}} + - name: persistent-configs + emptyDir: {} containers: - - name: cloud-cost - {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.openSourceOnly }} - {{- fail "Kubecost Aggregator cannot be used with open source only" }} - {{- else if .Values.kubecostAggregator.fullImageName }} - image: {{ .Values.kubecostAggregator.fullImageName }} - {{- else if .Values.kubecostModel.fullImageName }} - image: {{ .Values.kubecostModel.fullImageName }} - {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} - {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} - {{ end }} - {{- else }} - image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz - port: 9005 - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 200 - imagePullPolicy: Always - args: ["cloud-cost"] - ports: - - name: tcp-api - containerPort: 9005 - protocol: TCP - resources: - {{- toYaml .Values.kubecostAggregator.cloudCost.resources | nindent 12 }} - volumeMounts: - {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: federated-storage-config - mountPath: /var/configs/etl/federated - readOnly: true - {{- end }} - {{- if .Values.kubecostModel.etlBucketConfigSecret }} - - name: etl-bucket-config - mountPath: /var/configs/etl - readOnly: true - {{- end }} - {{- 
if .Values.kubecostProductConfigs.cloudIntegrationSecret }} - - name: cloud-integration - mountPath: /var/configs/cloud-integration - {{- end }} - env: - - name: CONFIG_PATH - value: /var/configs/ - {{- if .Values.kubecostModel.etlBucketConfigSecret }} - - name: ETL_BUCKET_CONFIG - value: "/var/configs/etl/object-store.yaml" - {{- end}} - {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: FEDERATED_STORE_CONFIG - value: "/var/configs/etl/federated/federated-store.yaml" - - name: FEDERATED_CLUSTER - value: "true" - {{- end}} - - name: CLOUD_COST_REFRESH_RATE_HOURS - value: {{ .Values.kubecostAggregator.cloudCost.refreshRateHours | default 6 | quote }} - - name: CLOUD_COST_QUERY_WINDOW_DAYS - value: {{ .Values.kubecostAggregator.cloudCost.queryWindowDays | default 7 | quote }} - - name: CLOUD_COST_RUN_WINDOW_DAYS - value: {{ .Values.kubecostAggregator.cloudCost.runWindowDays | default 3 | quote }} - - {{- range $key, $value := .Values.kubecostAggregator.cloudCost.env }} - - name: {{ $key | quote }} - value: {{ $value | quote }} - {{- end }} - {{- if .Values.systemProxy.enabled }} - - name: HTTP_PROXY - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: http_proxy - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: HTTPS_PROXY - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: https_proxy - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: NO_PROXY - value: {{ .Values.systemProxy.noProxy }} - - name: no_proxy - value: {{ .Values.systemProxy.noProxy }} - {{- end }} + {{- include "aggregator.cloudCost.containerTemplate" . | nindent 8 }} {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 2 }} @@ -161,3 +98,4 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file 
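Review bot: The new `else if` branch mounts a Secret with the literal name `cloud-integration`, whereas the `cloudIntegrationSecret` branch above it uses the operator-supplied name; whether the chart actually creates a Secret called exactly `cloud-integration` from `cloudIntegrationJSON`/`athenaProjectID` cannot be confirmed from this diff, so a template-derived name or a comment pointing at the template that creates it would make the coupling explicit. The condition also reads `.Values.kubecostProductConfigs.cloudIntegrationJSON` without the nil-safe form used for `athenaProjectID` on the same line; `(.Values.kubecostProductConfigs).cloudIntegrationJSON` keeps the two consistent. The `persistent-configs` `emptyDir: {}` has no `sizeLimit`, unlike `aggregator-staging` in aggregator-statefulset.yaml in this diff; if it only holds materialized ConfigMap content, as the comment says, a small bound such as `emptyDir: { sizeLimit: 1Gi }` is cheap insurance against filling node disk.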
diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-service.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-service.yaml index a0ea7deba..96a05b511 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-cloud-cost-service.yaml @@ -1,4 +1,5 @@ -{{- if .Values.kubecostAggregator.cloudCost.enabled }} +{{- if and (not .Values.agent) (not .Values.cloudAgent) }} +{{- if not (eq .Values.kubecostAggregator.deployMethod "disabled") }} kind: Service apiVersion: v1 @@ -16,3 +17,4 @@ spec: port: 9005 targetPort: 9005 {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml index 275a2db3c..7e487aff1 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-service.yaml @@ -1,5 +1,5 @@ -{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostAggregator) }} -{{- if .Values.kubecostAggregator.enabled }} +{{- if and (not .Values.agent) (not .Values.cloudAgent) }} +{{- if not (eq .Values.kubecostAggregator.deployMethod "disabled") }} kind: Service apiVersion: v1 @@ -16,8 +16,14 @@ spec: - name: tcp-api port: 9004 targetPort: 9004 + {{- if or .Values.saml.enabled .Values.oidc.enabled}} + - name: apiserver + port: 9008 + targetPort: 9008 + {{- end }} {{- with .Values.kubecostAggregator.extraPorts }} {{- toYaml . | nindent 4 }} {{- end }} + {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml index a03335240..6293e73fd 100644 --- a/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml +++ b/charts/kubecost/cost-analyzer/templates/aggregator-statefulset.yaml 
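Review bot: The Service gate compares `.Values.kubecostAggregator.deployMethod` directly with `"disabled"`, while the Deployment and StatefulSet in this diff go through `include "aggregator.deployMethod"`; if that helper normalizes or defaults the value, the Service and its backing workload can disagree about whether they exist. Use the helper here as well: `{{- if not (eq (include "aggregator.deployMethod" .) "disabled") }}`. The same direct comparison appears in the aggregator-service.yaml hunk on this line and should change together.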
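Review bot: The new `apiserver` port block tests `.Values.saml.enabled` and `.Values.oidc.enabled` directly, whereas the `ssoEnabled` helper added to _helpers.tpl in this diff uses the nil-safe `(.Values.saml).enabled` form; if either map is absent from a values file, this line errors during render instead of omitting the port. Reuse the helper: `{{- if eq (include "ssoEnabled" .) "true" }}`. A one-line comment naming what listens on 9008 would also help, since nothing in the hunk says which process serves that port.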
@@ -1,5 +1,5 @@ -{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostAggregator) }} -{{- if .Values.kubecostAggregator.enabled }} +{{- if and (not .Values.agent) (not .Values.cloudAgent) }} +{{- if eq (include "aggregator.deployMethod" .) "statefulset" }} apiVersion: apps/v1 kind: StatefulSet @@ -8,32 +8,16 @@ metadata: namespace: {{ .Release.Namespace }} labels: {{- include "aggregator.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.kubecostAggregator.replicas }} serviceName: {{ template "aggregator.serviceName" . }} selector: matchLabels: - app.kubernetes.io/name: aggregator - app.kubernetes.io/instance: {{ .Release.Name }} - app: aggregator + {{- include "aggregator.selectorLabels" . | nindent 6 }} volumeClaimTemplates: - - metadata: - name: persistent-configs - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.kubecostAggregator.persistentConfigsStorage.storageClass }} - resources: - requests: - storage: {{ .Values.kubecostAggregator.persistentConfigsStorage.storageRequest }} - - metadata: - name: aggregator-storage - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.kubecostAggregator.aggregatorStorage.storageClass }} - resources: - requests: - storage: {{ .Values.kubecostAggregator.aggregatorStorage.storageRequest }} - {{- if .Values.kubecostAggregator.aggregatorDbStorage }} - metadata: name: aggregator-db-storage spec: 
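Review bot: Dropping the `persistent-configs` and `aggregator-storage` volumeClaimTemplates and making `aggregator-db-storage` unconditional rewrites `spec.volumeClaimTemplates` of an existing StatefulSet, and the API server rejects such updates (only a handful of fields such as `replicas`, `template` and `updateStrategy` are mutable), so users on the previous chart version will need to delete the StatefulSet, keeping its PVCs, before `helm upgrade`. That deserves a sentence in the chart's upgrade notes or NOTES.txt. Removing the `{{- if .Values.kubecostAggregator.aggregatorDbStorage }}` guard also means a values file without that block now fails rendering on `.storageRequest`; that is fine if values.yaml ships a default, which this diff does not show.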
@@ -42,13 +26,28 @@ spec: resources: requests: storage: {{ .Values.kubecostAggregator.aggregatorDbStorage.storageRequest }} - {{- end }} + - metadata: + # In the StatefulSet config, Aggregator should not share any filesystem + # state with the cost-model to maintain independence and improve + # stability (in the event of bad file-locking state). Still, there is + # a need to "mount" ConfigMap files (using the watcher) to a file system; + # that's what this per-replica Volume is used for. + name: persistent-configs + spec: + accessModes: [ "ReadWriteOnce" ] + storageClassName: {{ .Values.kubecostAggregator.persistentConfigsStorage.storageClass }} + resources: + requests: + storage: {{ .Values.kubecostAggregator.persistentConfigsStorage.storageRequest }} template: metadata: labels: app.kubernetes.io/name: aggregator app.kubernetes.io/instance: {{ .Release.Name }} app: aggregator + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} {{- with .Values.global.podAnnotations}} annotations: {{- toYaml . | nindent 8 }} 
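Review bot: The new comment on `persistent-configs` says the volume only holds ConfigMap files materialized by the watcher, yet it is provisioned as a per-replica ReadWriteOnce PVC, while aggregator-cloud-cost-deployment.yaml in this diff backs the same-named volume with an emptyDir for the same stated reason. If the data must survive pod rescheduling, extend the comment to say why (e.g. `# Must be a PVC rather than emptyDir because …`); otherwise an emptyDir with a `sizeLimit` would avoid provisioning a PV per replica and the RWO node-affinity constraint on rescheduling.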
@@ -67,139 +66,82 @@ spec: {{- end }} serviceAccountName: {{ template "aggregator.serviceAccountName" . }} volumes: + - name: aggregator-staging + emptyDir: + sizeLimit: {{ .Values.kubecostAggregator.stagingEmptyDirSizeLimit }} {{- $etlBackupBucketSecret := "" }} {{- if .Values.kubecostModel.federatedStorageConfigSecret }} {{- $etlBackupBucketSecret = .Values.kubecostModel.federatedStorageConfigSecret }} {{- end }} {{- if $etlBackupBucketSecret }} - - name: bucket-config + {{- if .Values.kubecostModel.federatedStorageConfigSecret }} + - name: federated-storage-config + secret: + defaultMode: 420 + secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret }} + {{- end }} + - name: etl-bucket-config secret: defaultMode: 420 secretName: {{ $etlBackupBucketSecret }} {{- else }} - {{- fail "Kubecost Aggregator requires .Values.kubecostModel.federatedStorageConfigSecret" }} + {{- fail "Kubecost Aggregator Enterprise Config requires .Values.kubecostModel.federatedStorageConfigSecret" }} + {{- end }} + {{- if .Values.saml }} + {{- if .Values.saml.enabled }} + {{- if .Values.saml.secretName }} + - name: secret-volume + secret: + secretName: {{ .Values.saml.secretName }} + {{- end }} + {{- if .Values.saml.encryptionCertSecret }} + - name: saml-encryption-cert + secret: + secretName: {{ .Values.saml.encryptionCertSecret }} + {{- end }} + {{- if .Values.saml.decryptionKeySecret }} + - name: saml-decryption-key + secret: + secretName: {{ .Values.saml.decryptionKeySecret }} + {{- end }} + {{- if .Values.saml.metadataSecretName }} + - name: metadata-secret-volume + secret: + secretName: {{ .Values.saml.metadataSecretName }} + {{- end }} + - name: saml-auth-secret + secret: + secretName: {{ .Values.saml.authSecretName | default "kubecost-saml-secret" }} + {{- if .Values.saml.rbac.enabled }} + - name: saml-roles + configMap: + name: {{ template "cost-analyzer.fullname" . 
}}-saml + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.oidc }} + {{- if .Values.oidc.enabled }} + - name: oidc-config + configMap: + name: {{ template "cost-analyzer.fullname" . }}-oidc + {{- if and (not .Values.oidc.existingCustomSecret.enabled) .Values.oidc.secretName }} + - name: oidc-client-secret + secret: + secretName: {{ .Values.oidc.secretName }} + {{- end }} + {{- if .Values.oidc.existingCustomSecret.enabled }} + - name: oidc-client-secret + secret: + secretName: {{ .Values.oidc.existingCustomSecret.name }} + {{- end }} + {{- end }} {{- end }} containers: - {{- if .Values.kubecostAggregator.jaeger.enabled }} - - name: embedded-jaeger - securityContext: - {{- toYaml .Values.kubecostAggregator.jaeger.containerSecurityContext | nindent 12 }} - image: {{ .Values.kubecostAggregator.jaeger.image }}:{{ .Values.kubecostAggregator.jaeger.imageVersion }} - {{- end }} - - name: aggregator - {{- if .Values.kubecostAggregator.containerSecurityContext }} - securityContext: - {{- toYaml .Values.kubecostAggregator.containerSecurityContext | nindent 12 }} - {{- else if .Values.global.containerSecurityContext }} - securityContext: - {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} - {{ end }} - {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.openSourceOnly }} - {{- fail "Kubecost Aggregator cannot be used with open source only" }} - {{- else if .Values.kubecostAggregator.fullImageName }} - image: {{ .Values.kubecostAggregator.fullImageName }} - {{- else if .Values.kubecostModel.fullImageName }} - image: {{ .Values.kubecostModel.fullImageName }} - {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} - {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} - {{ end }} - {{- else }} - image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz - port: 9004 - initialDelaySeconds: 10 - 
periodSeconds: 5 - failureThreshold: 200 - imagePullPolicy: Always - args: ["waterfowl"] - ports: - - name: tcp-api - containerPort: 9004 - protocol: TCP - {{- with.Values.kubecostAggregator.extraPorts }} - {{- toYaml . | nindent 12 }} - {{- end }} - resources: - {{ toYaml .Values.kubecostAggregator.resources | nindent 12 }} - volumeMounts: - - name: persistent-configs - mountPath: /var/configs - - name: bucket-config - mountPath: /var/configs/etl - - name: aggregator-storage - mountPath: /var/configs/waterfowl - {{- if .Values.kubecostAggregator.aggregatorDbStorage }} - - name: aggregator-db-storage - mountPath: /var/configs/waterfowl/duckdb - {{- end }} - env: - {{- if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} - - name: CLUSTER_ID - value: {{ .Values.prometheus.server.global.external_labels.cluster_id }} - {{- end }} - {{- if .Values.prometheus.server.clusterIDConfigmap }} - - name: CLUSTER_ID - valueFrom: - configMapKeyRef: - name: {{ .Values.prometheus.server.clusterIDConfigmap }} - key: CLUSTER_ID - {{- end }} - {{- if .Values.kubecostAggregator.jaeger.enabled }} - - name: TRACING_URL - value: "http://localhost:14268/api/traces" - {{- end }} - - name: CONFIG_PATH - value: /var/configs/ - - name: ETL_ENABLED - value: "false" # this pod should never run KC's concept of "ETL" - - name: CLOUD_PROVIDER_API_KEY - value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API.' 
- {{- if .Values.systemProxy.enabled }} - - name: HTTP_PROXY - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: http_proxy - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: HTTPS_PROXY - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: https_proxy - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: NO_PROXY - value: {{ .Values.systemProxy.noProxy }} - - name: no_proxy - value: {{ .Values.systemProxy.noProxy }} - {{- end }} - {{- if .Values.kubecostAggregator.extraEnv -}} - {{ toYaml .Values.kubecostAggregator.extraEnv | nindent 12 }} - {{- end }} - {{- if $etlBackupBucketSecret }} - # If this isn't set, we pretty much have to be in a read only state, - # initialization will probably fail otherwise. - - name: ETL_BUCKET_CONFIG - {{- if not .Values.kubecostModel.federatedStorageConfigSecret}} - value: "/var/configs/etl/object-store.yaml" - {{- else }} - value: "/var/configs/etl/federated-store.yaml" - - name: FEDERATED_STORE_CONFIG - value: "/var/configs/etl/federated-store.yaml" - - name: FEDERATED_PRIMARY_CLUSTER # this ensures the ingester runs assuming federated primary paths in the bucket - value: "true" - - name: FEDERATED_CLUSTER # this ensures the ingester runs assuming federated primary paths in the bucket - value: "true" - {{- end }} - {{- end }} + {{- include "aggregator.containerTemplate" . | nindent 8 }} - {{- range $key, $value := .Values.kubecostAggregator.env }} - - name: {{ $key | quote }} - value: {{ $value | quote }} - {{- end }} - - name: KUBECOST_NAMESPACE - value: {{ .Release.Namespace }} + {{- if .Values.kubecostAggregator.jaeger.enabled }} + {{ include "aggregator.jaeger.sidecarContainerTemplate" . | nindent 8 }} + {{- end }} {{- if .Values.imagePullSecrets }} imagePullSecrets: diff --git a/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml index 883cd6683..ada60fa01 100644 
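Review bot: In the new `volumes:` list the `federated-storage-config` and `etl-bucket-config` entries always reference the same Secret, because `$etlBackupBucketSecret` is only ever assigned from `.Values.kubecostModel.federatedStorageConfigSecret`, so the inner `{{- if .Values.kubecostModel.federatedStorageConfigSecret }}` can never be false once the outer `{{- if $etlBackupBucketSecret }}` passes. Either drop the `$etlBackupBucketSecret` indirection and emit both volumes under a single guard, or add a comment stating why the same Secret must be mounted twice — the `aggregator.containerTemplate` helper that mounts them is outside this diff, so the two mount paths cannot be checked here. The StatefulSet spec this belongs to begins before the hunk.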
--- a/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/awsstore-deployment-template.yaml @@ -6,7 +6,7 @@ metadata: name: {{ template "cost-analyzer.fullname" . }}-awsstore namespace: {{ .Release.Namespace }} labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} spec: selector: matchLabels: @@ -29,6 +29,10 @@ spec: {{- if .Values.awsstore.priorityClassName }} priorityClassName: "{{ .Values.awsstore.priorityClassName }}" {{- end }} + {{- with .Values.awsstore.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - image: {{ .Values.awsstore.imageNameAndVersion }} name: awsstore diff --git a/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml b/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml new file mode 100644 index 000000000..d52f82d8a --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/cloud-integration-secret.yaml @@ -0,0 +1,16 @@ +{{- if or ((.Values.kubecostProductConfigs).cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaProjectID) }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: cloud-integration + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +data: + {{- if (.Values.kubecostProductConfigs).cloudIntegrationJSON }} + cloud-integration.json: {{ .Values.kubecostProductConfigs.cloudIntegrationJSON | replace "\n" "" | b64enc }} + {{- else }} + cloud-integration.json: {{ include "cloudIntegrationFromProductConfigs" . |nindent 4| replace "\n" "" | b64enc }} + {{- end }} +{{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml index 94d25aaa0..ec431857e 100644 
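Review bot: The new `cloud-integration-secret.yaml` turns cloud credentials supplied via `kubecostProductConfigs.cloudIntegrationJSON` into a Secret, but those credentials then also live base64-encoded in the Helm release record (`helm get values`) and in whatever values file or CI variable supplied them; a header comment such as `# Prefer kubecostProductConfigs.cloudIntegrationSecret (a pre-created Secret): values passed here are retained in Helm release history` would steer operators to the safer path. The Secret is also named a bare `cloud-integration` rather than `{{ template "cost-analyzer.fullname" . }}-cloud-integration`, so two releases in one namespace would overwrite each other's credentials; if the fixed name is required by the consumer, a comment should say so.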
--- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-cluster-role-template.yaml @@ -44,15 +44,6 @@ rules: - get - list - watch -{{- $isLeaderFollowerEnabled := include "cost-analyzer.leaderFollowerEnabled" . }} -{{- if $isLeaderFollowerEnabled }} - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' -{{- end }} - apiGroups: - apps resources: diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-db-pvc-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-db-pvc-template.yaml index f7a4dd74b..9b81ee367 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-db-pvc-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-db-pvc-template.yaml @@ -1,9 +1,7 @@ -{{- if (.Values.kubecostModel.etlToDisk | default true) -}} {{- if .Values.persistentVolume -}} {{- if not .Values.persistentVolume.dbExistingClaim -}} {{- if .Values.persistentVolume.enabled -}} {{- if .Values.persistentVolume.dbPVEnabled -}} -{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) -}} kind: PersistentVolumeClaim apiVersion: v1 metadata: @@ -35,5 +33,3 @@ spec: {{- end -}} {{- end -}} {{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml index 61a627d1a..d38cc6cef 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-deployment-template.yaml 
@@ -1,10 +1,6 @@ {{- if and (not .Values.agent) (not .Values.cloudAgent) }} apiVersion: apps/v1 -{{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }} -kind: StatefulSet -{{- else }} kind: Deployment -{{- end }} metadata: name: {{ template "cost-analyzer.fullname" . }} namespace: {{ .Release.Namespace }} @@ -20,9 +16,6 @@ metadata: spec: {{- if .Values.kubecostDeployment }} replicas: {{ .Values.kubecostDeployment.replicas | default 1 }} -{{- end }} -{{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }} - serviceName: {{ template "cost-analyzer.serviceName" . }} {{- end }} selector: matchLabels: @@ -83,7 +76,7 @@ spec: {{- end }} - name: tmp emptyDir: {} - {{- if .Values.kubecostFrontend.enabled }} + {{- if and .Values.kubecostFrontend.enabled (not .Values.federatedETL.agentOnly) }} - name: nginx-conf configMap: name: nginx-conf @@ -98,14 +91,11 @@ spec: emptyDir: { } {{- end }} {{- /* - If Thanos is enabled, then enable ETL backups by default. To opt out of ETL backups, set .Values.kubecostModel.etlBucketConfigSecret="" */}} {{- $etlBackupBucketSecret := "" }} {{- if .Values.kubecostModel.etlBucketConfigSecret }} {{- $etlBackupBucketSecret = .Values.kubecostModel.etlBucketConfigSecret }} - {{- else if and .Values.global.thanos.enabled (ne (typeOf .Values.kubecostModel.etlBucketConfigSecret) "string") }} - {{- $etlBackupBucketSecret = .Values.thanos.storeSecretName }} {{- end }} {{- if $etlBackupBucketSecret }} - name: etl-bucket-config 
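Review bot: The surviving comment `To opt out of ETL backups, set .Values.kubecostModel.etlBucketConfigSecret=""` is now misleading in the `@@ -98` hunk: with the Thanos fallback removed, `$etlBackupBucketSecret` is only set when `etlBucketConfigSecret` is explicitly configured, so backups are opt-in rather than opt-out. Replace it with something like `# ETL backups run only when kubecostModel.etlBucketConfigSecret names a bucket-config Secret` so the following `{{- if $etlBackupBucketSecret }}` block reads correctly. The Deployment spec this sits in starts well before the hunk.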
@@ -168,6 +158,13 @@ spec: items: - key: cloud-integration.json path: cloud-integration.json + {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + - name: cloud-integration + secret: + secretName: cloud-integration + items: + - key: cloud-integration.json + path: cloud-integration.json {{- end }} {{- if .Values.kubecostProductConfigs.clusters }} - name: kubecost-clusters @@ -232,6 +229,9 @@ spec: secret: secretName: {{ .Values.saml.metadataSecretName }} {{- end }} + - name: saml-auth-secret + secret: + secretName: {{ .Values.saml.authSecretName | default "kubecost-saml-secret" }} {{- if .Values.saml.rbac.enabled }} - name: saml-roles configMap: @@ -260,7 +260,6 @@ spec: # Extra volume(s) {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} -{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) }} - name: persistent-configs {{- if .Values.persistentVolume }} {{- if .Values.persistentVolume.enabled }} @@ -277,8 +276,7 @@ spec: persistentVolumeClaim: claimName: {{ template "cost-analyzer.fullname" . }} {{- end }} -{{- end }} -{{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled (not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled)) }} +{{- if .Values.persistentVolume.dbPVEnabled }} - name: persistent-db {{- if .Values.persistentVolume }} {{- if .Values.persistentVolume.enabled }} 
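Review bot: The `saml-auth-secret` volume added in the `@@ -232` hunk is emitted unconditionally whenever SAML is enabled and defaults to `secretName: kubecost-saml-secret`; if that Secret has not been pre-created the cost-analyzer pod will sit in ContainerCreating with a mount error, which is a new failure mode for existing SAML users upgrading. Either document `saml.authSecretName` and the default name in values.yaml next to the other SAML secrets, or, if the cost-model can start without it, add `optional: true` under `secret:`. The enclosing `volumes:` list starts before this hunk.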
@@ -308,15 +306,15 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} - {{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }} + {{- if .Values.persistentVolume.dbPVEnabled }} command: ["sh", "-c", "/bin/chmod -R 777 /var/configs && /bin/chmod -R 777 /var/db"] {{- else }} command: ["sh", "-c", "/bin/chmod -R 777 /var/configs"] - {{- end}} + {{- end }} volumeMounts: - name: persistent-configs mountPath: /var/configs - {{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }} + {{- if .Values.persistentVolume.dbPVEnabled }} - name: persistent-db mountPath: /var/db {{- end }} @@ -452,12 +450,12 @@ spec: mountPath: /etc/ubbagent {{- end }} {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.openSourceOnly }} - - image: quay.io/kubecost1/kubecost-cost-model:{{ .Values.imageVersion }} - {{- else if .Values.kubecostModel.fullImageName }} + {{- if .Values.kubecostModel.fullImageName }} - image: {{ .Values.kubecostModel.fullImageName }} {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + - image: gcr.io/kubecost1/cost-model-nightly:latest {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} {{- end }} @@ -530,7 +528,7 @@ spec: - name: etl-bucket-config mountPath: /var/configs/etl readOnly: true - {{- else if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }} + {{- else if .Values.persistentVolume.dbPVEnabled }} - name: persistent-db mountPath: /var/db {{- end }} 
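Review bot: The init container retained on the new side of the `@@ -308` hunk still runs `/bin/chmod -R 777 /var/configs && /bin/chmod -R 777 /var/db`, leaving the persistent config and DB volumes world-writable; the hunk only rewrites the surrounding condition. A pod-level `securityContext.fsGroup` (with `fsGroupChangePolicy: OnRootMismatch`) would give the cost-model write access without opening the tree to every UID, and if 0777 is deliberately required, a one-line comment explaining why would stop the next reviewer from flagging it. Separately, in the `@@ -452` hunk the removed `kubecostModel.openSourceOnly` branch means a values file that still sets it now silently gets the enterprise `cost-model` image; a `{{- if .Values.kubecostModel.openSourceOnly }}{{- fail "kubecostModel.openSourceOnly is no longer supported" }}{{- end }}` would surface that at install time, and the new `gcr.io/kubecost1/cost-model-nightly:latest` branch deserves a comment that the mutable tag is only selected when `Chart.AppVersion` is literally `development`.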
@@ -562,7 +560,7 @@ spec: - name: azure-storage-config mountPath: /var/azure-storage-config {{- end }} - {{- if .Values.kubecostProductConfigs.cloudIntegrationSecret }} + {{- if or (.Values.kubecostProductConfigs.cloudIntegrationSecret) (.Values.kubecostProductConfigs.cloudIntegrationJSON) }} - name: cloud-integration mountPath: /var/configs/cloud-integration {{- end }} @@ -601,6 +599,8 @@ spec: - name: metadata-secret-volume mountPath: /var/configs/metadata-secret-volume {{- end }} + - name: saml-auth-secret + mountPath: /var/configs/saml-auth-secret {{- if .Values.saml.rbac.enabled }} - name: saml-roles mountPath: /var/configs/saml @@ -620,7 +620,7 @@ spec: env: {{- if .Values.global.grafana }} - name: GRAFANA_ENABLED - value: {{ (quote .Values.global.grafana.enabled) | default (quote false) }} + value: "{{ template "cost-analyzer.grafanaEnabled" . }}" {{- end}} {{- if .Values.kubecostModel.extraEnv -}} {{ toYaml .Values.kubecostModel.extraEnv | nindent 12 }} @@ -678,6 +678,8 @@ spec: configMapKeyRef: name: {{ template "cost-analyzer.fullname" . }} key: prometheus-server-endpoint + - name: CLOUD_COST_ENABLED + value: "false" - name: CLOUD_PROVIDER_API_KEY value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API. {{- if .Values.kubecostProductConfigs }} 
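Review bot: The new mount guard in the `@@ -562` hunk, `or cloudIntegrationSecret cloudIntegrationJSON`, does not match the volume guard added earlier in this file (`@@ -168`), which also attaches the `cloud-integration` Secret when only `kubecostProductConfigs.athenaProjectID` is set; in that configuration the generated Secret is attached to the pod but never mounted, so the Athena-derived `cloud-integration.json` silently never appears under `/var/configs/cloud-integration`. Align the two with the same nil-safe expression: `{{- if or (.Values.kubecostProductConfigs.cloudIntegrationSecret) (.Values.kubecostProductConfigs.cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaProjectID) }}`. The cost-model container's `volumeMounts:` list begins before the hunk.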
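Review bot: The `@@ -678` hunk adds `CLOUD_COST_ENABLED: "false"` as a hard-coded value while the `kubecostModel.cloudCost.*` / `etlCloud*` env block is deleted further down this file, so any operator still setting those keys gets no effect and no warning; unless the `aggregator.cloudCost.containerTemplate` helper (outside this diff) now reads them, a `fail` or a values.yaml deprecation note for `kubecostModel.cloudCost` is warranted. The context line directly above it still embeds `CLOUD_PROVIDER_API_KEY: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk"` in the rendered manifest; the inline comment says the key is restricted to the billing API, but a credential baked into a public chart cannot be rotated without a chart release, so it should at least be overridable, e.g. `value: {{ .Values.kubecostModel.cloudProviderApiKey | default "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" | quote }}`, or sourced from a `secretKeyRef`. The `env:` list this sits in starts before the hunk.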
@@ -713,24 +715,6 @@ spec: value: {{ (quote .Values.kubecostProductConfigs.regionOverrides) }} {{- end }} {{- end }} - {{- if .Values.remoteWrite.postgres.enabled }} - - name: REMOTE_WRITE_ENABLED - value: "true" - - name: REMOTE_WRITE_PASSWORD - value: {{ .Values.remoteWrite.postgres.auth.password }} - {{- end }} - {{- if .Values.global.thanos.queryServiceBasicAuthSecretName}} - - name: MC_BASIC_AUTH_USERNAME - valueFrom: - secretKeyRef: - name: {{ .Values.global.thanos.queryServiceBasicAuthSecretName }} - key: USERNAME - - name: MC_BASIC_AUTH_PW - valueFrom: - secretKeyRef: - name: {{ .Values.global.thanos.queryServiceBasicAuthSecretName }} - key: PASSWORD - {{- end }} {{- if .Values.global.prometheus.queryServiceBasicAuthSecretName}} - name: DB_BASIC_AUTH_USERNAME valueFrom: @@ -750,13 +734,6 @@ spec: name: {{ .Values.global.prometheus.queryServiceBearerTokenSecretName }} key: TOKEN {{- end }} - {{- if .Values.global.thanos.queryServiceBearerTokenSecretName }} - - name: MC_BEARER_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.global.thanos.queryServiceBearerTokenSecretName }} - key: TOKEN - {{- end }} {{- if .Values.global.prometheus.insecureSkipVerify }} - name: INSECURE_SKIP_VERIFY value: {{ (quote .Values.global.prometheus.insecureSkipVerify) }} @@ -838,15 +815,11 @@ spec: {{- if or .Values.federatedETL.federatedCluster .Values.kubecostModel.federatedStorageConfigSecret }} - name: FEDERATED_CLUSTER value: "true" - {{- end}} - {{- if .Values.federatedETL.primaryCluster }} - - name: FEDERATED_PRIMARY_CLUSTER - value: "true" - {{- end}} + {{- end }} {{- if .Values.federatedETL.redirectS3Backup }} - name: FEDERATED_REDIRECT_BACKUP value: "true" - {{- end}} + {{- end }} {{- if .Values.federatedETL.useMultiClusterDB }} - name: CURRENT_CLUSTER_ID_FILTER_ENABLED value: "true" 
@@ -895,24 +868,6 @@ spec: {{- end }} {{- end }} {{- end }} - {{- with .Values.kubecostModel.cloudCost }} - - name: CLOUD_COST_ENABLED - value: {{ (quote .enabled) | default (quote true) }} - {{- with .labelList }} - - name: CLOUD_COST_IS_INCLUDE_LIST - value: {{ (quote .IsIncludeList) | default (quote false) }} - - name: CLOUD_COST_LABEL_LIST - value: {{ (quote .labels) }} - {{- end }} - - name: CLOUD_COST_TOP_N - value: {{ (quote .topNItems) | default (quote 1000) }} - {{- end }} - - name: CLOUD_COST_REFRESH_RATE_HOURS - value: {{ .Values.kubecostModel.cloudCost.refreshRateHours | default .Values.kubecostModel.etlCloudRefreshRateHours | default 6 | quote }} - - name: CLOUD_COST_QUERY_WINDOW_DAYS - value: {{ .Values.kubecostModel.cloudCost.queryWindowDays | default .Values.kubecostModel.etlCloudQueryWindowDays | default 7 | quote }} - - name: CLOUD_COST_RUN_WINDOW_DAYS - value: {{ .Values.kubecostModel.cloudCost.runWindowDays | default .Values.kubecostModel.etlCloudRunWindowDays | default 3 | quote }} - name: CONTAINER_STATS_ENABLED value: {{ (quote .Values.kubecostModel.containerStatsEnabled) | default (quote false) }} - name: RECONCILE_NETWORK 
@@ -962,38 +917,6 @@ spec: {{- end }} {{- end }} {{- end }} - {{- /* - If queryService is set, the cost-analyzer will always pass THANOS_ENABLED as true - to ensure that the custom query service target is used. The global.thanos.enabled - flag does not have any affect on this behavior. - */}} - {{- if .Values.global.thanos.queryService }} - - name: THANOS_ENABLED - value: "true" - - name: THANOS_QUERY_URL - value: {{ .Values.global.thanos.queryService }} - - name: THANOS_QUERY_OFFSET - value: {{ .Values.global.thanos.queryOffset | default "3h" }} - - name: THANOS_MAX_SOURCE_RESOLUTION - value: {{ .Values.kubecostModel.maxSourceResolution | default "raw" }} - {{- else if and .Values.global.thanos.enabled .Values.thanos }} - {{- if .Values.thanos.query }} - {{- if .Values.thanos.query.enabled }} - - name: THANOS_ENABLED - {{- if .Values.hosted }} - value: "false" - {{- else }} - value: "true" - {{- end }} - - name: THANOS_QUERY_URL - value: http://{{ .Release.Name }}-thanos-query-frontend-http.{{ .Release.Namespace }}:{{ .Values.thanos.queryFrontend.http.port }} - - name: THANOS_QUERY_OFFSET - value: {{ .Values.global.thanos.queryOffset | default "3h" }} - - name: THANOS_MAX_SOURCE_RESOLUTION - value: {{ .Values.kubecostModel.maxSourceResolution | default "raw" }} - {{- end }} - {{- end }} - {{- end }} {{- if .Values.oidc.enabled }} - name: OIDC_ENABLED value: "true" @@ -1049,13 +972,6 @@ spec: name: {{ .Values.prometheus.server.clusterIDConfigmap }} key: CLUSTER_ID {{- end }} - {{- if .Values.remoteWrite.postgres.installLocal }} - - name: SQL_ADDRESS - value: pgprometheus - {{- else }} - - name: SQL_ADDRESS - value: {{ .Values.remoteWrite.postgres.remotePostgresAddress }} - {{- end }} {{- if .Values.kubecostModel.promClusterIDLabel }} - name: PROM_CLUSTER_ID_LABEL value: {{ .Values.kubecostModel.promClusterIDLabel }} 
@@ -1076,41 +992,6 @@ spec: - name: COST_EVENTS_AUDIT_ENABLED value: {{ (quote .Values.costEventsAudit.enabled) | default (quote false) }} {{- end }} - {{- /* - Leader/Follower has baseline requirements before enabling: - * ETL FileStore Enabled - * Bucket Backup Configured - * Replicas > 1 - */}} - {{- if .Values.kubecostDeployment }} - {{- if .Values.kubecostDeployment.leaderFollower }} - {{- if .Values.kubecostDeployment.leaderFollower.enabled -}} - - {{- $etlFileStore := .Values.kubecostModel.etlFileStoreEnabled }} - {{- if not $etlFileStore }} - {{- fail "Leader/Follower requires kubecostModel.etlFileStoreEnabled be true." }} - {{- end -}} - - {{- if (eq (quote .Values.kubecostModel.etlBucketConfigSecret) "") }} - {{- fail "Leader/Follower requires kubecostModel.etlBucketConfigSecret be valid." }} - {{- end -}} - - {{- $replicas := .Values.kubecostDeployment.replicas | default 1 }} - {{- if not (gt (int $replicas) 1) }} - {{- fail "Leader/Follower should be used with kubecostDeployment.replicas > 1" }} - {{- end }} - {{- /* - Checks to ensure that the named template returns true if we've made it here - */}} - {{- $result := include "cost-analyzer.leaderFollowerEnabled" . }} - {{- if not $result }} - {{- fail (quote $result) }} - {{- end }} - - name: LEADER_FOLLOWER_ENABLED - value: "true" - {{- end }} - {{- end }} - {{- end }} - name: RELEASE_NAME value: {{ .Release.Name }} - name: KUBECOST_NAMESPACE 
@@ -1125,16 +1006,16 @@ spec: configMapKeyRef: name: {{ template "cost-analyzer.fullname" . }} key: kubecost-token - {{- if .Values.kubecostAggregator.enabled }} - name: WATERFOWL_ENABLED value: "true" - {{- end }} - {{- if .Values.kubecostFrontend.enabled }} + {{- if and .Values.kubecostFrontend.enabled (not .Values.federatedETL.agentOnly) }} {{- if .Values.kubecostFrontend }} {{- if .Values.kubecostFrontend.fullImageName }} - image: {{ .Values.kubecostFrontend.fullImageName }} {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostFrontend.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + - image: gcr.io/kubecost1/frontend-nightly:latest {{- else }} - image: {{ .Values.kubecostFrontend.image }}:prod-{{ $.Chart.AppVersion }} {{- end }} @@ -1202,6 +1083,15 @@ spec: {{- toYaml .Values.global.containerSecuritycontext | nindent 12 }} {{- end }} {{ end }} + + {{- if and (eq (include "aggregator.deployMethod" .) "singlepod") (not .Values.federatedETL.agentOnly) }} + {{- include "aggregator.containerTemplate" . | nindent 8 }} + {{- if .Values.kubecostAggregator.jaeger.enabled }} + {{- include "aggregator.jaeger.sidecarContainerTemplate" . | nindent 8 }} + {{- end }} + {{- include "aggregator.cloudCost.containerTemplate" . | nindent 8 }} + {{- end }} + {{- if .Values.imagePullSecrets }} imagePullSecrets: {{ toYaml .Values.imagePullSecrets | indent 2 }} 
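Review bot: In the `@@ -1125` hunk `WATERFOWL_ENABLED: "true"` is now emitted unconditionally, yet the frontend ConfigMap at the end of this diff still distinguishes `(include "aggregator.deployMethod" .)` equal to `"disabled"`, so a deployment with the aggregator disabled tells the cost-model the aggregator is on while nginx has no `upstream aggregator`. If `"disabled"` is still a supported value the guard should be `{{- if ne (include "aggregator.deployMethod" .) "disabled" }}`; if it is not, the ConfigMap's `disabled` special-casing and the helper's documentation should say so. The same hunk also selects the mutable `gcr.io/kubecost1/frontend-nightly:latest` tag when `Chart.AppVersion` is `development`, which is reasonable for dev builds but worth a comment that it is never chosen for a released chart.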
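Review bot: The context line at the top of the `@@ -1202` hunk reads `{{- toYaml .Values.global.containerSecuritycontext | nindent 12 }}` (lower-case `c`), while the rest of the chart — including the aggregator container removed earlier in this diff — uses `.Values.global.containerSecurityContext`; as written, a globally configured container security context is silently never applied to the frontend container, and the `else if` guard just above the hunk presumably carries the same misspelling. This is pre-existing, but since the hunk is touching this container it is the right place to correct both to `containerSecurityContext`. The containers pulled in by the new `aggregator.containerTemplate` and `aggregator.cloudCost.containerTemplate` includes get their securityContext from those helpers, which are outside this diff and cannot be checked here.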
@@ -1227,39 +1117,8 @@ spec: affinity: {{- toYaml . | nindent 8 }} {{- end }} - {{- if and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled }} - volumeClaimTemplates: - - metadata: - name: persistent-configs - spec: - accessModes: - - ReadWriteOnce - {{- if .Values.persistentVolume.storageClass }} - storageClassName: {{ .Values.persistentVolume.storageClass }} - {{ end }} - resources: - requests: - {{- if .Values.persistentVolume }} - storage: {{ .Values.persistentVolume.size }} - {{- else }} - storage: 32.0Gi - {{ end }} - {{- if and (.Values.kubecostModel.etlToDisk | default true) .Values.persistentVolume.dbPVEnabled }} - - metadata: - name: persistent-db - spec: - accessModes: - - ReadWriteOnce - {{- if .Values.persistentVolume.dbStorageClass }} - storageClassName: {{ .Values.persistentVolume.dbStorageClass }} - {{ end }} - resources: - requests: - {{- if .Values.persistentVolume }} - storage: {{ .Values.persistentVolume.dbSize }} - {{- else }} - storage: 32.0Gi - {{ end }} - {{- end }} - {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-federator-config-map-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-federator-config-map-template.yaml deleted file mode 100644 index 72a326af4..000000000 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-federator-config-map-template.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -{{- if .Values.federatedETL.federator }} -{{- if .Values.federatedETL.federator.enabled }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "cost-analyzer.fullname" . }}-federator - namespace: {{ .Release.Namespace }} - labels: - {{- include "cost-analyzer.commonLabels" . | nindent 4 }} -data: -{{- $root := . }} - federator.json: '{{ toJson .Values.federatedETL.federator }}' -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml index 97a391824..1b9b03222 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-frontend-config-map-template.yaml @@ -1,5 +1,5 @@ {{- if .Values.kubecostFrontend.enabled }} -{{- if and (not .Values.agent) (not .Values.cloudAgent) }} +{{- if and (not .Values.agent) (not .Values.cloudAgent) (not .Values.federatedETL.agentOnly) }} {{- $serviceName := include "cost-analyzer.serviceName" . -}} {{- if .Values.saml.enabled }} {{- if .Values.oidc.enabled }} 
@@ -101,25 +101,22 @@ data: } {{- end }} - {{- if and (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) (gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0) }} - upstream queryservice { - server {{ .Release.Name }}-query-service-load-balancer.{{ .Release.Namespace }}:9003; + {{- if .Values.forecasting.enabled }} + upstream forecasting { + server {{ .Release.Name }}-forecasting.{{ .Release.Namespace }}:5000; } {{- end }} - {{- if .Values.kubecostAggregator.enabled }} + {{- if and (not .Values.agent) (not .Values.cloudAgent) (not (eq (include "aggregator.deployMethod" .) "disabled")) }} upstream aggregator { server {{ .Release.Name }}-aggregator.{{ .Release.Namespace }}:9004; } - {{- end }} - {{- if .Values.kubecostAggregator.cloudCost.enabled }} upstream cloudCost { - server {{ template "cloudCost.fullname" . }}.{{ .Release.Namespace }}:9005; + server {{ template "cloudCost.serviceName" . }}.{{ .Release.Namespace }}:9005; } {{- end }} - {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} - {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} upstream multi-cluster-diagnostics { server {{ template "diagnostics.fullname" . }}.{{ .Release.Namespace }}:9007; } @@ -252,7 +249,7 @@ data: proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; - proxy_pass http://model/oidc/; + proxy_pass http://aggregator/oidc/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; @@ -263,7 +260,7 @@ data: proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; - proxy_pass http://model/saml/; + proxy_pass http://aggregator/saml/; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; 
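Review bot: In the `@@ -101` hunk the `upstream multi-cluster-diagnostics` block is now emitted whenever `kubecostModel.federatedStorageConfigSecret` is non-empty, dropping the former `diagnostics.enabled` gate; nginx resolves `upstream` server names at startup, so if the diagnostics Service is not created in that configuration the frontend container will fail to start with "host not found in upstream" rather than degrade gracefully. Unless the diagnostics Deployment is now also created unconditionally under that same condition (not visible in this diff), restore the `.Values.diagnostics.enabled` check or add a comment explaining why it is no longer needed. The `upstream cloudCost` block has the same exposure if `cloudCost.serviceName` can resolve to a Service that is not rendered.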
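Review bot: The `@@ -252` and `@@ -263` hunks re-point `/oidc/` and `/saml/` at `http://aggregator/…`, but `upstream aggregator` is only defined when `aggregator.deployMethod` is not `disabled`, while these `location` blocks appear to be guarded only on `oidc.enabled` / `saml.enabled` (their guards sit outside the hunk); with SSO enabled and the aggregator disabled, nginx would try to resolve a literal host named `aggregator` and fail to start. A chart-level guard makes the dependency explicit: `{{- if and (or .Values.oidc.enabled .Values.saml.enabled) (eq (include "aggregator.deployMethod" .) "disabled") }}` / `{{- fail "SAML/OIDC require the Kubecost aggregator (kubecostAggregator.deployMethod must not be disabled)" }}` / `{{- end }}`. The surrounding `server {}` block starts well before these hunks.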
@@ -274,7 +271,7 @@ data: proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; - proxy_pass http://model/login; + proxy_pass http://aggregator/login; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; @@ -287,7 +284,7 @@ data: proxy_connect_timeout 180; proxy_send_timeout 180; proxy_read_timeout 180; - proxy_pass http://model/logout; + proxy_pass http://aggregator/logout; proxy_redirect off; proxy_http_version 1.1; proxy_set_header Connection ""; 
@@ -309,65 +306,26 @@ data: proxy_set_header Host $http_host; } {{ end }} - {{- if or .Values.saml.enabled .Values.oidc.enabled }} + {{- if .Values.oidc.enabled }} location /auth { - proxy_pass http://model/isAuthenticated; + proxy_pass http://aggregator/isAuthenticated; } - {{- end }} - {{- if .Values.saml.rbac.enabled }} + {{- end }} + {{- if .Values.saml.enabled }} + location /auth { + proxy_pass http://aggregator/isAuthenticated; + } + {{- if .Values.saml.rbac.enabled }} location /authrbac { - proxy_pass http://model/isAdminAuthenticated; + proxy_pass http://aggregator/isAdminAuthenticated; } {{- end }} - - # Query Service Replicas (QSR) proxy - {{- if and (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) (gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0) }} - - {{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostAggregator) .Values.kubecostAggregator.enabled }} - {{- fail "Query Service Replicas should not be used at the same time as the Kubecost Aggregator" }} - {{- end }} - - location /model/allocation { - proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_pass http://queryservice/allocation; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - location /model/assets { - proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_pass http://queryservice/assets; - proxy_redirect off; - proxy_http_version 1.1; - 
proxy_set_header Connection ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - - # to get memory profile from query service need to prefix all request by queryservice/ - # for example if you want heap dump from query service end point should be - # /model/queryservice/debug/pprof/heap to get queryservice heap dumps - location ~ /model/queryservice/(.*)$ { - proxy_connect_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_send_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 600 }}; - proxy_pass http://queryservice/$1; - proxy_redirect off; - proxy_http_version 1.1; - proxy_set_header Connection ""; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } {{- end }} -{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostAggregator) .Values.kubecostAggregator.enabled }} + +{{- if and (not .Values.agent) (not .Values.cloudAgent) (not (eq (include "aggregator.deployMethod" .) "disabled")) }} + # TODO make aggregator route the default, start special-casing + # cost-model APIs # Aggregator proxy {{- if and (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) (gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0) }} 
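Review bot: `location /auth` is now emitted twice when both `.Values.oidc.enabled` and `.Values.saml.enabled` are true, because the first copy sits under `{{- if .Values.oidc.enabled }}` and the second under `{{- if .Values.saml.enabled }}`; nginx treats a duplicate location as a fatal config error, so the frontend pod would not start in that combination. Restoring the previous `{{- if or .Values.saml.enabled .Values.oidc.enabled }}` around a single `/auth` block, with the rbac route guarded separately by `{{- if and .Values.saml.enabled .Values.saml.rbac.enabled }}`, keeps one definition per path. The enclosing `server` block and the condition wrapping the whole SSO section start outside this hunk, so the nesting of the `{{- end }}` lines on the new side should be re-checked against them.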
@@ -585,6 +543,14 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } + location = /model/savings/persistentVolumeSizing/topline { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/savings/persistentVolumeSizing/topline; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } location = /model/reports/allocation { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://aggregator/reports/allocation; 
@@ -651,25 +617,193 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - {{- end }} + location = /model/collection { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collections { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collections; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/query/total { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection/query/total; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/query/timeseries { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection/query/timeseries; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/query/complement { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection/query/complement; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/query/complement/cloud { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + 
proxy_pass http://aggregator/collection/query/complement/cloud; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/query/complement/kubernetes { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection/query/complement/kubernetes; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } - location = /model/hideOrphanedResources { - default_type 'application/json'; - {{- if .Values.kubecostFrontend.hideOrphanedResources }} - return 200 '{"hideOrphanedResources": "true"}'; - {{- else }} - return 200 '{"hideOrphanedResources": "false"}'; - {{- end }} + location = /model/collections/query/total { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collections/query/total; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - location = /model/hideDiagnostics { - default_type 'application/json'; - {{- if .Values.kubecostFrontend.hideDiagnostics }} - return 200 '{"hideDiagnostics": "true"}'; - {{- else }} - return 200 '{"hideDiagnostics": "false"}'; - {{- end }} + location = /model/collections/query/timeseries { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collections/query/timeseries; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - {{- if .Values.kubecostAggregator.cloudCost.enabled }} + location = /model/collections/query/complement { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | 
default 300 }}; + proxy_pass http://aggregator/collections/query/complement; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collections/query/complement/cloud { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collections/query/complement/cloud; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collections/query/complement/kubernetes { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collections/query/complement/kubernetes; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/collection/cache/status { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/collection/cache/status; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/networkinsights { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/networkinsights; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/networkinsights/graph { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/networkinsights/graph; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For 
$proxy_add_x_forwarded_for; + } + location = /model/rbacGroups { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/rbacGroups; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/teams { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/teams; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/team { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/team; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/users { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/users; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/user { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/user; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/debug/orchestrator { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/debug/orchestrator; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/prediction/speccost { + 
proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/prediction/speccost; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + location = /model/diagnostic/coreCount { + proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; + proxy_pass http://aggregator/diagnostic/coreCount; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + #Cloud Cost Endpoints location = /model/cloudCost/status { proxy_read_timeout {{ .Values.kubecostFrontend.timeoutSeconds | default 300 }}; proxy_pass http://cloudCost/cloudCost/status; @@ -718,7 +852,27 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } - {{- end }} +{{- end }} + location = /model/hideOrphanedResources { + default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; + {{- if .Values.kubecostFrontend.hideOrphanedResources }} + return 200 '{"hideOrphanedResources": "true"}'; + {{- else }} + return 200 '{"hideOrphanedResources": "false"}'; + {{- end }} + } + location = /model/hideDiagnostics { + default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; + {{- if .Values.kubecostFrontend.hideDiagnostics }} + return 200 '{"hideDiagnostics": "true"}'; + {{- else }} + return 200 '{"hideDiagnostics": "false"}'; + {{- end }} + } {{- if .Values.kubecostFrontend.trendsDisabled }} location /model/allocation/trends { 
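Review bot: The new pass-through routes expose `/model/debug/orchestrator`, `/model/rbacGroups`, `/model/teams`, `/model/team`, `/model/users` and `/model/user` through the public frontend with no `auth_request` or access directive in the `location` blocks, so whether these identity-management and debug endpoints require an authenticated admin rests entirely on the aggregator, which this diff cannot show. A comment above the group should record that assumption, e.g. `# user/team/rbac and debug routes rely on the aggregator to enforce authentication; nginx applies no access control here`, and the debug route in particular would be safer behind a chart value (placeholder `<debugRoutesEnabled>`) defaulting to off. Separately, every new block sets `proxy_set_header Connection ""` without `proxy_http_version 1.1;`, so the upstream connection stays at nginx's default HTTP/1.0 and is not kept alive; this matches the existing aggregator blocks in the section, so it is only worth changing for all of them together.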
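Review bot: `add_header 'Access-Control-Allow-Origin' '*' always;` paired with `'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS'` is added to the static `/model/hideOrphanedResources` and `/model/hideDiagnostics` responses here and, in `@@ -728`, `@@ -737`, `@@ -750` and `@@ -762`, to the proxied `/model/multi-cluster-diagnostics`, `/model/mcd` and `/forecasting` routes; for the proxied routes this lets any web origin read diagnostics and forecasting data cross-site, and advertising PUT/POST/DELETE on a `*` origin is far broader than the GET-only static responses need. Unless a cross-origin consumer is actually expected, drop the headers from the proxied locations or source the origin from a chart value (placeholder `<allowedOrigin>`) instead of `*`, and limit the static locations to `'GET, OPTIONS'`. Note also that an `add_header` inside a `location` suppresses the `add_header` directives inherited from the `server` level for that location, so any security headers configured higher up stop applying to these routes.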
@@ -728,8 +882,10 @@ data: location /model/multi-cluster-diagnostics-enabled { default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} - {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} return 200 '{"multi-cluster-diagnostics-enabled": "true"}'; {{- end }} {{- else }} @@ -737,9 +893,11 @@ data: {{- end }} } {{- if and .Values.diagnostics.enabled .Values.diagnostics.isDiagnosticsPrimary.enabled }} - {{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} + {{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) }} location /model/multi-cluster-diagnostics { default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; proxy_read_timeout 300; proxy_pass http://multi-cluster-diagnostics/status; proxy_redirect off; @@ -750,6 +908,8 @@ data: # simple alias for support location /model/mcd { default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; proxy_read_timeout 300; proxy_pass http://multi-cluster-diagnostics/status?window=7d; proxy_redirect off; 
@@ -762,13 +922,35 @@ data: location /model/aggregatorEnabled { default_type 'application/json'; - {{- if .Values.kubecostAggregator.enabled }} return 200 '{"aggregatorEnabled": "true"}'; - {{- else }} - return 200 '{"aggregatorEnabled": "false"}'; - {{- end }} } + {{- if .Values.forecasting.enabled }} + location /forecasting { + default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; + proxy_read_timeout 300; + proxy_pass http://forecasting/; + proxy_redirect off; + proxy_set_header Connection ""; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + {{- else }} + location /forecasting { + default_type 'application/json'; + return 405 '{"forecastingEnabled": "false"}'; + } + {{- end }} + location /model/productConfigs { + default_type 'application/json'; + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET, PUT, POST, DELETE, OPTIONS' always; + return 200 '\n + {"ssoConfigured": "{{ template "ssoEnabled" . }}"}\n + '; + } } {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-ingress-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-ingress-template.yaml index 85394080e..03fb95bd4 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-ingress-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-ingress-template.yaml 
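Review bot: `/model/aggregatorEnabled` now returns `"true"` unconditionally, although this diff still renders the aggregator upstream and its routes only when `include "aggregator.deployMethod"` is not `disabled` and agent/cloudAgent are off, so the UI is told the aggregator exists in deployments where it does not. Deriving the value from the same helper, `return 200 '{"aggregatorEnabled": "{{ ne (include "aggregator.deployMethod" .) "disabled" }}"}';`, keeps the two in step. In the disabled `/forecasting` branch, `return 405` signals a method problem for what is a feature-disabled condition; a 404 or 501 with the same JSON body reads more accurately to clients and to anyone grepping access logs.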
@@ -4,15 +4,7 @@ {{- $serviceName := include "cost-analyzer.serviceName" . -}} {{- $ingressPaths := .Values.ingress.paths -}} {{- $ingressPathType := .Values.ingress.pathType -}} -{{- $apiV1 := false -}} -{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare "^1.19-0" .Capabilities.KubeVersion.GitVersion) }} -{{- $apiV1 = true -}} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} kind: Ingress metadata: name: {{ $fullName }} @@ -46,7 +38,6 @@ spec: http: paths: {{- range $ingressPaths }} - {{- if $apiV1 }} - path: {{ . }} pathType: {{ $ingressPathType }} backend: @@ -54,12 +45,6 @@ spec: name: {{ $serviceName }} port: name: tcp-frontend - {{- else }} - - path: {{ . }} - backend: - serviceName: {{ $serviceName }} - servicePort: tcp-frontend - {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml index 8e0f1ba1c..2bfaf5bd0 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-costs-template.yaml @@ -1,6 +1,6 @@ {{- if .Values.networkCosts -}} {{- if .Values.networkCosts.enabled -}} -apiVersion: {{ include "cost-analyzer.daemonset.apiVersion" . }} +apiVersion: apps/v1 kind: DaemonSet metadata: name: {{ template "cost-analyzer.networkCostsName" . }} 
@@ -38,7 +38,11 @@ spec: serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }} containers: - name: {{ template "cost-analyzer.networkCostsName" . }} + {{- if eq (typeOf .Values.networkCosts.image) "string" }} image: {{ .Values.networkCosts.image }} + {{- else }} + image: {{ .Values.networkCosts.image.repository }}:{{ .Values.networkCosts.image.tag }} + {{- end}} {{- if .Values.networkCosts.extraArgs }} args: {{- toYaml .Values.networkCosts.extraArgs | nindent 8 }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy-template.yaml index 2cfa39c20..812956f41 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.networkPolicy -}} {{- if .Values.networkPolicy.costAnalyzer.enabled -}} kind: NetworkPolicy -apiVersion: {{ include "cost-analyzer.networkPolicy.apiVersion" . }} +apiVersion: networking.k8s.io/v1 metadata: name: {{ template "cost-analyzer.fullname" . }} {{- if .Values.networkPolicy.costAnalyzer.annotations }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml index ba58350b7..77a062e9f 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-network-policy.yaml @@ -1,6 +1,6 @@ {{- if .Values.networkPolicy -}} {{- if .Values.networkPolicy.enabled -}} -apiVersion: {{ include "cost-analyzer.networkPolicy.apiVersion" . }} +apiVersion: networking.k8s.io/v1 kind: NetworkPolicy {{- if .Values.networkPolicy.denyEgress }} metadata: 
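Review bot: When `.Values.networkCosts.image` is a map, the new branch renders `{{ .repository }}:{{ .tag }}` with no check that `tag` is set, so an omitted tag produces an image reference ending in `:` that the kubelet cannot pull, and there is no way to express a digest-pinned `repository@sha256:...` reference for this privileged daemonset. Wrapping the tag, e.g. `image: {{ .Values.networkCosts.image.repository }}:{{ required "networkCosts.image.tag is required when image is a map" .Values.networkCosts.image.tag }}`, turns that into a render-time error with a clear message; a digest field (name to be chosen) would let operators pin by content.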
diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-deployment.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-deployment.yaml deleted file mode 100644 index 57bfcfa78..000000000 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-deployment.yaml +++ /dev/null 
@@ -1,61 +0,0 @@ -{{- if .Values.remoteWrite -}} -{{- if .Values.remoteWrite.postgres -}} -{{- if .Values.remoteWrite.postgres.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "cost-analyzer.fullname" . }}-adapter - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} -spec: - selector: - matchLabels: - app: adapter - strategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 1 - type: RollingUpdate - template: - metadata: - labels: - app: adapter - spec: - {{- if .Values.remoteWrite.postgres.priorityClassName }} - priorityClassName: "{{ .Values.remoteWrite.postgres.priorityClassName }}" - {{- end }} - initContainers: - - name: kubecost-sql-init - image: {{ .Values.remoteWrite.postgres.initImage }}:prod-{{ $.Chart.AppVersion }} - {{- if .Values.remoteWrite.postgres.initImagePullPolicy }} - imagePullPolicy: {{ .Values.remoteWrite.postgres.initImagePullPolicy }} - {{- else }} - imagePullPolicy: Always - {{- end }} - env: - - name: PROMETHEUS_SERVER_ENDPOINT - valueFrom: - configMapKeyRef: - name: {{ template "cost-analyzer.fullname" . }} - key: prometheus-server-endpoint - containers: - - image: timescale/prometheus-postgresql-adapter:latest - name: pgprometheusadapter - ports: - - containerPort: 9201 - args: - {{- if .Values.remoteWrite.postgres.installLocal }} - - "-pg-host=pgprometheus" - {{- else }} - - "-pg-host={{ .Values.remoteWrite.postgres.remotePostgresAddress }}" - {{- end }} - - "-pg-prometheus-log-samples=true" - - "-pg-password={{ .Values.remoteWrite.postgres.auth.password }}" - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-service.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-service.yaml deleted file mode 100644 index cad11064b..000000000 
--- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-prometheus-postgres-adapter-service.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- if .Values.remoteWrite -}} -{{- if .Values.remoteWrite.postgres -}} -{{- if .Values.remoteWrite.postgres.enabled -}} -kind: Service -apiVersion: v1 -metadata: - name: pgprometheus-adapter - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} -spec: - selector: - app: adapter - type: ClusterIP - ports: - - name: server - port: 9201 - targetPort: 9201 -{{- end }} -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-role.template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-role.template.yaml deleted file mode 100644 index c62be765e..000000000 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-role.template.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.podSecurityPolicy }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "cost-analyzer.fullname" . }}-psp - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} - annotations: -{{- if .Values.podSecurityPolicy.annotations }} -{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} -{{- end }} -rules: -- apiGroups: ['extensions'] - resources: ['podsecuritypolicies'] - verbs: ['use'] - resourceNames: - - {{ template "cost-analyzer.fullname" . }}-psp -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-rolebinding.template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-rolebinding.template.yaml deleted file mode 100644 index 2eda00d4d..000000000 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp-rolebinding.template.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.podSecurityPolicy }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "cost-analyzer.fullname" . }}-psp - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 6 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "cost-analyzer.fullname" . }}-psp -subjects: -- kind: ServiceAccount - name: {{ template "cost-analyzer.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp.template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp.template.yaml deleted file mode 100644 index d33b9c2a6..000000000 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-psp.template.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.podSecurityPolicy }} -{{- if .Values.podSecurityPolicy.enabled }} -apiVersion: {{ include "cost-analyzer.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "cost-analyzer.fullname" . }}-psp - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 6 }} -spec: - privileged: false - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-pvc-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-pvc-template.yaml index 79e393c8e..82a9cdcd0 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-pvc-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-pvc-template.yaml 
@@ -1,7 +1,6 @@ {{- if .Values.persistentVolume -}} {{- if not .Values.persistentVolume.existingClaim -}} {{- if .Values.persistentVolume.enabled -}} -{{- if not (and .Values.kubecostDeployment.statefulSet.enabled .Values.kubecostDeployment.leaderFollower.enabled) -}} kind: PersistentVolumeClaim apiVersion: v1 metadata: @@ -32,4 +31,3 @@ spec: {{- end -}} {{- end -}} {{- end -}} -{{- end -}} diff --git a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml index 662d0122f..541c2f8d8 100644 --- a/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/cost-analyzer-service-template.yaml @@ -42,19 +42,10 @@ spec: port: {{ .Values.service.port }} targetPort: {{ .Values.service.targetPort }} {{- end }} - {{- if .Values.saml }} - {{- if .Values.saml.enabled }} + {{- if or .Values.saml.enabled .Values.oidc.enabled}} - name: apiserver - port: 9004 - targetPort: 9004 - {{- end }} - {{- end }} - {{- if .Values.oidc }} - {{- if .Values.oidc.enabled }} - - name: apiserver - port: 9004 - targetPort: 9004 - {{- end }} + port: 9007 + targetPort: 9007 {{- end }} {{- if .Values.service.sessionAffinity.enabled }} sessionAffinity: ClientIP diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml index 5a5ae3cbf..a40833340 100644 --- a/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-deployment.yaml 
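Review bot: The `apiserver` Service port changes from 9004 to 9007, while the nginx config in this same diff sends the SSO paths to the `aggregator` upstream on 9004 and uses 9007 for `multi-cluster-diagnostics`; if the container behind this Service still listens on 9004, SAML/OIDC traffic reaching it through `apiserver` will fail to connect. Confirm the intended listener and add a comment naming it, e.g. `# 9007: <component> SSO/API listener`, so the port is not confused with the diagnostics port. Dropping the `{{- if .Values.saml }}` / `{{- if .Values.oidc }}` nil guards also means a values file that sets `saml: null` or `oidc: null` will likely fail to render on `.enabled`; acceptable only if the chart defaults always define both maps.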
@@ -1,5 +1,5 @@ {{- if .Values.diagnostics.enabled }} -{{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} +{{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} {{- if eq .Values.prometheus.server.global.external_labels.cluster_id "cluster-one" }} {{- fail "Error: The 'cluster_id' is set to default 'cluster-one'. Please update so that the diagnostics service can uniquely identify data coming from this cluster." }} @@ -42,18 +42,10 @@ spec: serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }} volumes: {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: federated-storage-config - secret: - defaultMode: 420 - secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret }} - {{- else if .Values.global.thanos.enabled }} - name: federated-storage-config secret: defaultMode: 420 - secretName: {{ .Values.thanos.storeSecretName }} - items: - - key: object-store.yaml - path: federated-store.yaml + secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret }} {{- end }} - name: config-db {{- /* #TODO: make pv? */}} @@ -62,12 +54,12 @@ spec: - name: diagnostics args: ["diagnostics"] {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.openSourceOnly }} - image: quay.io/kubecost1/kubecost-cost-model:{{ .Values.imageVersion }} - {{- else if .Values.kubecostModel.fullImageName }} + {{- if .Values.kubecostModel.fullImageName }} image: {{ .Values.kubecostModel.fullImageName }} {{- else if .Values.imageVersion }} image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + image: gcr.io/kubecost1/cost-model-nightly:latest {{- else }} image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} {{- end }} @@ -179,4 +171,4 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} 
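Review bot: The new `{{- else if eq "development" .Chart.AppVersion }}` branch in `@@ -62` pins the diagnostics container to `gcr.io/kubecost1/cost-model-nightly:latest` (and `@@ -47` of `etl-utils-deployment.yaml` does the same), a floating tag that changes underneath the deployment between pulls, so a development chart renders a non-reproducible image with no digest. If the nightly branch is needed, a comment such as `# development builds track the nightly image by floating tag; not for production installs` should sit above it, and routing through the existing `kubecostModel.fullImageName` branch (which already precedes it) keeps the registry path out of the template. The volume change is consistent: `federated-storage-config` now comes only from `kubecostModel.federatedStorageConfigSecret`, matching the top-of-file guard that requires it to be non-empty.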
diff --git a/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml index ae3937cec..04a3e9ef3 100644 --- a/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml +++ b/charts/kubecost/cost-analyzer/templates/diagnostics-service.yaml @@ -1,6 +1,6 @@ {{- if .Values.diagnostics.isDiagnosticsPrimary.enabled }} {{- if .Values.diagnostics.enabled }} -{{- if or .Values.global.thanos.enabled (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} +{{- if (not (empty .Values.kubecostModel.federatedStorageConfigSecret )) -}} apiVersion: v1 kind: Service metadata: diff --git a/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml b/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml index 9e5b5b2cd..fd539c971 100644 --- a/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/etl-utils-deployment.yaml @@ -6,12 +6,16 @@ metadata: name: {{ template "etlUtils.fullname" . }} namespace: {{ .Release.Namespace }} labels: - {{ include "etlUtils.commonLabels" . | nindent 4 }} + {{- include "etlUtils.commonLabels" . | nindent 4 }} + {{- with .Values.global.podAnnotations}} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: 1 selector: matchLabels: - {{ include "etlUtils.selectorLabels" . | nindent 6 }} + {{- include "etlUtils.selectorLabels" . | nindent 6 }} strategy: type: Recreate template: @@ -47,6 +51,8 @@ spec: image: {{ .Values.kubecostModel.fullImageName }} {{- else if .Values.imageVersion }} image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + image: gcr.io/kubecost1/cost-model-nightly:latest {{- else }} image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} {{ end }} 
diff --git a/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml deleted file mode 100644 index f77726770..000000000 --- a/charts/kubecost/cost-analyzer/templates/federator-deployment-template.yaml +++ /dev/null 
@@ -1,143 +0,0 @@ -{{- if .Values.federatedETL.useExistingS3Config -}} -{{- fail "ERROR: You are using a deprecated configuration `.Values.federatedETL.useExistingS3Config`. Please use `.Values.kubecostModel.federatedStorageConfigSecret` instead." -}} -{{- end -}} - -{{- if and (.Values.federatedETL.federator) (.Values.federatedETL.federator.enabled) }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "federator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "federator.commonLabels" . | nindent 4 }} -spec: - replicas: 1 - selector: - matchLabels: - {{- include "federator.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "federator.selectorLabels" . | nindent 8 }} - {{- with .Values.global.podAnnotations}} - annotations: - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - {{- if and .Values.global.platforms.openshift.enabled .Values.global.platforms.openshift.securityContext }} - securityContext: - {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} - {{- else if .Values.global.securityContext }} - securityContext: - {{- toYaml .Values.global.securityContext | nindent 8 }} - {{- end }} - containers: - - name: federator - {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.fullImageName }} - image: {{ .Values.kubecostModel.fullImageName }} - {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} - {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} - {{- end }} - {{- else }} - image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} - {{- end }} - imagePullPolicy: Always - {{- if .Values.global.containerSecurityContext }} - securityContext: - {{- toYaml .Values.global.containerSecurityContext | nindent 12 -}} - {{- end }} - args: ["federator"] - ports: - - name: tcp-model - containerPort: 9001 - protocol: TCP - volumeMounts: - - name: federator-config - 
mountPath: /var/configs/federator - {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: federated-storage-config - mountPath: /var/configs/etl/federated - readOnly: true - {{- end }} - {{- if .Values.federatedETL.federator.extraVolumeMounts }} - {{- toYaml .Values.federatedETL.federator.extraVolumeMounts | nindent 12 }} - {{- end }} - readinessProbe: - httpGet: - path: /healthz - port: 9001 - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 200 - resources: - {{- toYaml .Values.federatedETL.federator.resources | nindent 12 }} - env: - - name: CONFIG_PATH - value: /var/configs/ - - name: DB_PATH - value: /var/db/ - {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: FEDERATED_STORE_CONFIG - value: "/var/configs/etl/federated/federated-store.yaml" - {{- end }} - {{- if .Values.federatedETL.federator.extraEnv }} - {{- toYaml .Values.federatedETL.federator.extraEnv | nindent 12 }} - {{- end }} - {{- if .Values.systemProxy.enabled }} - - name: HTTP_PROXY - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: http_proxy - value: {{ .Values.systemProxy.httpProxyUrl }} - - name: HTTPS_PROXY - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: https_proxy - value: {{ .Values.systemProxy.httpsProxyUrl }} - - name: NO_PROXY - value: {{ .Values.systemProxy.noProxy }} - - name: no_proxy - value: {{ .Values.systemProxy.noProxy }} - {{- end }} - restartPolicy: Always - serviceAccountName: {{ template "cost-analyzer.serviceAccountName" . }} - volumes: - - name: federator-config - configMap: - name: {{ template "cost-analyzer.fullname" . 
}}-federator - {{- if .Values.kubecostModel.federatedStorageConfigSecret }} - - name: federated-storage-config - secret: - defaultMode: 420 - secretName: {{ .Values.kubecostModel.federatedStorageConfigSecret }} - {{- end }} - {{- if .Values.federatedETL.federator.extraVolumes }} - {{- toYaml .Values.federatedETL.federator.extraVolumes | nindent 8 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.federatedETL.federator.priority }} - {{- if .Values.federatedETL.federator.priority.enabled }} - {{- if .Values.federatedETL.federator.priority.name }} - priorityClassName: {{ .Values.federatedETL.federator.priority.name }} - {{- else }} - priorityClassName: {{ template "federator.fullname" . }}-priority - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.federatedETL.federator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.federatedETL.federator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.federatedETL.federator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml new file mode 100644 index 000000000..a277a03a3 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/forecasting-deployment.yaml 
@@ -0,0 +1,131 @@ +{{- if and .Values.forecasting.enabled (not .Values.federatedETL.agentOnly) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "forecasting.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "forecasting.commonLabels" . | nindent 4 }} + {{- with .Values.global.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "forecasting.selectorLabels" . | nindent 6 }} + strategy: + type: RollingUpdate + template: + metadata: + labels: + app.kubernetes.io/name: forecasting + app.kubernetes.io/instance: {{ .Release.Name }} + app: forecasting + {{- with .Values.global.podAnnotations}} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + automountServiceAccountToken: false + {{- if .Values.global.platforms.openshift.enabled }} + securityContext: + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} + securityContext: + {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- else }} + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + {{- end }} + restartPolicy: Always + containers: + - name: forecasting + {{- if .Values.forecasting.fullImageName }} + image: {{ .Values.forecasting.fullImageName }} + {{- else }} + image: gcr.io/kubecost1/kubecost-modeling:prod-{{ $.Chart.AppVersion }} + {{ end }} + {{- if .Values.forecasting.readinessProbe.enabled }} + volumeMounts: + - name: tmp + {{- /* In the future, this path should be configurable and not under tmp */}} + mountPath: /tmp + securityContext: + {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + imagePullPolicy: Always + ports: + - name: tcp-api + containerPort: 5000 + protocol: TCP + {{- with .Values.forecasting.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: CONFIG_PATH + value: /var/configs/ + - name: KCM_BASE_URL + value: http://{{ template "cost-analyzer.serviceName" . }}:9090/model + - name: MODEL_STORAGE_PATH + value: "/tmp/localrun/models" + {{- range $key, $value := .Values.forecasting.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + readinessProbe: + httpGet: + path: /healthz + port: 5000 + initialDelaySeconds: {{ .Values.forecasting.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.forecasting.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.forecasting.readinessProbe.failureThreshold }} + {{- end }} + {{- if .Values.forecasting.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: 5000 + initialDelaySeconds: {{ .Values.forecasting.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.forecasting.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.forecasting.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.forecasting.priority }} + {{- if .Values.forecasting.priority.enabled }} + {{- if .Values.forecasting.priority.name }} + priorityClassName: {{ .Values.forecasting.priority.name }} + {{- else }} + priorityClassName: {{ template "forecasting.fullname" . }}-priority + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.forecasting.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.forecasting.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.forecasting.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tmp + {{- /* + An emptyDir for models is necessary because of the + readOnlyRootFilesystem default In the future, this may optionally be a + PV. 
To allow Python to auto-detect a temp directory, which the code + currently relies on, we mount it at /tmp. In the future this will be a + configurable path. + */}} + emptyDir: + sizeLimit: 500Mi +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/forecasting-service.yaml b/charts/kubecost/cost-analyzer/templates/forecasting-service.yaml new file mode 100644 index 000000000..41e69961e --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/forecasting-service.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.forecasting.enabled (not .Values.federatedETL.agentOnly) }} +kind: Service +apiVersion: v1 +metadata: + name: {{ template "forecasting.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "forecasting.commonLabels" . | nindent 4 }} +spec: + selector: + {{- include "forecasting.selectorLabels" . | nindent 4 }} + type: ClusterIP + ports: + - name: tcp-api + port: 5000 + targetPort: 5000 +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml index dc6b36f44..2c2dee9b0 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-attached-disk-metrics-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: 
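Review bot: In forecasting-deployment.yaml the `{{- if .Values.forecasting.readinessProbe.enabled }}` guard opens before `volumeMounts:` and its matching `{{- end }}` comes after the `readinessProbe:` block, so disabling the readiness probe also drops the container's `volumeMounts`, `securityContext`, `imagePullPolicy`, `ports`, `resources` and `env`, while the `tmp` volume is still declared below. That silently removes `global.containerSecurityContext` from the pod for anyone who turns the probe off. Delete the `{{- if ... readinessProbe.enabled }}` line where it stands and place `{{- if .Values.forecasting.readinessProbe.enabled }}` directly before `readinessProbe:`; the existing `{{- end }}` can stay where it is. Separately, the `{{ end }}` closing the image `else` branch lacks the trim dash and emits a blank line, unlike the rest of the template.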
@@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrole.yaml b/charts/kubecost/cost-analyzer/templates/grafana-clusterrole.yaml similarity index 65% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrole.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-clusterrole.yaml index d49193651..ca1666823 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrole.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-clusterrole.yaml @@ -1,19 +1,18 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.rbac.create }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if .Values.grafana.rbac.create }} kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- with .Values.annotations }} +{{- with .Values.grafana.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} name: {{ template "grafana.fullname" . }}-clusterrole -{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} +{{- if or .Values.grafana.sidecar.dashboards.enabled .Values.grafana.sidecar.datasources.enabled }} rules: - apiGroups: [""] # "" indicates the core API group resources: ["configmaps"] 
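Review bot: The dashboard label value is now `"{{ $.Values.grafana.sidecar.dashboards.labelValue }}"`, which renders as `""` when `labelValue` is absent from the values, whereas the previous template always emitted `"1"`; whether an empty value still matches the sidecar's label filter depends on a values.yaml default that is not part of this diff. A `default` would preserve the old behavior for users who override only `label`: `{{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue | default "1" }}"`. The identical line is changed in the grafana-dashboard-*-template.yaml hunks later in this diff (cluster-metrics, cluster-utilization, deployment-utilization, kubernetes-resource-efficiency, label-cost-utilization, namespace-utilization, node-utilization, pod-utilization, prometheus-metrics), so the same fix applies there.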
diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/templates/grafana-clusterrolebinding.yaml similarity index 80% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrolebinding.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-clusterrolebinding.yaml index 99dada9f4..4fc7267f3 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/clusterrolebinding.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-clusterrolebinding.yaml @@ -1,15 +1,14 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.rbac.create }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if .Values.grafana.rbac.create }} kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: {{ template "grafana.fullname" . }}-clusterrolebinding labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- with .Values.annotations }} +{{- with .Values.grafana.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/kubecost/cost-analyzer/templates/grafana-configmap-dashboard-provider.yaml similarity index 69% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/configmap-dashboard-provider.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-configmap-dashboard-provider.yaml index 9b75d5a54..78c7717be 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/configmap-dashboard-provider.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-configmap-dashboard-provider.yaml 
@@ -1,14 +1,13 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.sidecar.dashboards.enabled }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if .Values.grafana.sidecar.dashboards.enabled }} apiVersion: v1 kind: ConfigMap metadata: labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- with .Values.annotations }} +{{- with .Values.grafana.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} @@ -24,6 +23,6 @@ data: type: file disableDeletion: false options: - path: {{ .Values.sidecar.dashboards.folder }} + path: {{ .Values.grafana.sidecar.dashboards.folder }} {{- end}} {{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/configmap.yaml b/charts/kubecost/cost-analyzer/templates/grafana-configmap.yaml similarity index 67% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/configmap.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-configmap.yaml index f6a54c281..04d614667 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-configmap.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.grafana.enabled }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} apiVersion: v1 kind: ConfigMap metadata: 
@@ -6,43 +6,31 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} data: -{{- if .Values.plugins }} - plugins: {{ join "," .Values.plugins }} +{{- if .Values.grafana.plugins }} + plugins: {{ join "," .Values.grafana.plugins }} {{- end }} grafana.ini: | -{{- range $key, $value := index .Values "grafana.ini" }} +{{- range $key, $value := index .Values.grafana "grafana.ini" }} [{{ $key }}] {{- range $elem, $elemVal := $value }} {{ $elem }} = {{ $elemVal }} {{- end }} {{- end }} -{{- if .Values.datasources }} - {{- range $key, $value := .Values.datasources }} +{{- if .Values.grafana.datasources }} + {{- range $key, $value := .Values.grafana.datasources }} {{ $key }}: | {{ toYaml $value | trim | indent 4 }} {{- end -}} {{- end }} -{{- if not .Values.datasources }} +{{- if not .Values.grafana.datasources }} datasources.yaml: | apiVersion: 1 datasources: -{{- if .Values.global.thanos.enabled }} - - access: proxy - isDefault: true - name: Thanos - type: prometheus - url: http://{{ .Release.Name }}-thanos-query-frontend-http.{{ .Release.Namespace }}:10902 - jsonData: - timeInterval: 1m - prometheusType: Thanos - prometheusVersion: 0.29.0 - httpMethod: POST -{{- else if .Values.global.prometheus.enabled }} +{{- if .Values.global.prometheus.enabled }} - access: proxy isDefault: true name: Prometheus 
@@ -66,26 +54,26 @@ data: timeInterval: 1m {{- end -}} {{- end }} -{{- if .Values.dashboardProviders }} - {{- range $key, $value := .Values.dashboardProviders }} +{{- if .Values.grafana.dashboardProviders }} + {{- range $key, $value := .Values.grafana.dashboardProviders }} {{ $key }}: | {{ toYaml $value | indent 4 }} {{- end -}} {{- end -}} -{{- if .Values.dashboards }} +{{- if .Values.grafana.dashboards }} download_dashboards.sh: | #!/usr/bin/env sh set -euf - {{- if .Values.dashboardProviders }} - {{- range $key, $value := .Values.dashboardProviders }} + {{- if .Values.grafana.dashboardProviders }} + {{- range $key, $value := .Values.grafana.dashboardProviders }} {{- range $value.providers }} mkdir -p {{ .options.path }} {{- end }} {{- end }} {{- end }} - {{- range $provider, $dashboards := .Values.dashboards }} + {{- range $provider, $dashboards := .Values.grafana.dashboards }} {{- range $key, $value := $dashboards }} {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} curl -sk \ diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml index 640b6bd31..1f6dce16e 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-metrics-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: 
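Review bot: `download_dashboards.sh` still fetches every dashboard declared by `gnetId` or `url` under `.Values.grafana.dashboards` with `curl -sk`, so TLS certificate verification is disabled for content that is then loaded into Grafana; the `-k` is pre-existing context, but this commit moves the script into the parent chart's own template. Dropping `-k` would restore verification, and the `set -euf` above already makes a failed download abort the init container rather than silently skipping a dashboard. The script body continues past the end of the hunk.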
@@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml index 3b12e5f09..c071de7c5 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-cluster-utilization-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml index 644a8ea6c..7ce9c892a 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-deployment-utilization-template.yaml 
@@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml index 719fae54b..2b0c16149 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-kubernetes-resource-efficiency-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} 
diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml index 6ba7163fd..c9c4e79e0 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-label-cost-utilization-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml index 33524b7a6..76a2a4c89 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-namespace-utilization-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: 
@@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml index aafed64fb..b7d94e211 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-node-utilization-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml index 8058c4cc9..8bd3e0d34 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-pod-utilization-template.yaml 
@@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml index bee726f29..876221e43 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboard-prometheus-metrics-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml similarity index 73% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/dashboards-json-configmap.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml index b4f901c2e..c4ad251ce 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/dashboards-json-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-dashboards-json-configmap.yaml @@ -1,6 +1,6 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.dashboards }} - {{- range $provider, $dashboards := .Values.dashboards }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if .Values.grafana.dashboards }} + {{- range $provider, $dashboards := .Values.grafana.dashboards }} --- apiVersion: v1 kind: ConfigMap @@ -9,7 +9,6 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" $ }} - chart: {{ template "grafana.chart" $ }} release: {{ $.Release.Name }} heritage: {{ $.Release.Service }} dashboard-provider: {{ $provider }} @@ -22,4 +21,4 @@ data: {{- end }} {{- end }} {{- end }} -{{ end }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-datasource-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-datasource-template.yaml index d92a95023..ba4ecea8c 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-datasource-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-datasource-template.yaml 
@@ -32,24 +32,6 @@ data: {{- else }} isDefault: false {{- end }} -{{- if .Values.global.thanos }} -{{- if .Values.global.thanos.enabled }} -{{- if .Values.global.prometheus.enabled }} - url: http://{{ .Release.Name }}-thanos-query-http.{{ .Release.Namespace }}:{{ .Values.thanos.query.http.port }} -{{- else }} - url: {{ .Values.global.thanos.queryService }} -{{- end }} - - access: proxy - name: {{ default "Prometheus" .Values.grafana.sidecar.datasources.dataSourceName}} - isDefault: false - type: prometheus -{{- end }} -{{- if .Values.global.prometheus.enabled }} - url: http://{{ template "cost-analyzer.prometheus.server.name" . }}.{{ .Release.Namespace }} -{{- else }} - url: {{ .Values.global.prometheus.fqdn }} -{{- end }} -{{- end }} {{- end -}} {{- end -}} {{- end -}} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml b/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml similarity index 62% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml index 1ece09a5a..4f11b6194 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/deployment.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-deployment.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.grafana.enabled }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} apiVersion: apps/v1 kind: Deployment metadata: 
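Review bot: The deleted block held the only `url:` assignments visible for this datasource entry, including the non-Thanos branch `url: http://{{ template "cost-analyzer.prometheus.server.name" . }}.{{ .Release.Namespace }}` / `url: {{ .Values.global.prometheus.fqdn }}`, and after the change the hunk ends at `isDefault: false` with no `url:` following. Unless the lines above this hunk already set the endpoint, the rendered Prometheus datasource has no URL. If only the Thanos branches were meant to go, keeping the `{{- if .Values.global.prometheus.enabled }} … {{- else }} … {{- end }}` pair outside the removed `.Values.global.thanos` guard would preserve it. The datasource entry starts above the hunk, so this is inferred from the visible lines only.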
@@ -6,22 +6,21 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} -{{- with .Values.annotations }} +{{- with .Values.grafana.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} spec: - replicas: {{ .Values.replicas }} + replicas: {{ .Values.grafana.replicas }} selector: matchLabels: app: {{ template "grafana.name" . }} release: {{ .Release.Name }} strategy: - type: {{ .Values.deploymentStrategy }} - {{- if ne .Values.deploymentStrategy "RollingUpdate" }} + type: {{ .Values.grafana.deploymentStrategy }} + {{- if ne .Values.grafana.deploymentStrategy "RollingUpdate" }} rollingUpdate: null {{- end }} template: @@ -32,18 +31,18 @@ spec: {{- if .Values.global.additionalLabels }} {{ toYaml .Values.global.additionalLabels | nindent 8 }} {{- end }} - {{- with .Values.podAnnotations }} + {{- with .Values.grafana.podAnnotations }} annotations: {{ toYaml . | indent 8 }} {{- end }} spec: serviceAccountName: {{ template "grafana.serviceAccountName" . }} - {{- if .Values.schedulerName }} - schedulerName: "{{ .Values.schedulerName }}" + {{- if .Values.grafana.schedulerName }} + schedulerName: "{{ .Values.grafana.schedulerName }}" {{- end }} - {{- if .Values.securityContext }} + {{- if .Values.grafana.securityContext }} securityContext: - {{- toYaml .Values.securityContext | nindent 8 }} + {{- toYaml .Values.grafana.securityContext | nindent 8 }} {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} securityContext: {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} 
@@ -51,14 +50,14 @@ spec: securityContext: {{- toYaml .Values.global.securityContext | nindent 8 }} {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: "{{ .Values.priorityClassName }}" + {{- if .Values.grafana.priorityClassName }} + priorityClassName: "{{ .Values.grafana.priorityClassName }}" {{- end }} - {{- if .Values.dashboards }} + {{- if .Values.grafana.dashboards }} initContainers: - name: download-dashboards - image: "{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}" - imagePullPolicy: {{ .Values.downloadDashboardsImage.pullPolicy }} + image: "{{ .Values.grafana.downloadDashboardsImage.repository }}:{{ .Values.grafana.downloadDashboardsImage.tag }}" + imagePullPolicy: {{ .Values.grafana.downloadDashboardsImage.pullPolicy }} command: ["sh", "/etc/grafana/download_dashboards.sh"] {{- with .Values.global.containerSecurityContext }} securityContext: 
@@ -70,69 +69,69 @@ spec: subPath: download_dashboards.sh - name: storage mountPath: "/var/lib/grafana" - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} + {{- if .Values.grafana.persistence.subPath }} + subPath: {{ .Values.grafana.persistence.subPath }} {{- end }} - {{- range .Values.extraSecretMounts }} + {{- range .Values.grafana.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} {{- end }} {{- end }} - {{- if .Values.image.pullSecrets }} + {{- if .Values.grafana.image.pullSecrets }} imagePullSecrets: - {{- range .Values.image.pullSecrets }} + {{- range .Values.grafana.image.pullSecrets }} - name: {{ . }} {{- end}} {{- end }} containers: - {{- if .Values.sidecar.dashboards.enabled }} + {{- if .Values.grafana.sidecar.dashboards.enabled }} - name: {{ template "grafana.name" . }}-sc-dashboard - image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" - imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} + image: "{{ .Values.grafana.sidecar.image.repository }}:{{ .Values.grafana.sidecar.image.tag }}" + imagePullPolicy: {{ .Values.grafana.sidecar.image.pullPolicy }} {{- if .Values.global.containerSecurityContext }} securityContext: {{- toYaml .Values.global.containerSecurityContext | nindent 12 -}} {{- end }} env: - name: LABEL - value: "{{ .Values.sidecar.dashboards.label }}" + value: "{{ .Values.grafana.sidecar.dashboards.label }}" - name: FOLDER - value: "{{ .Values.sidecar.dashboards.folder }}" + value: "{{ .Values.grafana.sidecar.dashboards.folder }}" - name: ERROR_THROTTLE_SLEEP - value: "{{ .Values.sidecar.dashboards.error_throttle_sleep }}" - {{- with .Values.sidecar.resources }} + value: "{{ .Values.grafana.sidecar.dashboards.error_throttle_sleep }}" + {{- with .Values.grafana.sidecar.resources }} resources: {{- toYaml . 
| nindent 12 }} {{- end }} volumeMounts: - name: sc-dashboard-volume - mountPath: {{ .Values.sidecar.dashboards.folder | quote }} + mountPath: {{ .Values.grafana.sidecar.dashboards.folder | quote }} {{- end}} - {{- if .Values.sidecar.datasources.enabled }} + {{- if .Values.grafana.sidecar.datasources.enabled }} - name: {{ template "grafana.name" . }}-sc-datasources - image: "{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" - imagePullPolicy: {{ .Values.sidecar.image.pullPolicy }} + image: "{{ .Values.grafana.sidecar.image.repository }}:{{ .Values.grafana.sidecar.image.tag }}" + imagePullPolicy: {{ .Values.grafana.sidecar.image.pullPolicy }} {{- with .Values.global.containerSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} {{- end }} env: - name: LABEL - value: "{{ .Values.sidecar.datasources.label }}" + value: "{{ .Values.grafana.sidecar.datasources.label }}" - name: FOLDER value: "/etc/grafana/provisioning/datasources" - name: ERROR_THROTTLE_SLEEP - value: "{{ .Values.sidecar.datasources.error_throttle_sleep }}" + value: "{{ .Values.grafana.sidecar.datasources.error_throttle_sleep }}" resources: - {{ toYaml .Values.sidecar.resources | indent 12 }} + {{ toYaml .Values.grafana.sidecar.resources | indent 12 }} volumeMounts: - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" {{- end}} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} + - name: grafana + image: "{{ .Values.grafana.image.repository }}:{{ .Values.grafana.image.tag }}" + imagePullPolicy: {{ .Values.grafana.image.pullPolicy }} {{- with .Values.global.containerSecurityContext }} securityContext: {{- toYaml . | nindent 12 }} 
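Review bot: The two sidecars now emit `sidecar.resources` differently: the dashboards sidecar wraps it in `{{- with .Values.grafana.sidecar.resources }}`, while the datasources sidecar writes `resources:` unconditionally followed by `{{ toYaml .Values.grafana.sidecar.resources | indent 12 }}`, which renders `resources: null` when the value is unset. Since both lines were re-pathed in this hunk, the datasources one can take the same `with` guard so the two containers behave identically. The grafana container's block that starts at `- name: grafana` continues past the end of the hunk.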
@@ -144,8 +143,8 @@ spec: - name: ldap mountPath: "/etc/grafana/ldap.toml" subPath: ldap.toml -{{- if .Values.dashboards }} - {{- range $provider, $dashboards := .Values.dashboards }} +{{- if .Values.grafana.dashboards }} + {{- range $provider, $dashboards := .Values.grafana.dashboards }} {{- range $key, $value := $dashboards }} {{- if hasKey $value "json" }} - name: dashboards-{{ $provider }} 
@@ -155,46 +154,46 @@ spec: {{- end }} {{- end }} {{- end -}} -{{- if .Values.dashboardsConfigMaps }} - {{- range keys .Values.dashboardsConfigMaps }} +{{- if .Values.grafana.dashboardsConfigMaps }} + {{- range keys .Values.grafana.dashboardsConfigMaps }} - name: dashboards-{{ . }} mountPath: "/var/lib/grafana/dashboards/{{ . }}" {{- end }} {{- end }} -{{- if or .Values.datasources .Values.global.grafana.enabled }} +{{- if or (.Values.grafana.datasources) (include "cost-analyzer.grafanaEnabled" .) }} - name: config mountPath: "/etc/grafana/provisioning/datasources/datasources.yaml" subPath: datasources.yaml {{- end }} -{{- if .Values.dashboardProviders }} +{{- if .Values.grafana.dashboardProviders }} - name: config mountPath: "/etc/grafana/provisioning/dashboards/dashboardproviders.yaml" subPath: dashboardproviders.yaml {{- end }} -{{- if .Values.sidecar.dashboards.enabled }} +{{- if .Values.grafana.sidecar.dashboards.enabled }} - name: sc-dashboard-volume - mountPath: {{ .Values.sidecar.dashboards.folder | quote }} + mountPath: {{ .Values.grafana.sidecar.dashboards.folder | quote }} - name: sc-dashboard-provider mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml" subPath: provider.yaml {{- end}} -{{- if .Values.sidecar.datasources.enabled }} +{{- if .Values.grafana.sidecar.datasources.enabled }} - name: sc-datasources-volume mountPath: "/etc/grafana/provisioning/datasources" {{- end}} - name: storage mountPath: "/var/lib/grafana" - {{- if .Values.persistence.subPath }} - subPath: {{ .Values.persistence.subPath }} + {{- if .Values.grafana.persistence.subPath }} + subPath: {{ .Values.grafana.persistence.subPath }} {{- end }} - {{- range .Values.extraSecretMounts }} + {{- range .Values.grafana.extraSecretMounts }} - name: {{ .name }} mountPath: {{ .mountPath }} readOnly: {{ .readOnly }} {{- end }} ports: - name: service - containerPort: {{ .Values.service.port }} + containerPort: {{ .Values.grafana.service.port }} protocol: TCP - name: 
grafana containerPort: 3000 @@ -210,49 +209,49 @@ spec: secretKeyRef: name: {{ template "grafana.fullname" . }} key: admin-password - {{- if .Values.plugins }} + {{- if .Values.grafana.plugins }} - name: GF_INSTALL_PLUGINS valueFrom: configMapKeyRef: name: {{ template "grafana.fullname" . }} key: plugins {{- end }} - {{- if .Values.smtp.existingSecret }} + {{- if .Values.grafana.smtp.existingSecret }} - name: GF_SMTP_USER valueFrom: secretKeyRef: - name: {{ .Values.smtp.existingSecret }} + name: {{ .Values.grafana.smtp.existingSecret }} key: user - name: GF_SMTP_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.smtp.existingSecret }} + name: {{ .Values.grafana.smtp.existingSecret }} key: password {{- end }} -{{- range $key, $value := .Values.env }} +{{- range $key, $value := .Values.grafana.env }} - name: "{{ $key }}" value: "{{ $value }}" {{- end }} - {{- if .Values.envFromSecret }} + {{- if .Values.grafana.envFromSecret }} envFrom: - secretRef: - name: {{ .Values.envFromSecret }} + name: {{ .Values.grafana.envFromSecret }} {{- end }} livenessProbe: -{{ toYaml .Values.livenessProbe | indent 12 }} +{{ toYaml .Values.grafana.livenessProbe | indent 12 }} readinessProbe: -{{ toYaml .Values.readinessProbe | indent 12 }} +{{ toYaml .Values.grafana.readinessProbe | indent 12 }} resources: -{{ toYaml .Values.resources | indent 12 }} - {{- with .Values.nodeSelector }} +{{ toYaml .Values.grafana.resources | indent 12 }} + {{- with .Values.grafana.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.affinity }} + {{- with .Values.grafana.affinity }} affinity: {{ toYaml . | indent 8 }} {{- end }} - {{- with .Values.tolerations }} + {{- with .Values.grafana.tolerations }} tolerations: {{ toYaml . | indent 8 }} {{- end }} 
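Review bot: `{{- if or (.Values.grafana.datasources) (include "cost-analyzer.grafanaEnabled" .) }}` uses the helper's output as a boolean, but `include` returns a string and any non-empty string — "false" included — is truthy in Go templates, so the condition is always true. Every other site in this commit compares the result with `eq (...) "true"`; this one should match: `{{- if or (.Values.grafana.datasources) (eq (include "cost-analyzer.grafanaEnabled" .) "true") }}`. The effect is masked here only because the whole file already sits under the `"true"` guard, so the inconsistency is harmless today but misleading if copied.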
@@ -260,15 +259,15 @@ spec: - name: config configMap: name: {{ template "grafana.fullname" . }} - {{- if .Values.dashboards }} - {{- range keys .Values.dashboards }} + {{- if .Values.grafana.dashboards }} + {{- range keys .Values.grafana.dashboards }} - name: dashboards-{{ . }} configMap: name: {{ template "grafana.fullname" $ }}-dashboards-{{ . }} {{- end }} {{- end }} - {{- if .Values.dashboardsConfigMaps }} - {{- range $provider, $name := .Values.dashboardsConfigMaps }} + {{- if .Values.grafana.dashboardsConfigMaps }} + {{- range $provider, $name := .Values.grafana.dashboardsConfigMaps }} - name: dashboards-{{ $provider }} configMap: name: {{ $name }} @@ -276,8 +275,8 @@ spec: {{- end }} - name: ldap secret: - {{- if .Values.ldap.existingSecret }} - secretName: {{ .Values.ldap.existingSecret }} + {{- if .Values.grafana.ldap.existingSecret }} + secretName: {{ .Values.grafana.ldap.existingSecret }} {{- else }} secretName: {{ template "grafana.fullname" . }} {{- end }} @@ -285,24 +284,24 @@ spec: - key: ldap-toml path: ldap.toml - name: storage - {{- if .Values.persistence.enabled }} + {{- if .Values.grafana.persistence.enabled }} persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (include "grafana.fullname" .) }} + claimName: {{ .Values.grafana.persistence.existingClaim | default (include "grafana.fullname" .) }} {{- else }} emptyDir: {} {{- end -}} - {{- if .Values.sidecar.dashboards.enabled }} + {{- if .Values.grafana.sidecar.dashboards.enabled }} - name: sc-dashboard-volume emptyDir: {} - name: sc-dashboard-provider configMap: name: {{ template "grafana.fullname" . }}-config-dashboards {{- end }} - {{- if .Values.sidecar.datasources.enabled }} + {{- if .Values.grafana.sidecar.datasources.enabled }} - name: sc-datasources-volume emptyDir: {} {{- end -}} - {{- range .Values.extraSecretMounts }} + {{- range .Values.grafana.extraSecretMounts }} - name: {{ .name }} secret: secretName: {{ .secretName }} 
diff --git a/charts/kubecost/cost-analyzer/templates/grafana-ingress.yaml b/charts/kubecost/cost-analyzer/templates/grafana-ingress.yaml new file mode 100644 index 000000000..da2038170 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/grafana-ingress.yaml @@ -0,0 +1,47 @@ +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if .Values.grafana.ingress.enabled -}} +{{- $fullName := include "grafana.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.grafana.ingress.labels }} +{{ toYaml .Values.grafana.ingress.labels | indent 4 }} +{{- end }} +{{- with .Values.grafana.ingress.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if .Values.grafana.ingress.tls }} + tls: + {{- range .Values.grafana.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.grafana.ingress.hosts }} + - host: {{ . }} + http: + paths: + - path: {{ $ingressPath }} + pathType: {{ $.Values.grafana.ingress.pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- end }} +{{- end }} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml index 828bfa964..1dd36e393 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-networkcosts-metrics-template.yaml 
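Review bot: `{{- $servicePort := .Values.service.port -}}` and `{{- $ingressPath := .Values.ingress.path -}}` read the top-level `service` and `ingress` keys, while every other value in this new file — and the Service template added in this commit — lives under `.Values.grafana.*` (`.Values.grafana.service.port`, `.Values.grafana.ingress.pathType`). In the parent chart those top-level keys are presumably unrelated or absent, so the rendered Ingress would carry an empty or wrong backend port and path. Suggest `{{- $servicePort := .Values.grafana.service.port -}}` and `{{- $ingressPath := .Values.grafana.ingress.path -}}`. Also `- host: {{ . }}` emits the host unquoted; `{{ . | quote }}`, as already done for the tls hosts above it, avoids YAML surprises.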
@@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml b/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml index 7559e9cc4..e74c75b05 100644 --- a/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-pod-utilization-multi-cluster-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.grafana -}} {{- if .Values.grafana.sidecar -}} {{- if .Values.grafana.sidecar.dashboards -}} -{{- if .Values.grafana.sidecar.dashboards.enabled -}} +{{- if and (.Values.grafana.sidecar.dashboards.enabled ) (eq (include "cost-analyzer.grafanaEnabled" .) "true") -}} apiVersion: v1 kind: ConfigMap metadata: @@ -12,7 +12,7 @@ metadata: labels: {{ include "cost-analyzer.commonLabels" . | nindent 4 }} {{- if $.Values.grafana.sidecar.dashboards.label }} - {{ $.Values.grafana.sidecar.dashboards.label }}: "1" + {{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue }}" {{- else }} grafana_dashboard: "1" {{- end }} 
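Review bot: `"{{ $.Values.grafana.sidecar.dashboards.labelValue }}"` replaces the literal "1" with a value that must now exist in values.yaml; if `labelValue` is unset the label renders as `""`, and the dashboards sidecar in grafana-deployment.yaml — which in the visible hunk is given only a LABEL env, no value env — may stop picking this ConfigMap up. A default that preserves the old behaviour is safer: `{{ $.Values.grafana.sidecar.dashboards.label }}: "{{ $.Values.grafana.sidecar.dashboards.labelValue | default "1" }}"`. The `else` branch still hardcodes `grafana_dashboard: "1"`, so the two branches can drift. The same change appears in grafana-pod-utilization-multi-cluster-template.yaml in the next hunk on this line.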
diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/pvc.yaml b/charts/kubecost/cost-analyzer/templates/grafana-pvc.yaml similarity index 50% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/pvc.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-pvc.yaml index 203ba02f2..d90e7f747 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/pvc.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-pvc.yaml @@ -1,5 +1,5 @@ -{{ if .Values.global.grafana.enabled }} -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +{{- if and .Values.grafana.persistence.enabled (not .Values.grafana.persistence.existingClaim) }} apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -7,21 +7,20 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} - {{- with .Values.persistence.annotations }} + {{- with .Values.grafana.persistence.annotations }} annotations: {{ toYaml . | indent 4 }} {{- end }} spec: accessModes: - {{- range .Values.persistence.accessModes }} + {{- range .Values.grafana.persistence.accessModes }} - {{ . | quote }} {{- end }} resources: requests: - storage: {{ .Values.persistence.size | quote }} - storageClassName: {{ .Values.persistence.storageClassName }} + storage: {{ .Values.grafana.persistence.size | quote }} + storageClassName: {{ .Values.grafana.persistence.storageClassName }} {{- end -}} {{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/secret.yaml b/charts/kubecost/cost-analyzer/templates/grafana-secret.yaml similarity index 50% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/secret.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-secret.yaml index 176a0b869..df8b46dde 100644 
--- a/charts/kubecost/cost-analyzer/charts/grafana/templates/secret.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-secret.yaml @@ -1,4 +1,4 @@ -{{ if .Values.global.grafana.enabled }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} apiVersion: v1 kind: Secret metadata: @@ -6,18 +6,17 @@ metadata: namespace: {{ .Release.Namespace }} labels: app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} type: Opaque data: - admin-user: {{ .Values.adminUser | b64enc | quote }} - {{- if .Values.adminPassword }} - admin-password: {{ .Values.adminPassword | b64enc | quote }} + admin-user: {{ .Values.grafana.adminUser | b64enc | quote }} + {{- if .Values.grafana.adminPassword }} + admin-password: {{ .Values.grafana.adminPassword | b64enc | quote }} {{- else }} admin-password: {{ randAlphaNum 40 | b64enc | quote }} {{- end }} - {{- if not .Values.ldap.existingSecret }} - ldap-toml: {{ .Values.ldap.config | b64enc | quote }} + {{- if not .Values.grafana.ldap.existingSecret }} + ldap-toml: {{ .Values.grafana.ldap.config | b64enc | quote }} {{- end }} {{ end }} diff --git a/charts/kubecost/cost-analyzer/templates/grafana-service.yaml b/charts/kubecost/cost-analyzer/templates/grafana-service.yaml new file mode 100644 index 000000000..3bf668ed8 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/grafana-service.yaml 
@@ -0,0 +1,51 @@ +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "grafana.name" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +{{- if .Values.grafana.service.labels }} +{{ toYaml .Values.grafana.service.labels | indent 4 }} +{{- end }} +{{- with .Values.grafana.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.grafana.service.type "ClusterIP") (empty .Values.grafana.service.type)) }} + type: ClusterIP + {{- if .Values.grafana.service.clusterIP }} + clusterIP: {{ .Values.grafana.service.clusterIP }} + {{end}} +{{- else if eq .Values.grafana.service.type "LoadBalancer" }} + type: {{ .Values.grafana.service.type }} + {{- if .Values.grafana.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.grafana.service.loadBalancerIP }} + {{- end }} + {{- if .Values.grafana.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.grafana.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.grafana.service.type }} +{{- end }} +{{- if .Values.grafana.service.externalIPs }} + externalIPs: +{{ toYaml .Values.grafana.service.externalIPs | indent 4 }} +{{- end }} + ports: + - name: tcp-service + port: {{ .Values.grafana.service.port }} + protocol: TCP + targetPort: 3000 +{{ if (and (eq .Values.grafana.service.type "NodePort") (not (empty .Values.grafana.service.nodePort))) }} + nodePort: {{.Values.grafana.service.nodePort}} +{{ end }} + selector: + app: {{ template "grafana.name" . }} + release: {{ .Release.Name }} +{{ end }} 
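Review bot: The nodePort block uses untrimmed `{{ if (and (eq .Values.grafana.service.type "NodePort") ...) }}` / `{{ end }}` while the rest of the file trims with `{{-`, so a ClusterIP or LoadBalancer service renders two stray blank lines inside `ports:`. Use `{{- if ... }}` and `{{- end }}` there for consistency. `loadBalancerSourceRanges` is only honoured in the LoadBalancer branch; a one-line comment saying so would help operators who set it together with NodePort and expect a restriction.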
diff --git a/charts/kubecost/cost-analyzer/charts/grafana/templates/serviceaccount.yaml b/charts/kubecost/cost-analyzer/templates/grafana-serviceaccount.yaml similarity index 75% rename from charts/kubecost/cost-analyzer/charts/grafana/templates/serviceaccount.yaml rename to charts/kubecost/cost-analyzer/templates/grafana-serviceaccount.yaml index 024fb2dad..46f5e63f1 100644 --- a/charts/kubecost/cost-analyzer/charts/grafana/templates/serviceaccount.yaml +++ b/charts/kubecost/cost-analyzer/templates/grafana-serviceaccount.yaml @@ -1,14 +1,13 @@ -{{ if .Values.global.grafana.enabled }} +{{- if (eq (include "cost-analyzer.grafanaEnabled" .) "true") }} {{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount metadata: labels: app: {{ template "grafana.name" . }} - chart: {{ .Chart.Name }}-{{ .Chart.Version }} heritage: {{ .Release.Service }} release: {{ .Release.Name }} name: {{ template "grafana.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} -{{ end }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-agent-secretprovider-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-agent-secretprovider-template.yaml index 40ee87e3e..3ebc1a4b6 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-agent-secretprovider-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-agent-secretprovider-template.yaml @@ -1,5 +1,5 @@ {{- if .Values.agent }} -{{- if .Values.agentCsi.enabled }} +{{- if ((.Values.agentCsi).enabled) }} {{- if .Capabilities.APIVersions.Has "secrets-store.csi.x-k8s.io/v1" }} apiVersion: secrets-store.csi.x-k8s.io/v1 {{- else }} diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-actions-configmap.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-actions-configmap.yaml new file mode 100644 index 000000000..e5c0f7705 --- /dev/null 
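Review bot: `{{- if .Values.serviceAccount.create }}` is the one value in grafana-serviceaccount.yaml that was not moved under `.Values.grafana` while the file was relocated into the parent chart, so Grafana's ServiceAccount is now gated by the parent chart's `serviceAccount.create` (if that key exists there) rather than a Grafana-specific setting. If that is intended, `grafana.serviceAccountName` must resolve consistently with it so the Deployment's `serviceAccountName` never references an account that is not created; if not, use `{{- if .Values.grafana.serviceAccount.create }}` like the rest of the move. A one-line comment at the top of the file naming the key that drives creation would help either way.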
+++ b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-actions-configmap.yaml @@ -0,0 +1,41 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-controller-continuous-cluster-sizing + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +{{- if .Values.clusterController.actionConfigs.clusterRightsize }} +binaryData: + config: | +{{- toJson .Values.clusterController.actionConfigs.clusterRightsize | b64enc | nindent 4 }} +{{- end }} +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-controller-nsturndown-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +{{- if .Values.clusterController.actionConfigs.namespaceTurndown }} +binaryData: +{{- range .Values.clusterController.actionConfigs.namespaceTurndown }} + {{ .name }}: | + {{- toJson . | b64enc | nindent 4 }} +{{- end }} +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: cluster-controller-container-rightsizing-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} +{{- if .Values.clusterController.actionConfigs.containerRightsize }} +binaryData: + config: | +{{- toJson .Values.clusterController.actionConfigs.containerRightsize | b64enc | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml index 78a75700c..ce1691ef5 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-cluster-controller-template.yaml 
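Review bot: The three ConfigMaps in this new file are rendered unconditionally, whereas the two they replace lived inside kubecost-cluster-controller-template.yaml (removed in the next hunk), which presumably sits under a cluster-controller enable guard outside the visible hunks. Unless that guard is replicated here — wrapping the file in the same `{{- if .Values.clusterController.enabled }}` ... `{{- end }}` that template uses, if that is its key — the rightsizing and namespace-turndown configuration is created in every release even when the controller is disabled. `{{- toJson ... | b64enc | nindent 4 }}` under a `config: |` block scalar works, but a short comment explaining why `binaryData` with base64-encoded JSON is used instead of `data` would save the next maintainer a detour. The first `---` is followed by a blank line and the others are not; pick one.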
@@ -96,20 +96,6 @@ rules: - get - create - update - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - replicasets - verbs: - - get - - list - - watch - - create - - patch - - update - - delete - apiGroups: - apps resources: @@ -197,29 +183,13 @@ subjects: name: {{ template "kubecost.clusterControllerName" . }} namespace: {{ .Release.Namespace }} --- -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-controller-continuous-cluster-sizing - namespace: {{ .Release.Namespace }} - labels: - {{- include "cost-analyzer.commonLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: cluster-controller-nsturndown-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "cost-analyzer.commonLabels" . | nindent 4 }} ---- apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kubecost.clusterControllerName" . }} namespace: {{ .Release.Namespace }} labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} + {{- include "cost-analyzer.commonLabels" . | nindent 4 }} spec: strategy: rollingUpdate: @@ -243,7 +213,11 @@ spec: {{- end }} containers: - name: {{ template "kubecost.clusterControllerName" . }} + {{- if eq (typeOf .Values.clusterController.image) "string" }} image: {{ .Values.clusterController.image }} + {{- else }} + image: {{ .Values.clusterController.image.repository }}:{{ .Values.clusterController.image.tag }} + {{- end}} imagePullPolicy: {{ .Values.clusterController.imagePullPolicy }} volumeMounts: - name: cluster-controller-keys @@ -285,6 +259,10 @@ spec: hostPort: 9731 serviceAccount: {{ template "kubecost.clusterControllerName" . }} serviceAccountName: {{ template "kubecost.clusterControllerName" . }} + {{- with .Values.clusterController.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} volumes: - name: cluster-controller-keys secret: 
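Review bot: The new `{{- else }}` branch renders `{{ .Values.clusterController.image.repository }}:{{ .Values.clusterController.image.tag }}` with no fallback, so a map that sets only `repository` yields an invalid `repo:` reference that fails at apply time. Consider `{{ .Values.clusterController.image.repository }}:{{ required "clusterController.image.tag is required" .Values.clusterController.image.tag }}`. The `typeOf ... "string"` switch is a reasonable compatibility shim but deserves a one-line comment saying the plain string is the legacy value shape. Dropping the `extensions` apiGroup rule in the first hunk narrows the controller's RBAC, which is welcome.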
diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml index b0562f895..4ea1444be 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-metrics-deployment-template.yaml @@ -58,7 +58,7 @@ spec: volumes: {{- if .Values.agent }} - name: config-store - {{- if .Values.agentCsi.enabled }} + {{- if ((.Values.agentCsi).enabled) }} csi: driver: secrets-store.csi.k8s.io readOnly: true @@ -106,6 +106,13 @@ spec: items: - key: cloud-integration.json path: cloud-integration.json + {{- else if or .Values.kubecostProductConfigs.cloudIntegrationJSON ((.Values.kubecostProductConfigs).athenaProjectID) }} + - name: cloud-integration + secret: + secretName: cloud-integration + items: + - key: cloud-integration.json + path: cloud-integration.json {{- end }} {{- end }} - name: persistent-configs @@ -147,6 +154,8 @@ spec: - image: {{ .Values.kubecostModel.fullImageName }} {{- else if .Values.imageVersion }} - image: {{ .Values.kubecostModel.image }}:{{ .Values.imageVersion }} + {{- else if eq "development" .Chart.AppVersion }} + - image: gcr.io/kubecost1/cost-model-nightly:latest {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} {{ end }} @@ -188,7 +197,7 @@ spec: - name: azure-storage-config mountPath: /var/azure-storage-config {{- end }} - {{- if .Values.kubecostProductConfigs.cloudIntegrationSecret }} + {{- if or (.Values.kubecostProductConfigs.cloudIntegrationSecret) (.Values.kubecostProductConfigs.cloudIntegrationJSON) ((.Values.kubecostProductConfigs).athenaProjectID) }} - name: cloud-integration mountPath: /var/configs/cloud-integration {{- end }} 
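Review bot: In the `@@ -188` hunk the new condition mixes `(.Values.kubecostProductConfigs.cloudIntegrationSecret)` and `(.Values.kubecostProductConfigs.cloudIntegrationJSON)` with the nil-safe `((.Values.kubecostProductConfigs).athenaProjectID)`; the first two still fail when `kubecostProductConfigs` is nil, so the nil-safe form on the third buys nothing. Either write all three as `((.Values.kubecostProductConfigs).x)` or drop the extra parentheses everywhere; the `@@ -106` hunk has the same mix. That hunk's new `- name: cloud-integration` volume also hardcodes `secretName: cloud-integration`, which must be created by another template when these settings are present — a comment pointing at it would make the coupling visible.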
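Review bot: `- image: gcr.io/kubecost1/cost-model-nightly:latest` in the `@@ -147` hunk puts a floating, mutable tag into the chart's image selection: any render where `.Chart.AppVersion` is "development" pulls whatever that tag currently points to, with no pin or digest, so the deployed artifact cannot be reproduced or verified later. If the branch exists only for in-repo development builds, say so next to it (`{{- /* dev-only: AppVersion "development" is never published */ -}}`) and keep it out of released charts; otherwise pin by digest. It also bypasses `.Values.kubecostModel.image`, so an operator's private-registry override is silently ignored on that path.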
@@ -272,7 +281,7 @@ spec: value: {{ (quote .Values.global.prometheus.insecureSkipVerify) }} {{- end }} {{- if .Values.cloudAgentClusterId }} - - name: CLUSTER_ID + - name: CLUSTER_ID value: {{ .Values.cloudAgentClusterId }} {{- else if and (.Values.prometheus.server.global.external_labels.cluster_id) (not .Values.prometheus.server.clusterIDConfigmap) }} - name: CLUSTER_ID diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-priority-class-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-priority-class-template.yaml index 41c4fd7a9..7a176d72a 100644 --- a/charts/kubecost/cost-analyzer/templates/kubecost-priority-class-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/kubecost-priority-class-template.yaml @@ -1,7 +1,7 @@ {{- if .Values.priority }} {{- if .Values.priority.enabled }} {{- if eq (len .Values.priority.name) 0 }} -apiVersion: {{ include "cost-analyzer.priorityClass.apiVersion" . }} +apiVersion: scheduling.k8s.io/v1 kind: PriorityClass metadata: name: {{ template "cost-analyzer.fullname" . }}-priority diff --git a/charts/kubecost/cost-analyzer/templates/kubecost-saml-secret-template.yaml b/charts/kubecost/cost-analyzer/templates/kubecost-saml-secret-template.yaml new file mode 100644 index 000000000..e9a323057 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/kubecost-saml-secret-template.yaml @@ -0,0 +1,12 @@ +{{- if .Values.saml.enabled }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ .Values.saml.authSecretName | default "kubecost-saml-secret" }} + namespace: {{ .Release.Namespace }} + labels: + {{ include "cost-analyzer.commonLabels" . | nindent 4 }} +stringData: + clientSecret: {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/model-ingress-template.yaml b/charts/kubecost/cost-analyzer/templates/model-ingress-template.yaml index 55243eedb..b55b2986c 100644 
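Review bot: `clientSecret: {{ .Values.saml.authSecret | default (randAlphaNum 32 | quote) }}` quotes only the generated default; a user-supplied `authSecret` is emitted bare into YAML, so a value containing `:`, `#` or a leading special character either breaks the manifest or is silently altered. Move the quote outside the default: `clientSecret: {{ .Values.saml.authSecret | default (randAlphaNum 32) | quote }}`. Separately, nothing preserves the generated value across releases, so an unset `authSecret` re-draws the SAML client secret on every `helm upgrade`; either require the value or read the existing Secret back with `lookup` before generating a new one (noting that `lookup` returns nothing under `helm template`). The `labels:` line uses `{{ include ... | nindent 4 }}` where sibling templates use `{{- include`, leaving a stray blank line.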
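Review bot: `apiVersion: scheduling.k8s.io/v1` replaces the `cost-analyzer.priorityClass.apiVersion` helper, and model-ingress-template.yaml on the next line drops its `networking.k8s.io/v1` capability probe the same way; both are fine on current clusters, but the chart now fails at apply time rather than at template time on anything older than the releases that ship those APIs (Ingress v1 needs Kubernetes 1.19). Make sure the chart's `kubeVersion` constraint (not in view) is tightened to match so the failure stays explicit. If the helper is now unused, remove it from the helpers template as well.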
--- a/charts/kubecost/cost-analyzer/templates/model-ingress-template.yaml +++ b/charts/kubecost/cost-analyzer/templates/model-ingress-template.yaml @@ -4,15 +4,7 @@ {{- $serviceName := include "cost-analyzer.serviceName" . -}} {{- $ingressPaths := .Values.kubecostModel.ingress.paths -}} {{- $ingressPathType := .Values.kubecostModel.ingress.pathType -}} -{{- $apiV1 := false -}} -{{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare "^1.19-0" .Capabilities.KubeVersion.GitVersion) }} -{{- $apiV1 = true -}} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} kind: Ingress metadata: name: {{ $fullName }}-model @@ -46,7 +38,6 @@ spec: http: paths: {{- range $ingressPaths }} - {{- if $apiV1 }} - path: {{ . }} pathType: {{ $ingressPathType }} backend: @@ -54,12 +45,6 @@ spec: name: {{ $serviceName }} port: name: tcp-model - {{- else }} - - path: {{ . }} - backend: - serviceName: {{ $serviceName }} - servicePort: tcp-model - {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-psp.template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-psp.template.yaml deleted file mode 100644 index 1dac8de05..000000000 --- a/charts/kubecost/cost-analyzer/templates/network-costs-psp.template.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{- if .Values.networkCosts }} -{{- if .Values.networkCosts.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} -{{- if .Values.networkCosts.podSecurityPolicy }} -{{- if .Values.networkCosts.podSecurityPolicy.enabled }} -apiVersion: {{ include "cost-analyzer.podSecurityPolicy.apiVersion" . }} -kind: PodSecurityPolicy -metadata: - name: {{ template "cost-analyzer.fullname" . }}-network-costs - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 6 }} -spec: - privileged: true - hostNetwork: true - allowedHostPaths: - {{- if .Values.networkCosts.hostProc }} - - pathPrefix: {{ default "/proc" .Values.networkCosts.hostProc.hostPath }} - readOnly: false - {{- else }} - - pathPrefix: /proc - readOnly: false - {{- end }} - hostPorts: - - min: 1 - max: 65535 - seLinux: - rule: RunAsAny - supplementalGroups: - rule: RunAsAny - runAsUser: - rule: RunAsAny - fsGroup: - rule: RunAsAny - volumes: - - '*' -{{- end }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml deleted file mode 100644 index 1376b66a4..000000000 --- a/charts/kubecost/cost-analyzer/templates/network-costs-role.template.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -{{- if .Values.networkCosts }} -{{- if .Values.networkCosts.enabled }} -{{- if .Values.networkCosts.podSecurityPolicy }} -{{- if .Values.networkCosts.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "cost-analyzer.fullname" . }}-network-costs - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 4 }} - annotations: - {{- with .Values.networkCosts.podSecurityPolicy.annotations }} - {{ toYaml . | indent 4 }} - {{- end }} -rules: -- apiGroups: - - extensions - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "cost-analyzer.fullname" . }}-network-costs -{{- end }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml b/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml deleted file mode 100644 index 4992407a3..000000000 --- a/charts/kubecost/cost-analyzer/templates/network-costs-rolebinding.template.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.networkCosts }} -{{- if .Values.networkCosts.enabled }} -{{- if .Values.networkCosts.podSecurityPolicy }} -{{- if .Values.networkCosts.podSecurityPolicy.enabled }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ template "cost-analyzer.fullname" . }}-network-costs - namespace: {{ .Release.Namespace }} - labels: - {{ include "cost-analyzer.commonLabels" . | nindent 6 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "cost-analyzer.fullname" . }}-network-costs -subjects: -- kind: ServiceAccount - name: {{ template "cost-analyzer.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end }} -{{- end }} -{{- end }} -{{- end }} 
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-configmap.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-configmap.yaml similarity index 66% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-configmap.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-configmap.yaml index 52a6aa517..8f5b8315f 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-configmap.yaml @@ -1,5 +1,5 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} +{{- if and .Values.prometheus.alertmanager.enabled (and (empty .Values.prometheus.alertmanager.configMapOverrideName) (empty .Values.prometheus.alertmanager.configFromSecret)) -}} apiVersion: v1 kind: ConfigMap metadata: @@ -9,7 +9,7 @@ metadata: namespace: {{ .Release.Namespace }} data: {{- $root := . -}} -{{- range $key, $value := .Values.alertmanagerFiles }} +{{- range $key, $value := .Values.prometheus.alertmanagerFiles }} {{- if $key | regexMatch ".*\\.ya?ml$" }} {{ $key }}: | {{ toYaml $value | default "{}" | indent 4 }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml new file mode 100644 index 000000000..9520cd2df --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-deployment.yaml 
@@ -0,0 +1,142 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if and .Values.prometheus.alertmanager.enabled (not .Values.prometheus.alertmanager.statefulSet.enabled) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.prometheus.alertmanager.replicaCount }} + {{- if .Values.prometheus.alertmanager.strategy }} + strategy: +{{ toYaml .Values.prometheus.alertmanager.strategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.prometheus.alertmanager.podAnnotations }} + annotations: +{{ toYaml .Values.prometheus.alertmanager.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.prometheus.alertmanager.podLabels}} + {{ toYaml .Values.prometheus.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.prometheus.alertmanager.schedulerName }} + schedulerName: "{{ .Values.prometheus.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.prometheus.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.prometheus.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.alertmanager.name }} + image: "{{ .Values.prometheus.alertmanager.image.repository }}:{{ .Values.prometheus.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.prometheus.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/{{ .Values.prometheus.alertmanager.configFileName }} + - --storage.path={{ .Values.prometheus.alertmanager.persistentVolume.mountPath }} + - --cluster.advertise-address=$(POD_IP):6783 + {{- range $key, $value := .Values.prometheus.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.prometheus.alertmanager.baseURL }} + - --web.external-url={{ .Values.prometheus.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.prometheus.alertmanager.prefixURL }}/-/ready + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.prometheus.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.prometheus.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.prometheus.alertmanager.persistentVolume.subPath }}" + {{- range .Values.prometheus.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + + {{- if .Values.prometheus.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.alertmanager.name }}-{{ .Values.prometheus.configmapReload.alertmanager.name }} + image: "{{ .Values.prometheus.configmapReload.alertmanager.image.repository }}:{{ .Values.prometheus.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --watched-dir=/etc/config + - --reload-url=http://127.0.0.1:9093{{ .Values.prometheus.alertmanager.prefixURL }}/-/reload + resources: +{{ toYaml .Values.prometheus.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.prometheus.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.prometheus.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.prometheus.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.prometheus.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.prometheus.alertmanager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.affinity }} + affinity: +{{ toYaml .Values.prometheus.alertmanager.affinity | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.prometheus.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.prometheus.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.prometheus.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . 
}}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.prometheus.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.prometheus.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} + - name: storage-volume + {{- if .Values.prometheus.alertmanager.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.prometheus.alertmanager.persistentVolume.existingClaim }}{{ .Values.prometheus.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + emptyDir: {} + {{- end -}} +{{- end }} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-ingress.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-ingress.yaml similarity index 52% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-ingress.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-ingress.yaml index e22a76db7..41757e0e1 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-ingress.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-ingress.yaml 
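Review bot: The `extraEnv` loop in the alertmanager container renders `value: {{ $value }}` unquoted, so any value that YAML types as a non-string (`123`, `true`, `yes`, `1e3`) becomes an integer or boolean and the Deployment is rejected because `env[].value` must be a string; `value: {{ $value | quote }}` fixes that. The same pattern appears in the alertmanager statefulset hunk. Separately, the pod-level `securityContext` is only emitted when the values file supplies one and there is no container-level `securityContext` at all, so by default alertmanager runs without `allowPrivilegeEscalation: false` or `readOnlyRootFilesystem: true`; consider rendering a hardened container `securityContext` block by default, overridable from values, since the process only needs its config mount and the storage volume.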
@@ -1,32 +1,26 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.alertmanager.ingress.enabled -}} {{- $releaseName := .Release.Name -}} {{- $serviceName := include "prometheus.alertmanager.fullname" . }} -{{- $servicePort := .Values.alertmanager.service.servicePort -}} -{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +{{- $servicePort := .Values.prometheus.alertmanager.service.servicePort -}} +{{- $extraPaths := .Values.prometheus.alertmanager.ingress.extraPaths -}} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} kind: Ingress metadata: -{{- if .Values.alertmanager.ingress.annotations }} +{{- if .Values.prometheus.alertmanager.ingress.annotations }} annotations: -{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} +{{ toYaml .Values.prometheus.alertmanager.ingress.annotations | indent 4 }} {{- end }} labels: {{- include "prometheus.alertmanager.labels" . | nindent 4 }} -{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} +{{- range $key, $value := .Values.prometheus.alertmanager.ingress.extraLabels }} {{ $key }}: {{ $value }} {{- end }} name: {{ template "prometheus.alertmanager.fullname" . }} namespace: {{ .Release.Namespace }} spec: rules: - {{- range .Values.alertmanager.ingress.hosts }} + {{- range .Values.prometheus.alertmanager.ingress.hosts }} {{- $url := splitList "/" . }} - host: {{ first $url }} http: 
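Review bot: This hunk makes `apiVersion: networking.k8s.io/v1` unconditional, but the context lines of the second hunk in this file (`serviceName: {{ $serviceName }}` / `servicePort: {{ $servicePort }}`) still emit the `extensions/v1beta1`-style backend, which the v1 Ingress schema does not accept; unless the lines between the two hunks wrap that in a v1-only branch, the rendered alertmanager Ingress will fail validation. The v1 form also requires `pathType` on every path. The backend should become `backend: { service: { name: {{ $serviceName }}, port: { number: {{ $servicePort }} } } }` with `pathType: Prefix` (or a value-driven pathType), mirroring the v1 branch the model-ingress template already uses. The path block that needs the change is outside this hunk.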
@@ -39,9 +33,9 @@ spec: serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} {{- end -}} -{{- if .Values.alertmanager.ingress.tls }} +{{- if .Values.prometheus.alertmanager.ingress.tls }} tls: -{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} +{{ toYaml .Values.prometheus.alertmanager.ingress.tls | indent 4 }} {{- end -}} {{- end -}} {{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-networkpolicy.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-networkpolicy.yaml similarity index 79% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-networkpolicy.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-networkpolicy.yaml index d5471551a..c24a76ae7 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-networkpolicy.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-networkpolicy.yaml @@ -1,6 +1,6 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} -apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "prometheus.alertmanager.fullname" . }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pdb.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pdb.yaml similarity index 62% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pdb.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pdb.yaml index 00e6c000b..123d24ee0 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-pdb.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pdb.yaml 
@@ -1,10 +1,6 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.alertmanager.podDisruptionBudget.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1" -}} +{{- if .Values.prometheus.alertmanager.podDisruptionBudget.enabled }} apiVersion: policy/v1 -{{- else}} -apiVersion: policy/v1beta1 -{{- end }} kind: PodDisruptionBudget metadata: name: {{ template "prometheus.alertmanager.fullname" . }} @@ -12,7 +8,7 @@ metadata: labels: {{- include "prometheus.alertmanager.labels" . | nindent 4 }} spec: - maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.prometheus.alertmanager.podDisruptionBudget.maxUnavailable }} selector: matchLabels: {{- include "prometheus.alertmanager.labels" . | nindent 6 }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pvc.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pvc.yaml new file mode 100644 index 000000000..dea65e5e5 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-pvc.yaml 
@@ -0,0 +1,35 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if not .Values.prometheus.alertmanager.statefulSet.enabled -}} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.alertmanager.persistentVolume.enabled -}} +{{- if not .Values.prometheus.alertmanager.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.prometheus.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.prometheus.alertmanager.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + accessModes: +{{ toYaml .Values.prometheus.alertmanager.persistentVolume.accessModes | indent 4 }} +{{- if .Values.prometheus.alertmanager.persistentVolume.storageClass }} +{{- if (eq "-" .Values.prometheus.alertmanager.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.prometheus.alertmanager.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.prometheus.alertmanager.persistentVolume.volumeBindingMode }} + volumeBindingModeName: "{{ .Values.prometheus.alertmanager.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.prometheus.alertmanager.persistentVolume.size }}" +{{- end -}} +{{- end -}} +{{- end -}} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service-headless.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service-headless.yaml similarity index 50% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service-headless.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service-headless.yaml index 0a72ead40..2f68f4126 100644 
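Review bot: `volumeBindingModeName` is not a field of `PersistentVolumeClaimSpec`; binding mode lives on the StorageClass, so this line is either pruned as an unknown field (with a warning) or, with strict field validation enabled, causes the PVC to be rejected outright. Either way the value `prometheus.alertmanager.persistentVolume.volumeBindingMode` has no effect, which is misleading to operators who set it expecting `WaitForFirstConsumer` semantics. I would remove the `{{- if ... volumeBindingMode }}` block (and the corresponding value, if it exists in values.yaml) or document that binding mode must be configured on the StorageClass.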
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-service-headless.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service-headless.yaml @@ -1,16 +1,16 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.alertmanager.statefulSet.enabled -}} apiVersion: v1 kind: Service metadata: -{{- if .Values.alertmanager.statefulSet.headless.annotations }} +{{- if .Values.prometheus.alertmanager.statefulSet.headless.annotations }} annotations: -{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} +{{ toYaml .Values.prometheus.alertmanager.statefulSet.headless.annotations | indent 4 }} {{- end }} labels: {{- include "prometheus.alertmanager.labels" . | nindent 4 }} -{{- if .Values.alertmanager.statefulSet.headless.labels }} -{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} +{{- if .Values.prometheus.alertmanager.statefulSet.headless.labels }} +{{ toYaml .Values.prometheus.alertmanager.statefulSet.headless.labels | indent 4 }} {{- end }} name: {{ template "prometheus.alertmanager.fullname" . }}-headless namespace: {{ .Release.Namespace }} @@ -18,10 +18,10 @@ spec: clusterIP: None ports: - name: http - port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} + port: {{ .Values.prometheus.alertmanager.statefulSet.headless.servicePort }} protocol: TCP targetPort: 9093 -{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} +{{- if .Values.prometheus.alertmanager.statefulSet.headless.enableMeshPeer }} - name: meshpeer port: 6783 protocol: TCP diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service.yaml new file mode 100644 index 000000000..838d39ba4 --- /dev/null 
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-service.yaml 
@@ -0,0 +1,55 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if .Values.prometheus.alertmanager.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.prometheus.alertmanager.service.annotations }} + annotations: +{{ toYaml .Values.prometheus.alertmanager.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.prometheus.alertmanager.service.labels }} +{{ toYaml .Values.prometheus.alertmanager.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: +{{- if .Values.prometheus.alertmanager.service.clusterIP }} + clusterIP: {{ .Values.prometheus.alertmanager.service.clusterIP }} +{{- end }} +{{- if .Values.prometheus.alertmanager.service.externalIPs }} + externalIPs: +{{ toYaml .Values.prometheus.alertmanager.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.prometheus.alertmanager.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.prometheus.alertmanager.service.loadBalancerIP }} +{{- end }} +{{- if .Values.prometheus.alertmanager.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.prometheus.alertmanager.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.prometheus.alertmanager.service.servicePort }} + protocol: TCP + targetPort: 9093 + {{- if .Values.prometheus.alertmanager.service.nodePort }} + nodePort: {{ .Values.prometheus.alertmanager.service.nodePort }} + {{- end }} +{{- if .Values.prometheus.alertmanager.service.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . 
| nindent 4 }} +{{- if .Values.prometheus.alertmanager.service.sessionAffinity }} + sessionAffinity: {{ .Values.prometheus.alertmanager.service.sessionAffinity }} +{{- end }} + type: "{{ .Values.prometheus.alertmanager.service.type }}" +{{- end }} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-serviceaccount.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-serviceaccount.yaml similarity index 72% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-serviceaccount.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-serviceaccount.yaml index 521714df3..99257bbf8 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/alertmanager-serviceaccount.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-serviceaccount.yaml @@ -1,5 +1,5 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.serviceAccounts.alertmanager.create -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-statefulset.yaml new file mode 100644 index 000000000..26e05f1fb --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-alertmanager-statefulset.yaml 
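Review bot: When `prometheus.alertmanager.service.enableMeshPeer` is set, this Service publishes the cluster gossip port 6783 alongside the HTTP port, and since `type` is value-driven the same Service can be a `NodePort` or `LoadBalancer`, exposing the peer protocol outside the cluster; the headless Service in the statefulset path already serves peer discovery, so the non-headless Service does not need it. If the option is kept, the comment on the value should say that meshpeer is only meant for in-cluster use, or the template should only emit the port when the service type is `ClusterIP`, e.g. `{{- if and .Values.prometheus.alertmanager.service.enableMeshPeer (eq .Values.prometheus.alertmanager.service.type "ClusterIP") }}`. Restricting it with `loadBalancerSourceRanges` alone does not cover `NodePort`.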
@@ -0,0 +1,155 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if and .Values.prometheus.alertmanager.enabled .Values.prometheus.alertmanager.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.prometheus.alertmanager.replicaCount }} + podManagementPolicy: {{ .Values.prometheus.alertmanager.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.prometheus.alertmanager.podAnnotations }} + annotations: +{{ toYaml .Values.prometheus.alertmanager.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + spec: +{{- if .Values.prometheus.alertmanager.affinity }} + affinity: +{{ toYaml .Values.prometheus.alertmanager.affinity | indent 8 }} +{{- end }} +{{- if .Values.prometheus.alertmanager.schedulerName }} + schedulerName: "{{ .Values.prometheus.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.prometheus.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.prometheus.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.alertmanager.name }} + image: "{{ .Values.prometheus.alertmanager.image.repository }}:{{ .Values.prometheus.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.prometheus.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.prometheus.alertmanager.persistentVolume.mountPath }} + - --cluster.advertise-address=$(POD_IP):6783 + {{- if .Values.prometheus.alertmanager.statefulSet.headless.enableMeshPeer }} + - --cluster.listen-address=0.0.0.0:6783 + {{- range $n := until (.Values.prometheus.alertmanager.replicaCount | int) }} + - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 + {{- end }} + {{- end }} + {{- range $key, $value := .Values.prometheus.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.prometheus.alertmanager.baseURL }} + - --web.external-url={{ .Values.prometheus.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.prometheus.alertmanager.prefixURL }}/#/status + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.prometheus.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.prometheus.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.prometheus.alertmanager.persistentVolume.subPath }}" + {{- range .Values.prometheus.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if 
.Values.prometheus.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.prometheus.alertmanager.name }}-{{ .Values.prometheus.configmapReload.alertmanager.name }} + image: "{{ .Values.prometheus.configmapReload.alertmanager.image.repository }}:{{ .Values.prometheus.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --watched-dir=/etc/config + - --reload-url=http://localhost:9093{{ .Values.prometheus.alertmanager.prefixURL }}/-/reload + resources: +{{ toYaml .Values.prometheus.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.prometheus.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.prometheus.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.prometheus.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.prometheus.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.prometheus.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.prometheus.alertmanager.tolerations | indent 8 }} + {{- end }} + volumes: + - name: config-volume + configMap: + name: {{ if .Values.prometheus.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.prometheus.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . 
}}{{- end }} + {{- range .Values.prometheus.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} +{{- if .Values.prometheus.alertmanager.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.prometheus.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.prometheus.alertmanager.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.prometheus.alertmanager.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.prometheus.alertmanager.persistentVolume.size }}" + {{- if .Values.prometheus.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.prometheus.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.prometheus.alertmanager.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: {} +{{- end }} +{{- end }} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml new file mode 100644 index 000000000..14f3f6703 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-daemonset.yaml 
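Review bot: The `volumeClaimTemplates` block tests `.Values.prometheus.server.persistentVolume.storageClass` but then renders `.Values.prometheus.alertmanager.persistentVolume.storageClass`, so the alertmanager storage class is ignored unless the server one is set, and setting only the server one renders `storageClassName: ""` for alertmanager when the server value is `-`; both references should be `.Values.prometheus.alertmanager.persistentVolume.storageClass`, as the pvc hunk already does. The container also hard-codes `--config.file=/etc/config/alertmanager.yml` while the deployment hunk reads `{{ .Values.prometheus.alertmanager.configFileName }}`, so a non-default `configFileName` works in one mode and not the other. The statefulset likewise ignores `configFromSecret` that the deployment honours, and `value: {{ $value }}` in the `extraEnv` loop needs `| quote` for the reason noted on the deployment hunk.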
@@ -0,0 +1,133 @@
+{{ if .Values.global.prometheus.enabled }}
+{{- if .Values.prometheus.nodeExporter.enabled -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+{{- if .Values.prometheus.nodeExporter.deploymentAnnotations }}
+ annotations:
+{{ toYaml .Values.prometheus.nodeExporter.deploymentAnnotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }}
+ {{- if .Values.prometheus.nodeExporter.updateStrategy }}
+ updateStrategy:
+{{ toYaml .Values.prometheus.nodeExporter.updateStrategy | indent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ {{- if .Values.prometheus.nodeExporter.podAnnotations }}
+ annotations:
+{{ toYaml .Values.prometheus.nodeExporter.podAnnotations | indent 8 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 8 }}
+{{- if .Values.prometheus.nodeExporter.pod.labels }}
+{{ toYaml .Values.prometheus.nodeExporter.pod.labels | indent 8 }}
+{{- end }}
+ spec:
+{{- if .Values.prometheus.nodeExporter.affinity }}
+ affinity:
+{{ toYaml .Values.prometheus.nodeExporter.affinity | indent 8 }}
+{{- end }}
+ serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }}
+{{- if .Values.prometheus.nodeExporter.dnsPolicy }}
+ dnsPolicy: "{{ .Values.prometheus.nodeExporter.dnsPolicy }}"
+{{- end }}
+{{- if .Values.prometheus.nodeExporter.priorityClassName }}
+ priorityClassName: "{{ .Values.prometheus.nodeExporter.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: {{ template "prometheus.name" . }}-{{ .Values.prometheus.nodeExporter.name }}
+ image: "{{ .Values.prometheus.nodeExporter.image.repository }}:{{ .Values.prometheus.nodeExporter.image.tag }}"
+ imagePullPolicy: "{{ .Values.prometheus.nodeExporter.image.pullPolicy }}"
+ args:
+ - --path.procfs=/host/proc
+ - --path.sysfs=/host/sys
+ {{- if .Values.prometheus.nodeExporter.hostNetwork }}
+ - --web.listen-address=:{{ .Values.prometheus.nodeExporter.service.hostPort }}
+ {{- end }}
+ {{- range $key, $value := .Values.prometheus.nodeExporter.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - name: metrics
+ {{- if .Values.prometheus.nodeExporter.hostNetwork }}
+ containerPort: {{ .Values.prometheus.nodeExporter.service.hostPort }}
+ {{- else }}
+ containerPort: 9100
+ {{- end }}
+ hostPort: {{ .Values.prometheus.nodeExporter.service.hostPort }}
+ resources:
+{{ toYaml .Values.prometheus.nodeExporter.resources | indent 12 }}
+ volumeMounts:
+ - name: proc
+ mountPath: /host/proc
+ readOnly: true
+ - name: sys
+ mountPath: /host/sys
+ readOnly: true
+ {{- range .Values.prometheus.nodeExporter.extraHostPathMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ readOnly: {{ .readOnly }}
+ {{- if .mountPropagation }}
+ mountPropagation: {{ .mountPropagation }}
+ {{- end }}
+ {{- end }}
+ {{- range .Values.prometheus.nodeExporter.extraConfigmapMounts }}
+ - name: {{ .name }}
+ mountPath: {{ .mountPath }}
+ readOnly: {{ .readOnly }}
+ {{- end }}
+ {{- if .Values.prometheus.imagePullSecrets }}
+ imagePullSecrets:
+ {{ toYaml .Values.prometheus.imagePullSecrets | indent 2 }}
+ {{- end }}
+ {{- if .Values.prometheus.nodeExporter.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- if .Values.prometheus.nodeExporter.hostPID }}
+ hostPID: true
+ {{- end }}
+ {{- if .Values.prometheus.nodeExporter.tolerations }}
+ tolerations:
+{{ toYaml .Values.prometheus.nodeExporter.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.nodeExporter.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.prometheus.nodeExporter.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.nodeExporter.securityContext }}
+ securityContext:
+{{ toYaml .Values.prometheus.nodeExporter.securityContext | indent 8 }}
+ {{- end }}
+ volumes:
+ - name: proc
+ hostPath:
+ path: /proc
+ - name: sys
+ hostPath:
+ path: /sys
+ {{- range .Values.prometheus.nodeExporter.extraHostPathMounts }}
+ - name: {{ .name }}
+ hostPath:
+ path: {{ .hostPath }}
+ {{- end }}
+ {{- range .Values.prometheus.nodeExporter.extraConfigmapMounts }}
+ - name: {{ .name }}
+ configMap:
+ name: {{ .configMap }}
+ {{- end }}
+
+{{- end -}}
+{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-ocp-scc.yaml
similarity index 90%
rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml
rename to charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-ocp-scc.yaml
index 62b0ff2aa..e226f9bea 100644
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-ocp-scc.yaml
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-ocp-scc.yaml
@@ -1,4 +1,4 @@
-{{- if and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (.Values.global.platforms.openshift.scc.nodeExporter) (.Values.nodeExporter.enabled) }}
+{{- if and (.Capabilities.APIVersions.Has "security.openshift.io/v1/SecurityContextConstraints") (.Values.global.platforms.openshift.scc.nodeExporter) (.Values.prometheus.nodeExporter.enabled) }}
 apiVersion: security.openshift.io/v1
 kind: SecurityContextConstraints
 metadata:
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml
new file mode 100644
index 000000000..1ef342d0e
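Review bot: The node-exporter container carries no container-level `securityContext`, while the prometheus-server deployment added in this same commit gives its configmap-reload container one from `.Values.global.containerSecurityContext` with a per-component fallback; this is the pod that mounts host `/proc` and `/sys` and can run with `hostPID`/`hostNetwork`, so it is the workload where a hardened container context (no privilege escalation, read-only root filesystem, dropped capabilities) matters most. Suggest adding, under the container, `securityContext:` followed by `{{- toYaml .Values.global.containerSecurityContext | nindent 12 }}` inside the same `if`/`else` shape the server deployment uses. Separately, `hostPort: {{ .Values.prometheus.nodeExporter.service.hostPort }}` is emitted unconditionally, so the metrics port is bound on every node's host interface even when `hostNetwork` is false; if that is intended it deserves a comment in values, otherwise it belongs inside the existing `{{- if .Values.prometheus.nodeExporter.hostNetwork }}` guard. Indentation is not recoverable from this rendering, so confirm the nesting in the file.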
--- /dev/null
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-service.yaml
@@ -0,0 +1,47 @@
+{{ if .Values.global.prometheus.enabled }}
+{{- if .Values.prometheus.nodeExporter.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.prometheus.nodeExporter.service.annotations }}
+ annotations:
+{{ toYaml .Values.prometheus.nodeExporter.service.annotations | indent 4 }}
+{{- end }}
+ labels:
+ {{- include "prometheus.nodeExporter.labels" . | nindent 4 }}
+{{- if .Values.prometheus.nodeExporter.service.labels }}
+{{ toYaml .Values.prometheus.nodeExporter.service.labels | indent 4 }}
+{{- end }}
+ name: {{ template "prometheus.nodeExporter.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+{{- if .Values.prometheus.nodeExporter.service.clusterIP }}
+ clusterIP: {{ .Values.prometheus.nodeExporter.service.clusterIP }}
+{{- end }}
+{{- if .Values.prometheus.nodeExporter.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.prometheus.nodeExporter.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.prometheus.nodeExporter.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.prometheus.nodeExporter.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.prometheus.nodeExporter.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.prometheus.nodeExporter.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: metrics
+ port: {{ .Values.prometheus.nodeExporter.service.servicePort }}
+ protocol: TCP
+ {{- if .Values.prometheus.nodeExporter.hostNetwork }}
+ targetPort: {{ .Values.prometheus.nodeExporter.service.hostPort }}
+ {{- else }}
+ targetPort: 9100
+ {{- end }}
+ selector:
+ {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }}
+ type: "{{ .Values.prometheus.nodeExporter.service.type }}"
+{{- end -}}
+{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-serviceaccount.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-serviceaccount.yaml
similarity index 72%
rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-serviceaccount.yaml
rename to charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-serviceaccount.yaml
index 42d8e4b6d..3cb68d8e4 100644
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/node-exporter-serviceaccount.yaml
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-node-exporter-serviceaccount.yaml
@@ -1,5 +1,5 @@
 {{ if .Values.global.prometheus.enabled }}
-{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}}
+{{- if and .Values.prometheus.nodeExporter.enabled .Values.prometheus.serviceAccounts.nodeExporter.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml
new file mode 100644
index 000000000..18c0630a6
--- /dev/null
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-deployment.yaml
@@ -0,0 +1,100 @@
+{{ if .Values.global.prometheus.enabled }}
+{{- if .Values.prometheus.pushgateway.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ selector:
+ {{- if .Values.prometheus.pushgateway.schedulerName }}
+ schedulerName: "{{ .Values.prometheus.pushgateway.schedulerName }}"
+ {{- end }}
+ matchLabels:
+ {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }}
+ replicas: {{ .Values.prometheus.pushgateway.replicaCount }}
+ {{- if .Values.prometheus.pushgateway.strategy }}
+ strategy:
+{{ toYaml .Values.prometheus.pushgateway.strategy | indent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ {{- if .Values.prometheus.pushgateway.podAnnotations }}
+ annotations:
+{{ toYaml .Values.prometheus.pushgateway.podAnnotations | indent 8 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 8 }}
+ spec:
+ serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }}
+{{- if .Values.prometheus.pushgateway.priorityClassName }}
+ priorityClassName: "{{ .Values.prometheus.pushgateway.priorityClassName }}"
+{{- end }}
+ containers:
+ - name: {{ template "prometheus.name" . }}-{{ .Values.prometheus.pushgateway.name }}
+ image: "{{ .Values.prometheus.pushgateway.image.repository }}:{{ .Values.prometheus.pushgateway.image.tag }}"
+ imagePullPolicy: "{{ .Values.prometheus.pushgateway.image.pullPolicy }}"
+ args:
+ {{- range $key, $value := .Values.prometheus.pushgateway.extraArgs }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ ports:
+ - containerPort: 9091
+ livenessProbe:
+ httpGet:
+ {{- if (index .Values.prometheus "pushgateway" "extraArgs" "web.route-prefix") }}
+ path: /{{ index .Values.prometheus "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy
+ {{- else }}
+ path: /-/healthy
+ {{- end }}
+ port: 9091
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ readinessProbe:
+ httpGet:
+ {{- if (index .Values.prometheus "pushgateway" "extraArgs" "web.route-prefix") }}
+ path: /{{ index .Values.prometheus "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready
+ {{- else }}
+ path: /-/ready
+ {{- end }}
+ port: 9091
+ initialDelaySeconds: 10
+ timeoutSeconds: 10
+ resources:
+{{ toYaml .Values.prometheus.pushgateway.resources | indent 12 }}
+ {{- if .Values.prometheus.pushgateway.persistentVolume.enabled }}
+ volumeMounts:
+ - name: storage-volume
+ mountPath: "{{ .Values.prometheus.pushgateway.persistentVolume.mountPath }}"
+ subPath: "{{ .Values.prometheus.pushgateway.persistentVolume.subPath }}"
+ {{- end }}
+ {{- if .Values.prometheus.imagePullSecrets }}
+ imagePullSecrets:
+ {{ toYaml .Values.prometheus.imagePullSecrets | indent 2 }}
+ {{- end }}
+ {{- if .Values.prometheus.pushgateway.nodeSelector }}
+ nodeSelector:
+{{ toYaml .Values.prometheus.pushgateway.nodeSelector | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.pushgateway.securityContext }}
+ securityContext:
+{{ toYaml .Values.prometheus.pushgateway.securityContext | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.pushgateway.tolerations }}
+ tolerations:
+{{ toYaml .Values.prometheus.pushgateway.tolerations | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.pushgateway.affinity }}
+ affinity:
+{{ toYaml .Values.prometheus.pushgateway.affinity | indent 8 }}
+ {{- end }}
+ {{- if .Values.prometheus.pushgateway.persistentVolume.enabled }}
+ volumes:
+ - name: storage-volume
+ persistentVolumeClaim:
+ claimName: {{ if .Values.prometheus.pushgateway.persistentVolume.existingClaim }}{{ .Values.prometheus.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }}
+ {{- end -}}
+{{- end }}
+{{ end }}
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-ingress.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-ingress.yaml
similarity index 53%
rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-ingress.yaml
rename to charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-ingress.yaml
index 7c40ca634..2d3f1d283 100644
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-ingress.yaml
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-ingress.yaml
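Review bot: `schedulerName` appears to be rendered inside `spec.selector` — the `{{- if .Values.prometheus.pushgateway.schedulerName }}` block sits between `selector:` and `matchLabels:` — but a Deployment's label selector has no such field, so a set value yields an unknown key that strict/server-side validation rejects and older servers silently drop; either way the requested scheduler is never used. Move the three lines into the pod template next to `serviceAccountName:` under `template.spec`: `{{- if .Values.prometheus.pushgateway.schedulerName }}` / `schedulerName: "{{ .Values.prometheus.pushgateway.schedulerName }}"` / `{{- end }}`, which is where the new prometheus-server deployment in this commit places the same field. Indentation is not recoverable from this rendering, so confirm the nesting in the file before moving it.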
@@ -1,21 +1,15 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} +{{- if and .Values.prometheus.pushgateway.enabled .Values.prometheus.pushgateway.ingress.enabled -}} {{- $releaseName := .Release.Name -}} {{- $serviceName := include "prometheus.pushgateway.fullname" . }} -{{- $servicePort := .Values.pushgateway.service.servicePort -}} -{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} +{{- $servicePort := .Values.prometheus.pushgateway.service.servicePort -}} +{{- $extraPaths := .Values.prometheus.pushgateway.ingress.extraPaths -}} apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} kind: Ingress metadata: -{{- if .Values.pushgateway.ingress.annotations }} +{{- if .Values.prometheus.pushgateway.ingress.annotations }} annotations: -{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} +{{ toYaml .Values.prometheus.pushgateway.ingress.annotations | indent 4}} {{- end }} labels: {{- include "prometheus.pushgateway.labels" . | nindent 4 }} @@ -23,7 +17,7 @@ metadata: namespace: {{ .Release.Namespace }} spec: rules: - {{- range .Values.pushgateway.ingress.hosts }} + {{- range .Values.prometheus.pushgateway.ingress.hosts }} {{- $url := splitList "/" . }} - host: {{ first $url }} http: @@ -36,9 +30,9 @@ spec: serviceName: {{ $serviceName }} servicePort: {{ $servicePort }} {{- end -}} -{{- if .Values.pushgateway.ingress.tls }} +{{- if .Values.prometheus.pushgateway.ingress.tls }} tls: -{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} +{{ toYaml .Values.prometheus.pushgateway.ingress.tls | indent 4 }} {{- end -}} {{- end -}} {{ end }} 
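Review bot: `apiVersion` is now hard-wired to `networking.k8s.io/v1` (the v1beta1/extensions fallbacks are deleted), but the backend in the last hunk is still the pre-v1 shape, `serviceName: {{ $serviceName }}` / `servicePort: {{ $servicePort }}`, and no `pathType` is visible; in the v1 API the backend must be `service.name`/`service.port` and `pathType` is required, so the rendered Ingress would be rejected by the API server. Unless the lines between the second and third hunks (old 26–35, not shown) already emit a v1 backend inside a conditional that this commit left untouched, the path entry needs rewriting as below. The `range` that encloses the backend opens in the second hunk and its `paths:` list is outside the visible hunks, so the surrounding indentation must be taken from the file.
```yaml
          # … unchanged: path entry under http.paths …
            pathType: ImplementationSpecific
            backend:
              service:
                name: {{ $serviceName }}
                port:
                  number: {{ $servicePort }}
```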
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-networkpolicy.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-networkpolicy.yaml similarity index 79% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-networkpolicy.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-networkpolicy.yaml index c40baa2ec..b6e41eedf 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-networkpolicy.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-networkpolicy.yaml @@ -1,6 +1,6 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} -apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +{{- if and .Values.prometheus.pushgateway.enabled .Values.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "prometheus.pushgateway.fullname" . }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pdb.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pdb.yaml similarity index 59% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pdb.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pdb.yaml index ad5cc84a0..00f7e4502 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-pdb.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pdb.yaml 
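Review bot: The gate was moved to `.Values.prometheus.pushgateway.enabled` but its second operand stayed at `.Values.networkPolicy.enabled`, whereas every sibling flag in this commit (`.Values.prometheus.rbac.create`, `.Values.prometheus.serviceAccounts.pushgateway.create`) moved under `prometheus`. If `networkPolicy` was relocated with the rest of the values, this `and` evaluates a missing key as false and the NetworkPolicy is silently never rendered — a quiet loss of the pushgateway's network isolation that nothing in the chart would flag. Please confirm which key the values file defines and, if it moved, change the line to `{{- if and .Values.prometheus.pushgateway.enabled .Values.prometheus.networkPolicy.enabled -}}`. A `helm template` check asserting the NetworkPolicy object is still emitted with the policy enabled would catch this regression.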
@@ -1,17 +1,13 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.pushgateway.podDisruptionBudget.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1" -}} +{{- if .Values.prometheus.pushgateway.podDisruptionBudget.enabled }} apiVersion: policy/v1 -{{- else}} -apiVersion: policy/v1beta1 -{{- end }} kind: PodDisruptionBudget metadata: name: {{ template "prometheus.pushgateway.fullname" . }} labels: {{- include "prometheus.pushgateway.labels" . | nindent 4 }} spec: - maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.prometheus.pushgateway.podDisruptionBudget.maxUnavailable }} selector: matchLabels: {{- include "prometheus.pushgateway.labels" . | nindent 6 }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pvc.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pvc.yaml new file mode 100644 index 000000000..ba22f5921 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-pvc.yaml 
@@ -0,0 +1,35 @@
+{{ if .Values.global.prometheus.enabled }}
+{{- if .Values.prometheus.pushgateway.enabled -}}
+{{- if .Values.prometheus.pushgateway.persistentVolume.enabled -}}
+{{- if not .Values.prometheus.pushgateway.persistentVolume.existingClaim -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ {{- if .Values.prometheus.pushgateway.persistentVolume.annotations }}
+ annotations:
+{{ toYaml .Values.prometheus.pushgateway.persistentVolume.annotations | indent 4 }}
+ {{- end }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+ accessModes:
+{{ toYaml .Values.prometheus.pushgateway.persistentVolume.accessModes | indent 4 }}
+{{- if .Values.prometheus.pushgateway.persistentVolume.storageClass }}
+{{- if (eq "-" .Values.prometheus.pushgateway.persistentVolume.storageClass) }}
+ storageClassName: ""
+{{- else }}
+ storageClassName: "{{ .Values.prometheus.pushgateway.persistentVolume.storageClass }}"
+{{- end }}
+{{- end }}
+{{- if .Values.prometheus.pushgateway.persistentVolume.volumeBindingMode }}
+ volumeBindingModeName: "{{ .Values.prometheus.pushgateway.persistentVolume.volumeBindingMode }}"
+{{- end }}
+ resources:
+ requests:
+ storage: "{{ .Values.prometheus.pushgateway.persistentVolume.size }}"
+{{- end -}}
+{{- end -}}
+{{ end }}
+{{- end -}}
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-service.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-service.yaml
new file mode 100644
index 000000000..3e8811704
--- /dev/null
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-service.yaml
@@ -0,0 +1,43 @@
+{{ if .Values.global.prometheus.enabled }}
+{{- if .Values.prometheus.pushgateway.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+{{- if .Values.prometheus.pushgateway.service.annotations }}
+ annotations:
+{{ toYaml .Values.prometheus.pushgateway.service.annotations | indent 4}}
+{{- end }}
+ labels:
+ {{- include "prometheus.pushgateway.labels" . | nindent 4 }}
+{{- if .Values.prometheus.pushgateway.service.labels }}
+{{ toYaml .Values.prometheus.pushgateway.service.labels | indent 4}}
+{{- end }}
+ name: {{ template "prometheus.pushgateway.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+spec:
+{{- if .Values.prometheus.pushgateway.service.clusterIP }}
+ clusterIP: {{ .Values.prometheus.pushgateway.service.clusterIP }}
+{{- end }}
+{{- if .Values.prometheus.pushgateway.service.externalIPs }}
+ externalIPs:
+{{ toYaml .Values.prometheus.pushgateway.service.externalIPs | indent 4 }}
+{{- end }}
+{{- if .Values.prometheus.pushgateway.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.prometheus.pushgateway.service.loadBalancerIP }}
+{{- end }}
+{{- if .Values.prometheus.pushgateway.service.loadBalancerSourceRanges }}
+ loadBalancerSourceRanges:
+ {{- range $cidr := .Values.prometheus.pushgateway.service.loadBalancerSourceRanges }}
+ - {{ $cidr }}
+ {{- end }}
+{{- end }}
+ ports:
+ - name: http
+ port: {{ .Values.prometheus.pushgateway.service.servicePort }}
+ protocol: TCP
+ targetPort: 9091
+ selector:
+ {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }}
+ type: "{{ .Values.prometheus.pushgateway.service.type }}"
+{{- end }}
+{{ end }}
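Review bot: `volumeBindingModeName` is not a field of `PersistentVolumeClaim` (`volumeBindingMode` belongs to `StorageClass`), so when `.Values.prometheus.pushgateway.persistentVolume.volumeBindingMode` is set the rendered PVC carries an unknown key that strict/server-side validation rejects and that is otherwise silently ignored; either way the setting has no effect on binding. Drop the three lines from `{{- if .Values.prometheus.pushgateway.persistentVolume.volumeBindingMode }}` through the matching `{{- end }}`, or document in the values file that the option is not honoured for this claim and must be configured on the StorageClass instead. The four `end` tags close the four opening `if`s, so the rest of the hunk is structurally consistent with the other new manifests.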
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-serviceaccount.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-serviceaccount.yaml similarity index 73% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-serviceaccount.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-serviceaccount.yaml index b249d216d..1339e4b6b 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/pushgateway-serviceaccount.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-pushgateway-serviceaccount.yaml @@ -1,5 +1,5 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} +{{- if and .Values.prometheus.pushgateway.enabled .Values.prometheus.serviceAccounts.pushgateway.create -}} apiVersion: v1 kind: ServiceAccount metadata: diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrole.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrole.yaml similarity index 69% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrole.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrole.yaml index 7f9758707..367219555 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrole.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrole.yaml @@ -1,5 +1,5 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.server.enabled .Values.rbac.create -}} +{{- if and .Values.prometheus.server.enabled .Values.prometheus.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
@@ -7,16 +7,6 @@ metadata: {{- include "prometheus.server.labels" . | nindent 4 }} name: {{ template "prometheus.server.fullname" . }} rules: -{{- if .Values.podSecurityPolicy.enabled }} - - apiGroups: - - extensions - resources: - - podsecuritypolicies - verbs: - - use - resourceNames: - - {{ template "prometheus.server.fullname" . }} -{{- end }} - apiGroups: - "" resources: @@ -33,7 +23,7 @@ rules: - list - watch - apiGroups: - - "extensions" + - networking.k8s.io resources: - ingresses/status - ingresses diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrolebinding.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrolebinding.yaml similarity index 86% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrolebinding.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrolebinding.yaml index 995bc248e..e03d8e443 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-clusterrolebinding.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-clusterrolebinding.yaml @@ -1,5 +1,5 @@ {{ if .Values.global.prometheus.enabled }} -{{- if and .Values.server.enabled .Values.rbac.create -}} +{{- if and .Values.prometheus.server.enabled .Values.prometheus.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-configmap.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-configmap.yaml similarity index 61% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-configmap.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-configmap.yaml index 27d1c74ad..ca91b2d4a 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-configmap.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-configmap.yaml 
@@ -1,6 +1,6 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if (empty .Values.server.configMapOverrideName) -}} +{{- if .Values.prometheus.server.enabled -}} +{{- if (empty .Values.prometheus.server.configMapOverrideName) -}} apiVersion: v1 kind: ConfigMap metadata: @@ -10,24 +10,24 @@ metadata: namespace: {{ .Release.Namespace }} data: {{- $root := . -}} -{{- range $key, $value := .Values.serverFiles }} +{{- range $key, $value := .Values.prometheus.serverFiles }} {{ $key }}: | {{- if eq $key "prometheus.yml" }} global: -{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{ $root.Values.prometheus.server.global | toYaml | trimSuffix "\n" | indent 6 }} {{- if $root.Values.global.amp.enabled }} remote_write: - url: {{ $root.Values.global.amp.remoteWriteService }} sigv4: {{ $root.Values.global.amp.sigv4 | toYaml | indent 8 }} {{- end }} -{{- if $root.Values.server.remoteWrite }} +{{- if $root.Values.prometheus.server.remoteWrite }} remote_write: -{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{ $root.Values.prometheus.server.remoteWrite | toYaml | indent 4 }} {{- end }} -{{- if $root.Values.server.remoteRead }} +{{- if $root.Values.prometheus.server.remoteRead }} remote_read: -{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{ $root.Values.prometheus.server.remoteRead | toYaml | indent 4 }} {{- end }} {{- end }} {{- if eq $key "alerts" }} 
@@ -45,25 +45,25 @@ data: {{ toYaml $value | default "{}" | indent 4 }} {{- end }} {{- if eq $key "prometheus.yml" -}} -{{- if $root.Values.extraScrapeConfigs }} -{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- if $root.Values.prometheus.extraScrapeConfigs }} +{{ tpl $root.Values.prometheus.extraScrapeConfigs $root | indent 4 }} {{- end -}} -{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} +{{- if or ($root.Values.prometheus.alertmanager.enabled) ($root.Values.prometheus.server.alertmanagers) }} alerting: -{{- if $root.Values.alertRelabelConfigs }} -{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.prometheus.alertRelabelConfigs }} +{{ $root.Values.prometheus.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} {{- end }} alertmanagers: -{{- if $root.Values.server.alertmanagers }} -{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- if $root.Values.prometheus.server.alertmanagers }} +{{ toYaml $root.Values.prometheus.server.alertmanagers | indent 8 }} {{- else }} - kubernetes_sd_configs: - role: pod tls_config: ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token - {{- if $root.Values.alertmanager.prefixURL }} - path_prefix: {{ $root.Values.alertmanager.prefixURL }} + {{- if $root.Values.prometheus.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.prometheus.alertmanager.prefixURL }} {{- end }} relabel_configs: - source_labels: [__meta_kubernetes_namespace] 
@@ -76,7 +76,7 @@ data: regex: alertmanager action: keep - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_probe] - regex: {{ index $root.Values.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} + regex: {{ index $root.Values.prometheus.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} action: keep - source_labels: [__meta_kubernetes_pod_container_port_number] regex: diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml new file mode 100644 index 000000000..2151b4f8a --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-deployment.yaml 
@@ -0,0 +1,253 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if .Values.prometheus.server.enabled -}} +{{- if not .Values.prometheus.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: +{{- if .Values.prometheus.server.deploymentAnnotations }} + annotations: +{{ toYaml .Values.prometheus.server.deploymentAnnotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.prometheus.server.replicaCount }} + {{- if .Values.prometheus.server.strategy }} + strategy: +{{ toYaml .Values.prometheus.server.strategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.prometheus.server.podAnnotations }} + annotations: +{{ toYaml .Values.prometheus.server.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.prometheus.server.podLabels}} + {{ toYaml .Values.prometheus.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.prometheus.server.priorityClassName }} + priorityClassName: "{{ .Values.prometheus.server.priorityClassName }}" +{{- end }} +{{- if .Values.prometheus.server.schedulerName }} + schedulerName: "{{ .Values.prometheus.server.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + {{- if .Values.prometheus.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.prometheus.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.prometheus.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.server.name }}-{{ .Values.prometheus.configmapReload.prometheus.name }} + image: "{{ .Values.prometheus.configmapReload.prometheus.image.repository }}:{{ .Values.prometheus.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.configmapReload.prometheus.image.pullPolicy }}" + args: + - --watched-dir=/etc/config + - --reload-url=http://127.0.0.1:9090{{ .Values.prometheus.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.prometheus.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraVolumeDirs }} + - --watched-dir={{ . }} + {{- end }} + resources: + {{- toYaml .Values.prometheus.configmapReload.prometheus.resources | nindent 12 }} + securityContext: + {{- if .Values.global.containerSecurityContext }} + {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- else }} + {{- toYaml .Values.prometheus.configmapReload.prometheus.containerSecurityContext | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.prometheus.selfsignedCertConfigMapName }} + - name: {{ .Values.prometheus.selfsignedCertConfigMapName }} + mountPath: /etc/ssl/certs/my-cert.pem + subPath: my-cert.pem + readOnly: false + {{- end }} + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.server.name }} + image: "{{ .Values.prometheus.server.image.repository }}:{{ .Values.prometheus.server.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.server.image.pullPolicy }}" + {{- if .Values.prometheus.server.env }} + env: +{{ toYaml .Values.prometheus.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.prometheus.server.retention }} + - --storage.tsdb.retention.time={{ .Values.prometheus.server.retention }} + {{- end }} + {{- if .Values.prometheus.server.retentionSize }} + - --storage.tsdb.retention.size={{ .Values.prometheus.server.retentionSize }} + {{- end }} + - --config.file={{ .Values.prometheus.server.configPath }} + - --storage.tsdb.path={{ .Values.prometheus.server.persistentVolume.mountPath }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.prometheus.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- if .Values.prometheus.server.baseURL }} + - --web.external-url={{ .Values.prometheus.server.baseURL }} + {{- end }} + + {{- range $key, $value := .Values.prometheus.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: {{ .Values.prometheus.server.prefixURL }}/-/ready + port: 9090 + initialDelaySeconds: {{ .Values.prometheus.server.readinessProbeInitialDelay }} + timeoutSeconds: {{ .Values.prometheus.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.prometheus.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.prometheus.server.readinessProbeSuccessThreshold }} + livenessProbe: + httpGet: + path: {{ .Values.prometheus.server.prefixURL }}/-/healthy + port: 9090 + initialDelaySeconds: {{ .Values.prometheus.server.livenessProbeInitialDelay }} + timeoutSeconds: {{ .Values.prometheus.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.prometheus.server.livenessProbeFailureThreshold }} + successThreshold: 
{{ .Values.prometheus.server.livenessProbeSuccessThreshold }} + resources: + {{- toYaml .Values.prometheus.server.resources | nindent 12 }} + securityContext: + {{- if .Values.global.containerSecurityContext }} + {{- toYaml .Values.global.containerSecurityContext | nindent 12 }} + {{- else }} + {{- toYaml .Values.prometheus.server.containerSecurityContext | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.prometheus.server.persistentVolume.mountPath }} + subPath: "{{ .Values.prometheus.server.persistentVolume.subPath }}" + {{- range .Values.prometheus.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.prometheus.server.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.prometheus.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.prometheus.server.extraVolumeMounts }} + {{ toYaml .Values.prometheus.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.prometheus.server.sidecarContainers }} + {{- toYaml .Values.prometheus.server.sidecarContainers | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.prometheus.imagePullSecrets | indent 0 }} + {{- end }} + {{- if .Values.prometheus.server.nodeSelector }} + nodeSelector: + {{- toYaml .Values.prometheus.server.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.server.securityContext }} + securityContext: + {{- if not .Values.prometheus.server.securityContext.fsGroup }} + fsGroupChangePolicy: OnRootMismatch + fsGroup: 1001 + {{- end }} + {{- toYaml 
.Values.prometheus.server.securityContext | nindent 8 }} + {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} + securityContext: + {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} + {{- else if .Values.global.securityContext }} + securityContext: + {{- toYaml .Values.global.securityContext | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.server.tolerations }} + tolerations: +{{ toYaml .Values.prometheus.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.prometheus.server.affinity }} + affinity: +{{ toYaml .Values.prometheus.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.prometheus.server.terminationGracePeriodSeconds }} + volumes: + {{- if .Values.prometheus.selfsignedCertConfigMapName }} + - name: {{ .Values.prometheus.selfsignedCertConfigMapName }} + configMap: + name: {{ .Values.prometheus.selfsignedCertConfigMapName }} + {{- end }} + - name: config-volume + configMap: + name: {{ if .Values.prometheus.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.prometheus.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + - name: storage-volume + {{- if .Values.prometheus.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.prometheus.server.persistentVolume.existingClaim }}{{ .Values.prometheus.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . 
}}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.prometheus.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.prometheus.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- if .Values.prometheus.server.extraVolumes }} +{{ toYaml .Values.prometheus.server.extraVolumes | indent 8}} +{{- end }} + {{- range .Values.prometheus.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.prometheus.server.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.prometheus.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ tpl .secretName $ }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} +{{- end -}} +{{- end -}} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-ingress.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-ingress.yaml new file mode 100644 index 000000000..18a7835fc --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-ingress.yaml 
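Review bot: The self-signed CA ConfigMap mount in the config-reloader container is declared `readOnly: false`; the reloader never writes a CA bundle, so it should be `readOnly: true` like the `config-volume` mount beside it. That ConfigMap is also mounted only in the reloader and not in the prometheus server container, which appears to be the process that would need the CA for TLS to targets — confirm which container is intended. Separately, `imagePullSecrets` is rendered with `indent 0` here but with `indent 2` in the new prometheus-server-statefulset.yaml; since indentation is not recoverable from this view, verify with `helm template` that both render a valid pod spec and align them.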
@@ -0,0 +1,45 @@ +{{- if and (.Values.global.prometheus.enabled) (.Values.prometheus.server.enabled) (.Values.prometheus.server.ingress.enabled) }} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.prometheus.server.service.servicePort -}} +{{- $extraPaths := .Values.prometheus.server.ingress.extraPaths -}} +{{- $pathType := .Values.prometheus.server.ingress.pathType -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: +{{- if .Values.prometheus.server.ingress.annotations }} + annotations: +{{ toYaml .Values.prometheus.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.prometheus.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: +{{- if .Values.prometheus.server.ingress.className }} + ingressClassName: {{ .Values.prometheus.server.ingress.className }} +{{- end }} + rules: + {{- range .Values.prometheus.server.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: /{{ rest $url | join "/" }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- end -}} +{{- if .Values.prometheus.server.ingress.tls }} + tls: +{{ toYaml .Values.prometheus.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-networkpolicy.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-networkpolicy.yaml similarity index 61% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-networkpolicy.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-networkpolicy.yaml index 34ee1fc3d..23b04419c 100644 
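Review bot: `pathType: {{ $pathType }}` renders an empty value when `prometheus.server.ingress.pathType` is unset, and `pathType` is a required field in `networking.k8s.io/v1`, so the Ingress would be rejected by the API server; `pathType: {{ $pathType | default "Prefix" }}` keeps the template safe if values.yaml does not already default it — confirm against the chart's values. The hosts loop builds the path as `/{{ rest $url | join "/" }}`, so a host entry without a path component maps to `/`; a short comment above the `range` stating that hosts may carry a path suffix would make that convention visible to operators.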
--- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-networkpolicy.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-networkpolicy.yaml @@ -1,7 +1,5 @@ -{{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.networkPolicy.enabled }} -apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +{{- if and (.Values.global.prometheus.enabled) (.Values.prometheus.server.enabled) (.Values.networkPolicy.enabled) }} +apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: {{ template "prometheus.server.fullname" . }} @@ -15,6 +13,4 @@ spec: ingress: - ports: - port: 9090 -{{- end }} -{{- end }} -{{ end }} +{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pdb.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-pdb.yaml similarity index 59% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pdb.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-pdb.yaml index 0514a234d..52ceeb248 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-pdb.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-pdb.yaml @@ -1,17 +1,13 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.podDisruptionBudget.enabled }} -{{- if .Capabilities.APIVersions.Has "policy/v1" -}} +{{- if .Values.prometheus.server.podDisruptionBudget.enabled }} apiVersion: policy/v1 -{{- else}} -apiVersion: policy/v1beta1 -{{- end }} kind: PodDisruptionBudget metadata: name: {{ template "prometheus.server.fullname" . }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} spec: - maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.prometheus.server.podDisruptionBudget.maxUnavailable }} selector: matchLabels: {{- include "prometheus.server.labels" . | nindent 6 }} 
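Review bot: The rewritten guard reads `.Values.networkPolicy.enabled` while every other value in this file and the sibling renamed templates moved from the subchart namespace to `.Values.prometheus.*` (for example `.Values.prometheus.server.enabled` on the same line); if the parent chart has its own top-level `networkPolicy` key this now ties the Prometheus NetworkPolicy to an unrelated setting, and if it has none the policy is never rendered. Confirm which key is intended; `.Values.prometheus.networkPolicy.enabled` seems the consistent choice. The file also loses its trailing newline (`\ No newline at end of file`), worth restoring for consistency with the other renamed templates.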
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-pvc.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-pvc.yaml new file mode 100644 index 000000000..301a33e1a --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-pvc.yaml @@ -0,0 +1,37 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if .Values.prometheus.server.enabled -}} +{{- if not .Values.prometheus.server.statefulSet.enabled -}} +{{- if .Values.prometheus.server.persistentVolume.enabled -}} +{{- if not .Values.prometheus.server.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.prometheus.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.prometheus.server.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + accessModes: +{{ toYaml .Values.prometheus.server.persistentVolume.accessModes | indent 4 }} +{{- if .Values.prometheus.server.persistentVolume.storageClass }} +{{- if (eq "-" .Values.prometheus.server.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.prometheus.server.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.prometheus.server.persistentVolume.volumeBindingMode }} + volumeBindingModeName: "{{ .Values.prometheus.server.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.prometheus.server.persistentVolume.size }}" +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{ end }} 
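Review bot: `volumeBindingModeName` is not a field of the PersistentVolumeClaim spec — binding mode is a StorageClass property — so when `prometheus.server.persistentVolume.volumeBindingMode` is set the rendered manifest carries an unknown key that strict server-side field validation rejects and older servers silently drop. Either remove the block or document in values.yaml that the setting has no effect on the claim. The surrounding guards (claim created only when `existingClaim` is unset and the StatefulSet is disabled) do match the volume selection in prometheus-server-deployment.yaml.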
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service-headless.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-service-headless.yaml similarity index 51% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service-headless.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-service-headless.yaml index 30e57620d..019803d30 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-service-headless.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-service-headless.yaml @@ -1,17 +1,17 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.server.statefulSet.enabled -}} +{{- if .Values.prometheus.server.enabled -}} +{{- if .Values.prometheus.server.statefulSet.enabled -}} apiVersion: v1 kind: Service metadata: -{{- if .Values.server.statefulSet.headless.annotations }} +{{- if .Values.prometheus.server.statefulSet.headless.annotations }} annotations: -{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{ toYaml .Values.prometheus.server.statefulSet.headless.annotations | indent 4 }} {{- end }} labels: {{- include "prometheus.server.labels" . | nindent 4 }} -{{- if .Values.server.statefulSet.headless.labels }} -{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- if .Values.prometheus.server.statefulSet.headless.labels }} +{{ toYaml .Values.prometheus.server.statefulSet.headless.labels | indent 4 }} {{- end }} name: {{ template "prometheus.server.fullname" . }}-headless namespace: {{ .Release.Namespace }} @@ -19,7 +19,7 @@ spec: clusterIP: None ports: - name: http - port: {{ .Values.server.statefulSet.headless.servicePort }} + port: {{ .Values.prometheus.server.statefulSet.headless.servicePort }} protocol: TCP targetPort: 9090 selector: 
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-service.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-service.yaml new file mode 100644 index 000000000..69f093c38 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-service.yaml 
@@ -0,0 +1,62 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if .Values.prometheus.server.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.prometheus.server.service.annotations }} + annotations: +{{ toYaml .Values.prometheus.server.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.prometheus.server.service.labels }} +{{ toYaml .Values.prometheus.server.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: +{{- if .Values.prometheus.server.service.clusterIP }} + clusterIP: {{ .Values.prometheus.server.service.clusterIP }} +{{- end }} +{{- if .Values.prometheus.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.prometheus.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.prometheus.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.prometheus.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.prometheus.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.prometheus.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.prometheus.server.service.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.prometheus.server.service.nodePort }} + nodePort: {{ .Values.prometheus.server.service.nodePort }} + {{- end }} + {{- if .Values.prometheus.server.service.gRPC.enabled }} + - name: grpc + port: {{ .Values.prometheus.server.service.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.prometheus.server.service.gRPC.nodePort }} + nodePort: {{ .Values.prometheus.server.service.gRPC.nodePort }} + {{- end }} + {{- end }} + selector: + {{- if and .Values.prometheus.server.statefulSet.enabled .Values.prometheus.server.service.statefulsetReplica.enabled }} + 
statefulset.kubernetes.io/pod-name: {{ .Release.Name }}-{{ .Values.prometheus.server.name }}-{{ .Values.prometheus.server.service.statefulsetReplica.replica }} + {{- else -}} + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- if .Values.prometheus.server.service.sessionAffinity }} + sessionAffinity: {{ .Values.prometheus.server.service.sessionAffinity }} +{{- end }} + {{- end }} + type: "{{ .Values.prometheus.server.service.type }}" +{{- end -}} +{{ end }} diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-serviceaccount.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-serviceaccount.yaml similarity index 67% rename from charts/kubecost/cost-analyzer/charts/prometheus/templates/server-serviceaccount.yaml rename to charts/kubecost/cost-analyzer/templates/prometheus-server-serviceaccount.yaml index 78e08331b..17ee234bb 100644 --- a/charts/kubecost/cost-analyzer/charts/prometheus/templates/server-serviceaccount.yaml +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-serviceaccount.yaml @@ -1,6 +1,6 @@ {{ if .Values.global.prometheus.enabled }} -{{- if .Values.server.enabled -}} -{{- if .Values.serviceAccounts.server.create }} +{{- if .Values.prometheus.server.enabled -}} +{{- if .Values.prometheus.serviceAccounts.server.create }} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: {{- include "prometheus.server.labels" . | nindent 4 }} name: {{ template "prometheus.serviceAccountName.server" . }} namespace: {{ .Release.Namespace }} - {{- with .Values.serviceAccounts.server.annotations }} + {{- with .Values.prometheus.serviceAccounts.server.annotations }} annotations: {{- . | toYaml | nindent 4 }} {{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml new file mode 100644 index 000000000..dc90334c6 --- /dev/null 
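Review bot: `sessionAffinity` is emitted only inside the `else` branch of the `statefulsetReplica.enabled` check, so a Service pinned to a single StatefulSet replica silently ignores `prometheus.server.service.sessionAffinity`; move that `{{- if ... sessionAffinity }}` block out of the selector branches to sit beside `type:` so it applies in both cases. `externalIPs`, `loadBalancerIP`, `loadBalancerSourceRanges` and `type` are passed straight through from values, and nothing in these templates adds authentication in front of port 9090 (or 10901 when gRPC is enabled), so a values.yaml comment pointing at `loadBalancerSourceRanges` and the NetworkPolicy template as the intended controls for non-ClusterIP types would help operators.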
+++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-statefulset.yaml 
@@ -0,0 +1,221 @@ +{{ if .Values.global.prometheus.enabled }} +{{- if .Values.prometheus.server.enabled -}} +{{- if .Values.prometheus.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.prometheus.server.statefulSet.annotations }} + annotations: +{{ toYaml .Values.prometheus.server.statefulSet.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- if .Values.prometheus.server.statefulSet.labels}} + {{ toYaml .Values.prometheus.server.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + serviceName: {{ template "prometheus.server.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.prometheus.server.replicaCount }} + podManagementPolicy: {{ .Values.prometheus.server.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.prometheus.server.podAnnotations }} + annotations: +{{ toYaml .Values.prometheus.server.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.prometheus.server.statefulSet.labels}} + {{ toYaml .Values.prometheus.server.statefulSet.labels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.prometheus.server.priorityClassName }} + priorityClassName: "{{ .Values.prometheus.server.priorityClassName }}" +{{- end }} +{{- if .Values.prometheus.server.schedulerName }} + schedulerName: "{{ .Values.prometheus.server.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + containers: + {{- if .Values.prometheus.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . 
}}-{{ .Values.prometheus.server.name }}-{{ .Values.prometheus.configmapReload.prometheus.name }} + image: "{{ .Values.prometheus.configmapReload.prometheus.image.repository }}:{{ .Values.prometheus.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.configmapReload.prometheus.image.pullPolicy }}" + args: + - --watched-dir=/etc/config + - --reload-url=http://127.0.0.1:9090{{ .Values.prometheus.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.prometheus.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraVolumeDirs }} + - --watched-dir={{ . }} + {{- end }} + resources: +{{ toYaml .Values.prometheus.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + - name: {{ template "prometheus.name" . }}-{{ .Values.prometheus.server.name }} + image: "{{ .Values.prometheus.server.image.repository }}:{{ .Values.prometheus.server.image.tag }}" + imagePullPolicy: "{{ .Values.prometheus.server.image.pullPolicy }}" + {{- if .Values.prometheus.server.env }} + env: +{{ toYaml .Values.prometheus.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.prometheus.server.retention }} + - --storage.tsdb.retention.time={{ .Values.prometheus.server.retention }} + {{- end }} + - --config.file={{ .Values.prometheus.server.configPath }} + - --storage.tsdb.path={{ .Values.prometheus.server.persistentVolume.mountPath }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.prometheus.server.extraFlags }} + - --{{ . 
}} + {{- end }} + {{- range $key, $value := .Values.prometheus.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.prometheus.server.baseURL }} + - --web.external-url={{ .Values.prometheus.server.baseURL }} + {{- end }} + ports: + - containerPort: 9090 + readinessProbe: + httpGet: + path: {{ .Values.prometheus.server.prefixURL }}/-/ready + port: 9090 + initialDelaySeconds: {{ .Values.prometheus.server.readinessProbeInitialDelay }} + timeoutSeconds: {{ .Values.prometheus.server.readinessProbeTimeout }} + livenessProbe: + httpGet: + path: {{ .Values.prometheus.server.prefixURL }}/-/healthy + port: 9090 + initialDelaySeconds: {{ .Values.prometheus.server.livenessProbeInitialDelay }} + timeoutSeconds: {{ .Values.prometheus.server.livenessProbeTimeout }} + resources: +{{ toYaml .Values.prometheus.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.prometheus.server.persistentVolume.mountPath }} + subPath: "{{ .Values.prometheus.server.persistentVolume.subPath }}" + {{- range .Values.prometheus.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.prometheus.server.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.prometheus.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.prometheus.server.extraVolumeMounts }} + {{ toYaml .Values.prometheus.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.prometheus.server.sidecarContainers }} + {{- toYaml .Values.prometheus.server.sidecarContainers | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.imagePullSecrets 
}} + imagePullSecrets: + {{ toYaml .Values.prometheus.imagePullSecrets | indent 2 }} + {{- end }} + {{- if .Values.prometheus.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.prometheus.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.prometheus.server.securityContext }} + securityContext: +{{ toYaml .Values.prometheus.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.prometheus.server.tolerations }} + tolerations: +{{ toYaml .Values.prometheus.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.prometheus.server.affinity }} + affinity: +{{ toYaml .Values.prometheus.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.prometheus.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + configMap: + name: {{ if .Values.prometheus.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.prometheus.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . 
}}{{- end }} + {{- range .Values.prometheus.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.prometheus.server.extraConfigmapMounts }} + - name: {{ $.Values.prometheus.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.prometheus.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- end }} + {{- range .Values.prometheus.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} +{{- if .Values.prometheus.server.extraVolumes }} +{{ toYaml .Values.prometheus.server.extraVolumes | indent 8}} +{{- end }} +{{- if .Values.prometheus.server.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.prometheus.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.prometheus.server.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.prometheus.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.prometheus.server.persistentVolume.size }}" + {{- if .Values.prometheus.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.prometheus.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.prometheus.server.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: {} +{{- end }} +{{- end }} +{{- end }} +{{ end }} 
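Review bot: Neither container in the StatefulSet variant gets a `securityContext`, whereas prometheus-server-deployment.yaml sets one on both the reloader and the server (falling back from `global.containerSecurityContext` to the per-container value), and the pod-level `securityContext` here has no OpenShift/`global.securityContext` fallback either, so turning on `statefulSet.enabled` silently drops that hardening. The two templates diverge in smaller ways too: `extraSecretMounts` uses `secretName: {{ tpl .secretName $ }}` in the deployment but a plain `{{ .secretName }}` here, and `retentionSize` plus the probe `failureThreshold`/`successThreshold` values are only honored by the deployment. Extracting the shared container spec into a named template would keep both workloads identical; at minimum the container securityContext blocks below should be mirrored here.

```yaml
        # … unchanged: reloader container name/image/args/resources …
          securityContext:
            {{- if .Values.global.containerSecurityContext }}
            {{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
            {{- else }}
            {{- toYaml .Values.prometheus.configmapReload.prometheus.containerSecurityContext | nindent 12 }}
            {{- end }}
        # … unchanged: server container name/image/args/probes/resources …
          securityContext:
            {{- if .Values.global.containerSecurityContext }}
            {{- toYaml .Values.global.containerSecurityContext | nindent 12 }}
            {{- else }}
            {{- toYaml .Values.prometheus.server.containerSecurityContext | nindent 12 }}
            {{- end }}
```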
diff --git a/charts/kubecost/cost-analyzer/templates/prometheus-server-vpa.yaml b/charts/kubecost/cost-analyzer/templates/prometheus-server-vpa.yaml new file mode 100644 index 000000000..25a61f253 --- /dev/null +++ b/charts/kubecost/cost-analyzer/templates/prometheus-server-vpa.yaml @@ -0,0 +1,22 @@ +{{- if and (.Values.global.prometheus.enabled) (.Values.prometheus.server.enabled) (.Values.prometheus.server.verticalAutoscaler.enabled) }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }}-vpa + namespace: {{ .Release.Namespace }} +spec: + targetRef: + apiVersion: apps/v1 +{{- if .Values.prometheus.server.statefulSet.enabled }} + kind: StatefulSet +{{- else }} + kind: Deployment +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + updatePolicy: + updateMode: {{ .Values.prometheus.server.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.prometheus.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end }} diff --git a/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-binding-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-binding-template.yaml deleted file mode 100644 index 76110e15b..000000000 --- a/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-binding-template.yaml +++ /dev/null 
@@ -1,34 +0,0 @@
-{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }}
-{{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ template "query-service.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{ include "query-service.commonLabels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ template "query-service.serviceAccountName" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "query-service.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ template "query-service.serviceAccountName" . }}
- labels:
- {{ include "query-service.commonLabels" . | nindent 4 }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ template "query-service.serviceAccountName" . }}
-subjects:
- - kind: ServiceAccount
- name: {{ template "query-service.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-{{- end }}
-{{- end }}
diff --git a/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-template.yaml
deleted file mode 100644
index 274e50d4d..000000000
--- a/charts/kubecost/cost-analyzer/templates/query-service-cluster-role-template.yaml
+++ /dev/null
@@ -1,109 +0,0 @@ -{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }} -{{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - namespace: {{ .Release.Namespace }} - name: {{ template "query-service.serviceAccountName" . }} - labels: - {{ include "query-service.commonLabels" . | nindent 4 }} -rules: -- apiGroups: - - '' - resources: - - "pods/log" - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "query-service.serviceAccountName" . }} - labels: - {{ include "query-service.commonLabels" . | nindent 4 }} -rules: - - apiGroups: - - '' - resources: - - configmaps - - deployments - - nodes - - pods - - events - - services - - resourcequotas - - replicationcontrollers - - limitranges - - persistentvolumeclaims - - persistentvolumes - - namespaces - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - - deployments - - daemonsets - - replicasets - verbs: - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - get - - list - - watch -{{- end }} -{{- end }} 
diff --git a/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml
deleted file mode 100644
index c36565b3a..000000000
--- a/charts/kubecost/cost-analyzer/templates/query-service-deployment-template.yaml
+++ /dev/null
@@ -1,186 +0,0 @@ -{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }} -{{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ template "query-service.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "query-service.commonLabels" . | nindent 4 }} -spec: - replicas: {{ .Values.kubecostDeployment.queryServiceReplicas }} - serviceName: "query-service" - selector: - matchLabels: - app.kubernetes.io/name: query-service - app.kubernetes.io/instance: {{ .Release.Name }} - app: query-service - volumeClaimTemplates: - - metadata: - name: database-storage - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.kubecostDeployment.queryService.storageClass }} - resources: - requests: - storage: {{ .Values.kubecostDeployment.queryService.databaseVolumeSize }} - - metadata: - name: persistent-configs - spec: - accessModes: [ "ReadWriteOnce" ] - storageClassName: {{ .Values.kubecostDeployment.queryService.storageClass }} - resources: - requests: - storage: {{ .Values.kubecostDeployment.queryService.configVolumeSize }} - template: - metadata: - labels: - app.kubernetes.io/name: query-service - app.kubernetes.io/instance: {{ .Release.Name }} - app: query-service - {{- with .Values.global.podAnnotations}} - annotations: - {{- toYaml . 
| nindent 8 }} - {{- end }} - spec: - restartPolicy: Always - {{- if .Values.kubecostDeployment.queryService.securityContext }} - securityContext: - {{- toYaml .Values.kubecostDeployment.queryService.securityContext | nindent 8 }} - {{- else if and (.Values.global.platforms.openshift.enabled) (.Values.global.platforms.openshift.securityContext) }} - securityContext: - {{- toYaml .Values.global.platforms.openshift.securityContext | nindent 8 }} - {{- else if .Values.global.securityContext }} - securityContext: - {{- toYaml .Values.global.securityContext | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "query-service.serviceAccountName" . }} - volumes: - {{- $etlBackupBucketSecret := "" }} - {{- if .Values.kubecostModel.queryServiceConfigSecret }} - {{- $etlBackupBucketSecret = .Values.kubecostModel.queryServiceConfigSecret }} - {{- else if .Values.kubecostModel.federatedStorageConfigSecret }} - {{- $etlBackupBucketSecret = .Values.kubecostModel.federatedStorageConfigSecret }} - {{- else if .Values.kubecostModel.etlBucketConfigSecret }} - {{- $etlBackupBucketSecret = .Values.kubecostModel.etlBucketConfigSecret }} - {{- else if and .Values.global.thanos.enabled (ne (typeOf .Values.kubecostModel.etlBucketConfigSecret) "string") }} - {{- $etlBackupBucketSecret = .Values.thanos.storeSecretName }} - {{- end }} - {{- if $etlBackupBucketSecret }} - - name: etl-bucket-config - secret: - defaultMode: 420 - secretName: {{ $etlBackupBucketSecret }} - {{- end }} - {{- if .Values.kubecostDeployment.queryService.extraVolumes }} - {{- toYaml .Values.kubecostDeployment.queryService.extraVolumes | nindent 8 }} - {{- end }} - containers: - - name: query-service - {{- if .Values.kubecostModel }} - {{- if .Values.kubecostModel.openSourceOnly }} - image: quay.io/kubecost1/kubecost-cost-model:{{ .Values.imageVersion }} - {{- else if .Values.kubecostModel.fullImageName }} - image: {{ .Values.kubecostModel.fullImageName }} - {{- else if .Values.imageVersion }} - image: {{ 
.Values.kubecostModel.image }}:{{ .Values.imageVersion }} - {{- else }} - image: {{ .Values.kubecostModel.image }}:prod-{{ $.Chart.AppVersion }} - {{ end }} - {{- else }} - image: gcr.io/kubecost1/cost-model:prod-{{ $.Chart.AppVersion }} - {{ end }} - readinessProbe: - httpGet: - path: /healthz - port: 9003 - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 200 - imagePullPolicy: Always - securityContext: - {{- if .Values.kubecostDeployment.queryService.containerSecurityContext }} - {{- toYaml .Values.kubecostDeployment.queryService.containerSecurityContext | nindent 12 -}} - {{- else if .Values.global.containerSecurityContext }} - {{- toYaml .Values.global.containerSecurityContext | nindent 12 -}} - {{- end }} - args: ["query-service"] - ports: - - name: tcp-model - containerPort: 9003 - protocol: TCP - {{- with .Values.kubecostDeployment.queryService.extraPorts }} - {{- toYaml . | nindent 12 }} - {{- end }} - resources: - {{- toYaml .Values.kubecostDeployment.queryService.resources | nindent 12 }} - volumeMounts: - - name: persistent-configs - mountPath: /var/configs - - name: etl-bucket-config - mountPath: /var/configs/etl - - name: database-storage - mountPath: /var/db - {{- if .Values.kubecostDeployment.queryService.extraVolumeMounts }} - {{- toYaml .Values.kubecostDeployment.queryService.extraVolumeMounts | nindent 12 }} - {{- end }} - env: - - name: CONFIG_PATH - value: /var/configs/ - - name: DB_PATH - value: /var/db/ - - name: ETL_FILE_STORE_ENABLED - value: "true" - {{- if $etlBackupBucketSecret }} - - name: ETL_BUCKET_CONFIG - {{- if not .Values.kubecostModel.federatedStorageConfigSecret}} - value: "/var/configs/etl/object-store.yaml" - {{- else }} - value: "/var/configs/etl/federated-store.yaml" - - name: CLUSTER_ID - value: "combined" - - name: FEDERATED_STORE_CONFIG - value: "/var/configs/etl/federated-store.yaml" - - name: FEDERATED_CLUSTER - value: "true" - - name: FEDERATED_PRIMARY_CLUSTER - value: "true" - - name: 
FEDERATED_REDIRECT_BACKUP - value: "true" - {{- end }} - {{- end }} - - name: ETL_PATH_PREFIX - value: "/var/db" - - name: CLOUD_PROVIDER_API_KEY - value: "AIzaSyDXQPG_MHUEy9neR7stolq6l0ujXmjJlvk" # The GCP Pricing API key.This GCP api key is expected to be here and is limited to accessing google's billing API.' - {{- if .Values.kubecostDeployment.queryService.extraEnv }} - {{- toYaml .Values.kubecostDeployment.queryService.extraEnv | nindent 12 }} - {{- end }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 2 }} - {{- end }} - {{- if .Values.kubecostDeployment.queryService.priority }} - {{- if .Values.kubecostDeployment.queryService.priority.enabled }} - {{- if .Values.kubecostDeployment.queryService.priority.name }} - priorityClassName: {{ .Values.kubecostDeployment.queryService.priority.name }} - {{- else }} - priorityClassName: {{ template "cost-analyzer.fullname" . }}-qsr-priority - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.kubecostDeployment.queryService.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.kubecostDeployment.queryService.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.kubecostDeployment.queryService.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - -{{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml deleted file mode 100644 index e93bf6014..000000000 --- a/charts/kubecost/cost-analyzer/templates/query-service-service-account-template.yaml +++ /dev/null 
@@ -1,17 +0,0 @@
-{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }}
-{{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }}
-{{- if .Values.kubecostDeployment.queryService.serviceAccount.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "query-service.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
- {{ include "query-service.commonLabels" . | nindent 4 }}
-{{- with .Values.kubecostDeployment.queryService.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
-{{- end }}
-{{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml b/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml
deleted file mode 100644
index 160afc034..000000000
--- a/charts/kubecost/cost-analyzer/templates/query-service-service-template.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and (not .Values.agent) (not .Values.cloudAgent) (.Values.kubecostDeployment) (.Values.kubecostDeployment.queryServiceReplicas) }}
-{{- if gt (.Values.kubecostDeployment.queryServiceReplicas | toString | atoi) 0 }}
-kind: Service
-apiVersion: v1
-metadata:
- name: {{ template "query-service.serviceName" . }}
- namespace: {{ .Release.Namespace }}
- labels:
-{{ include "query-service.commonLabels" . | nindent 4 }}
-spec:
- selector:
-{{ include "query-service.selectorLabels" . | nindent 4 }}
- type: "ClusterIP"
- ports:
- - name: tcp-query-service
- port: 9003
- targetPort: 9003
- {{- with .Values.kubecostDeployment.queryService.extraPorts }}
- {{- toYaml . | nindent 4 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/kubecost/cost-analyzer/values-agent.yaml b/charts/kubecost/cost-analyzer/values-agent.yaml
index 2f46281dd..c74ea90b0 100644
--- a/charts/kubecost/cost-analyzer/values-agent.yaml
+++ b/charts/kubecost/cost-analyzer/values-agent.yaml @@ -1,3 +1,4 @@ + # Kubecost running as an Agent is designed for external hosting. The current setup deploys a # kubecost-agent pod, low data retention prometheus server + thanos sidecar, and node-exporter. networkCosts: @@ -7,7 +8,8 @@ networkCosts: # amazon-web-services: true # google-cloud-services: true # azure-cloud-services: true - +thanos: + storeSecretName: kubecost-agent-object-store global: thanos: @@ -17,7 +19,7 @@ global: proxy: false # Agent enables specific features designed to enhance the metrics exporter deployment # with enhancements designed for external hosting. -agent: true +# agent: true # agentKeySecretName: kubecost-agent-object-store agentCsi: enabled: false @@ -27,30 +29,21 @@ agentCsi: parameters: {} secretObjects: {} - -# No Grafana configuration is required. -grafana: - sidecar: - dashboards: - enabled: false - datasources: - defaultDatasourceEnabled: false +kubecostFrontend: + enabled: false # Exporter Pod -kubecostMetrics: - exporter: - enabled: true - exportClusterInfo: true - exportClusterCache: true +# kubecostMetrics: +# exporter: +# enabled: true +# exportClusterInfo: true +# exportClusterCache: true # Prometheus defaults to low retention (10h), disables KSM, and attaches a thanos-sidecar # for exporting metrics. prometheus: nodeExporter: enabled: false - kube-state-metrics: - enabled: false - disabled: true extraScrapeConfigs: | - job_name: kubecost-agent honor_labels: true diff --git a/charts/kubecost/cost-analyzer/values-cloud-agent.yaml b/charts/kubecost/cost-analyzer/values-cloud-agent.yaml index 99b596c56..3f2436925 100644 --- a/charts/kubecost/cost-analyzer/values-cloud-agent.yaml +++ b/charts/kubecost/cost-analyzer/values-cloud-agent.yaml 
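Review bot: `agent: true` is commented out in the `@@ -17,7 +19,7` hunk, yet the file's opening comment still says this profile deploys a kubecost-agent pod, and `global.thanos` plus the newly added `thanos.storeSecretName: kubecost-agent-object-store` stay in place even though the same commit drops the `global.thanos` block from values.yaml. If agent mode is being retired in v2, the header should say what the profile now produces, e.g. `# v2: agent mode is no longer a separate deployment; this profile runs the chart with the frontend disabled and metrics exported via the Prometheus/thanos sidecar`, otherwise the file contradicts itself. Whether any remaining template still reads `.Values.agent` or `.Values.thanos.storeSecretName` cannot be seen from this diff; if none does, the dead keys should be removed rather than left as live values.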
@@ -27,19 +27,10 @@ kubecostMetrics: exportClusterInfo: false exportClusterCache: false -# Disable cost-analyzer PSP -podSecurityPolicy: - enabled: false - # Disable KSM and NodeExporter (?) prometheus: - podSecurityPolicy: - enabled: false nodeExporter: enabled: false - kube-state-metrics: - enabled: false - disabled: true extraScrapeConfigs: | - job_name: kubecost-cloud-agent honor_labels: true diff --git a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml index 71bcc2614..bd6f6b116 100644 --- a/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml +++ b/charts/kubecost/cost-analyzer/values-eks-cost-monitoring.yaml @@ -30,9 +30,6 @@ priority: networkPolicy: enabled: false -podSecurityPolicy: - enabled: false - # Enable this flag if you need to install with specific image tags # imageVersion: prod-1.97.0 @@ -51,10 +48,10 @@ kubecostModel: image: public.ecr.aws/kubecost/cost-model imagePullPolicy: Always warmCache: true - warmSavingsCache: true etl: true - # The total number of days the ETL storage will build - etlStoreDurationDays: 120 + # The total number of days the ETL pipelines will build + # Set to 0 to disable daily ETL (not recommended) + etlDailyStoreDurationDays: 120 maxQueryConcurrency: 5 # utcOffset represents a timezone in hours and minutes east (+) or west (-) # of UTC, itself, which is defined as +00:00. @@ -69,6 +66,9 @@ kubecostModel: # cpu: "800m" # memory: "256Mi" +forecasting: + fullImageName: public.ecr.aws/kubecost/kubecost-modeling:e59c4d9 + serviceAccount: create: true # Set this to false if you're bringing your own service account. annotations: {} @@ -113,7 +113,7 @@ prometheus: # clusterIDConfigmap: cluster-id-configmap image: repository: public.ecr.aws/kubecost/prometheus - tag: v2.35.0 + tag: v2.49.1 resources: {} # limits: # cpu: 500m 
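Review bot: `forecasting.fullImageName` in the `@@ -69,6 +66,9` hunk of values-eks-cost-monitoring.yaml pins `public.ecr.aws/kubecost/kubecost-modeling` to `e59c4d9`, which looks like an abbreviated commit hash rather than a release tag, while every other image in this file uses a versioned tag. A tag is mutable, so a profile meant to be reproducible should either pin the digest, `fullImageName: public.ecr.aws/kubecost/kubecost-modeling:e59c4d9@sha256:<digest-placeholder>`, or carry a comment explaining why this component tracks a commit build and who is responsible for moving it to a release tag. As written, a reader cannot tell whether the commit-style tag is intentional or a leftover from testing.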
@@ -123,7 +123,7 @@ prometheus: # memory: 512Mi global: scrape_interval: 1m - scrape_timeout: 10s + scrape_timeout: 60s evaluation_interval: 1m external_labels: cluster_id: cluster-one # Each cluster should have a unique ID @@ -141,27 +141,26 @@ prometheus: configmapReload: prometheus: + ## If false, the configmap-reload container will not be deployed - ## enabled: false ## configmap-reload container name - ## name: configmap-reload + ## configmap-reload container image - ## image: repository: public.ecr.aws/kubecost/prometheus-config-reloader - tag: v0.69.1 + tag: v0.71.2 pullPolicy: IfNotPresent + ## Additional configmap-reload container arguments - ## extraArgs: {} + ## Additional configmap-reload volume directories - ## extraVolumeDirs: [] + ## Additional configmap-reload mounts - ## extraConfigmapMounts: [] # - name: prometheus-alerts # mountPath: /etc/alerts.d @@ -173,8 +172,6 @@ prometheus: ## resources: {} - kube-state-metrics: - disabled: false nodeExporter: enabled: false diff --git a/charts/kubecost/cost-analyzer/values-thanos.yaml b/charts/kubecost/cost-analyzer/values-thanos.yaml deleted file mode 100644 index cc7a32b68..000000000 --- a/charts/kubecost/cost-analyzer/values-thanos.yaml +++ /dev/null 
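Review bot: The new `scrape_timeout: 60s` in the `@@ -123,7 +123,7` hunk is now equal to `scrape_interval: 1m`, which Prometheus accepts, but it rejects any configuration where the timeout exceeds the interval, so lowering the interval in this profile later will break config loading unless the timeout is lowered with it. A one-line comment on the timeout, `scrape_timeout: 60s # must not exceed scrape_interval`, records that coupling where the next editor will see it. The same pairing appears in values.yaml's `prometheus.server.global` section in this commit (as comments), so the note belongs there too.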
@@ -1,149 +0,0 @@ -global: - thanos: - enabled: true - -# For Thanos Installs, Allow Higher Concurrency from Cost-Model -# Still may require tweaking for some installs, but the thanos-query-frontend -# will greatly assist in reduction memory bloat in query. -kubecostModel: - maxQueryConcurrency: 5 - # This configuration is applied to thanos only. Expresses the resolution to - # use for longer query ranges. Options: raw, 5m, 1h - Default: raw - maxSourceResolution: 5m - -prometheus: - server: - extraArgs: - storage.tsdb.min-block-duration: 2h - storage.tsdb.max-block-duration: 2h - storage.tsdb.retention: 2w - # these were previously being set by default. - # securityContext: - # runAsNonRoot: true - # runAsUser: 1001 - extraVolumes: - - name: object-store-volume - secret: - # Ensure this secret name matches thanos.storeSecretName - secretName: kubecost-thanos - enableAdminApi: true - sidecarContainers: - - name: thanos-sidecar - image: thanosio/thanos:v0.32.5 - # these were previously being set by default. - # securityContext: - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL - args: - - sidecar - - --log.level=debug - - --tsdb.path=/data/ - - --prometheus.url=http://127.0.0.1:9090 - - --objstore.config-file=/etc/config/object-store.yaml - # Start of time range limit to serve. Thanos sidecar will serve only metrics, which happened - # later than this value. Option can be a constant time in RFC3339 format or time duration - # relative to current time, such as -1d or 2h45m. Valid duration units are ms, s, m, h, d, w, y. 
- - --min-time=-3h - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - ports: - - name: http - containerPort: 10902 - - name: grpc - containerPort: 10901 - - name: cluster - containerPort: 10900 - volumeMounts: - - name: config-volume - mountPath: /etc/prometheus - - name: storage-volume - mountPath: /data - subPath: "" - - name: object-store-volume - mountPath: /etc/config - -thanos: - store: - enabled: true - grpcSeriesMaxConcurrency: 20 - blockSyncConcurrency: 20 - extraEnv: - - name: GOGC - value: "100" - - name: GODEBUG - value: "madvdontneed=1" - resources: - requests: - memory: "2.5Gi" - query: - enabled: true - timeout: 3m - # Maximum number of queries processed concurrently by query node. - maxConcurrent: 8 - # Maximum number of select requests made concurrently per a query. - maxConcurrentSelect: 2 - resources: - requests: - memory: "2.5Gi" - autoDownsampling: false - extraEnv: - - name: GOGC - value: "100" - - name: GODEBUG - value: "madvdontneed=1" - - # Thanos Query Frontend - queryFrontend: - enabled: true - compressResponses: true - # Downstream Tripper Configuration - downstreamTripper: - enabled: true - idleConnectionTimeout: 90s - responseHeaderTimeout: 2m - tlsHandshakeTimeout: 10s - expectContinueTimeout: 1s - maxIdleConnections: 200 - maxIdleConnectionsPerHost: 100 - maxConnectionsPerHost: 0 - # Response Cache Configuration - # Configure either a max size constraint or max items. - responseCache: - enabled: true - # Maximum memory size of the cache in bytes. A unit suffix (KB, MB, GB) may be applied. - maxSize: 1.25GB - # Maximum number of entries in the cache. - maxSizeItems: 0 - # The expiry duration for the cache. - validity: 2m - extraEnv: - - name: GOGC - value: "100" - - name: GODEBUG - value: "madvdontneed=1" - resources: - requests: - memory: "1.5Gi" - - # Thanos Sidecar Service Discovery - # Disabling removes the prometheus sidecar from querier store discovery. 
This ensures - # that all clusters read from the same data in remote store. - sidecar: - enabled: true - bucket: - enabled: false - compact: - enabled: true - dataVolume: - persistentVolumeClaim: - claimName: compact-data-volume - storage: 100Gi - # This secret name should match the sidecar configured secret name volume - # in the prometheus.server.extraVolumes entry - storeSecretName: kubecost-thanos diff --git a/charts/kubecost/cost-analyzer/values-windows-node-affinity.yaml b/charts/kubecost/cost-analyzer/values-windows-node-affinity.yaml index 0cb104730..5770f0c12 100644 --- a/charts/kubecost/cost-analyzer/values-windows-node-affinity.yaml +++ b/charts/kubecost/cost-analyzer/values-windows-node-affinity.yaml @@ -14,9 +14,6 @@ prometheus: server: nodeSelector: kubernetes.io/os: linux - kube-state-metrics: - nodeSelector: - kubernetes.io/os: linux nodeExporter: enabled: true affinity: @@ -31,20 +28,3 @@ prometheus: grafana: nodeSelector: kubernetes.io/os: linux - -thanos: - store: - nodeSelector: - kubernetes.io/os: linux - queryFrontend: - nodeSelector: - kubernetes.io/os: linux - query: - nodeSelector: - kubernetes.io/os: linux - compact: - nodeSelector: - kubernetes.io/os: linux - bucket: - nodeSelector: - kubernetes.io/os: linux \ No newline at end of file diff --git a/charts/kubecost/cost-analyzer/values.yaml b/charts/kubecost/cost-analyzer/values.yaml index bffabcacf..95a858753 100644 --- a/charts/kubecost/cost-analyzer/values.yaml +++ b/charts/kubecost/cost-analyzer/values.yaml 
@@ -7,14 +7,6 @@ global: # queryServiceBasicAuthSecretName: dbsecret # kubectl create secret generic dbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD # queryServiceBearerTokenSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN - # Durable storage option, product key required - thanos: - enabled: false - # queryService: http://kubecost-thanos-query-frontend-http.kubecost:{{ .Values.thanos.queryFrontend.http.port }} # an address of the thanos query-frontend endpoint, if different from installed thanos - # queryServiceBasicAuthSecretName: mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=USERNAME --from-file=PASSWORD <---enter basic auth credentials like that - # queryServiceBearerTokenSecretName mcdbsecret # kubectl create secret generic mcdbsecret -n kubecost --from-file=TOKEN - # queryOffset: 3h # The offset to apply to all thanos queries in order to achieve synchronization on all cluster block stores - grafana: enabled: true # If false, Grafana will not be installed domainName: cost-analyzer-grafana.default.svc # example grafana domain Ignored if enabled: true @@ -253,6 +245,13 @@ global: seccompProfile: type: RuntimeDefault +## This flag is only required for users upgrading to a new version of Kubecost. +## The flag is used to ensure users are aware of important +## (potentially breaking) changes included in the new version. +## +upgrade: + toV2: false + # generated at http://kubecost.com/install, used for alerts tracking and free trials kubecostToken: # "" 
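Review bot: The comment on the new `upgrade.toV2` flag in the `@@ -253,6 +245,13` hunk explains why the flag exists but not what the chart does with it, so a reader cannot tell whether leaving it `false` aborts the upgrade, prints a notice, or is ignored. Suggest stating the mechanism and the expected procedure, e.g. `## Leave false on a fresh install. When upgrading an existing 1.x release, read the v2 upgrade notes and set this to true to acknowledge the breaking changes; the upgrade is refused (or warned about, whichever the templates do) until then.` What the templates actually do with `.Values.upgrade.toV2` cannot be seen in this diff, so the wording should be checked against them before landing.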
@@ -280,6 +279,8 @@ saml: # isGLUUProvider: false # An additional URL parameter must be appended for GLUU providers # encryptionCertSecret: "kubecost-saml-cert" # k8s secret where the x509 certificate used to encrypt an Okta saml response is stored # decryptionKeySecret: "kubecost-sank-decryption-key" # k8s secret where the private key associated with the encryptionCertSecret is stored + # authSecret: "random-string" # value of SAML secret used to issue tokens, will be autogenerated as random string if not provided + # authSecretName: "kubecost-saml-secret" # name of k8s secret where the authSecret will be stored, defaults to "kubecost-saml-secret" if not provided rbac: enabled: false # groups: @@ -351,10 +352,19 @@ systemProxy: # imagePullSecrets: # - name: "image-pull-secret" +# imageVersion uses the base image name (image:) but overrides the version +# pulled. It should be avoided. If non-default behavior is needed, use +# fullImageName for the relevant component. +# imageVersion: + kubecostFrontend: enabled: true image: "gcr.io/kubecost1/frontend" imagePullPolicy: Always + # fullImageName overrides the default image construction logic. The exact + # image provided (registry, image, tag) will be used for the frontend. + # fullImageName: + # extraEnv: # - name: NGINX_ENTRYPOINT_WORKER_PROCESSES_AUTOTUNE # value: "1" @@ -370,14 +380,14 @@ kubecostFrontend: # Define a readiness probe for the Kubecost frontend container. readinessProbe: enabled: true - initialDelaySeconds: 30 + initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 # Define a liveness probe for the Kubecost frontend container. livenessProbe: enabled: true - initialDelaySeconds: 30 + initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 ipv6: 
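Review bot: The new `saml.authSecret` comment in the `@@ -280,6 +279,8` hunk invites users to place the token-issuing secret directly in values, where it is persisted in the Helm release Secret, in `helm get values` output and in any values file committed to version control; the note should steer users toward pre-creating the Kubernetes Secret named by `authSecretName` and leaving `authSecret` unset, e.g. `# authSecret: prefer leaving this unset and pre-creating the Secret named by authSecretName; an inline value is stored in release history and in committed values files`. The comment also says the value "will be autogenerated as random string if not provided" but not whether that value survives `helm upgrade`; if it is regenerated on every render, every upgrade invalidates already-issued tokens. Whether the template reuses an existing Secret (for example via `lookup`) cannot be seen from this diff, so the comment should state the actual behaviour either way.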
@@ -465,8 +475,10 @@ sigV4Proxy: kubecostModel: image: "gcr.io/kubecost1/cost-model" imagePullPolicy: Always - # set to 'true' to utilize images on the public Quay repository - # openSourceOnly: false + # fullImageName overrides the default image construction logic. The exact + # image provided (registry, image, tag) will be used for cost-model. + # fullImageName: + # extraEnv: # - name: SOME_VARIABLE # value: "some_value" @@ -477,8 +489,6 @@ kubecostModel: outOfClusterPromMetricsEnabled: false # Build local cost allocation cache warmCache: false - # Build local savings cache - warmSavingsCache: true # Run allocation ETL pipelines etl: true # Enable the ETL filestore backing storage @@ -496,10 +506,15 @@ kubecostModel: # For deploying kubecost in a cluster that does not self-monitor etlReadOnlyMode: false + # The name of the Secret containing a bucket config for ETL backup. + # etlBucketConfigSecret: + # The name of the Secret containing a bucket config for Federated storage. + # federatedStorageConfigSecret: + ## Feature to view your out-of-cluster costs and their k8s utilization ## Ref: https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/cloud-costs-explorer cloudCost: - enabled: true + # enabled: true # this logic is always enabled if cloud billing integration is configured. This option is no longer configurable. labelList: IsIncludeList: false # format labels as comma separated string (ex. "label1,label2,label3") @@ -540,14 +555,14 @@ kubecostModel: # Define a readiness probe for the Kubecost cost-model container. readinessProbe: enabled: true - initialDelaySeconds: 30 + initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 # Define a liveness probe for the Kubecost cost-model container. livenessProbe: enabled: true - initialDelaySeconds: 30 + initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 200 extraArgs: [] 
@@ -624,11 +639,12 @@ tolerations: [] affinity: {} +topologySpreadConstraints: [] + # If true, creates a PriorityClass to be used by the cost-analyzer pod priority: enabled: false name: "" # Provide name of existing priority class only. If left blank, upstream chart will create one from default template. - # value: 1000000 # If true, enable creation of NetworkPolicy resources. networkPolicy: @@ -662,9 +678,6 @@ networkPolicy: # - selectors: # restrict egress to inside cluster # - namespaceSelector: {} -podSecurityPolicy: - enabled: false - ## @param extraVolumes A list of volumes to be added to the pod ## extraVolumes: [] @@ -682,6 +695,10 @@ persistentVolume: labels: {} annotations: {} + # Enables a separate PV specifically for ETL data. This should be avoided, but + # is kept for legacy compatibility. + dbPVEnabled: false + service: type: ClusterIP port: 9090 
@@ -693,25 +710,36 @@ service: enabled: false # Makes sure that connections from a client are passed to the same Pod each time, when set to `true`. You should set it when you enabled authentication through OIDC or SAML integration. timeoutSeconds: 10800 -# Enabling long-term durable storage with Postgres requires an enterprise license -remoteWrite: - postgres: - enabled: false - initImage: "gcr.io/kubecost1/sql-init" - initImagePullPolicy: Always - installLocal: true - remotePostgresAddress: "" # ignored if installing locally - ## PriorityClassName - ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass - priorityClassName: "" - persistentVolume: - size: 200Gi - auth: - password: admin # change me - prometheus: - podSecurityPolicy: - enabled: false + rbac: + create: true # Create the RBAC resources for Prometheus. + + ## Define serviceAccount names for components. Defaults to component's fully qualified name. + ## + serviceAccounts: + alertmanager: + create: true + name: + nodeExporter: + create: true + name: + pushgateway: + create: true + name: + server: + create: true + name: + ## Prometheus server ServiceAccount annotations. + ## Can be used for AWS IRSA annotations when using Remote Write mode with Amazon Managed Prometheus. + annotations: {} + + ## Specify an existing ConfigMap to be used by Prometheus when using self-signed certificates. + ## + # selfsignedCertConfigMapName: "" + + imagePullSecrets: + # - name: "image-pull-secret" + extraScrapeConfigs: | - job_name: kubecost honor_labels: true 
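Review bot: `imagePullSecrets:` under `prometheus` in the `@@ -693,25 +710,36` hunk is left with no value and only a commented example beneath it, so it is `null` rather than an empty list, unlike the top-level `# imagePullSecrets:` which is fully commented out; a template that pipes it through `toYaml` would emit `imagePullSecrets: null`. Setting `imagePullSecrets: []` is the unambiguous default. The new `serviceAccounts.*.name:` entries are likewise null, which is fine only if the templates apply a `default` fallback, something this diff does not show. The same null-versus-empty-list point applies to `sidecarContainers:` in the following `@@ -742,55 +770,1266` hunk.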
@@ -742,55 +770,1266 @@ prometheus: # NOTE: This does not affect the external_labels set in prometheus config. # clusterIDConfigmap: cluster-id-configmap - resources: {} - # limits: - # cpu: 500m - # memory: 512Mi - # requests: - # cpu: 500m - # memory: 512Mi + ## Prometheus server container name + ## + enabled: true + name: server + sidecarContainers: + strategy: + type: Recreate + rollingUpdate: null + + ## Prometheus server container image + ## + image: + repository: quay.io/prometheus/prometheus + tag: v2.49.1 + pullPolicy: IfNotPresent + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. 
+ # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + global: + ## How frequently to scrape targets by default + ## scrape_interval: 1m + ## How long until a scrape request times out + ## scrape_timeout: 60s + ## How frequently to evaluate rules + ## evaluation_interval: 1m external_labels: cluster_id: cluster-one # Each cluster should have a unique ID - persistentVolume: - size: 32Gi - enabled: true + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: {} + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: {} + + ## Additional Prometheus server container arguments + ## extraArgs: query.max-concurrency: 1 query.max-samples: 100000000 + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
+ extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + # className: nginx + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + ## PathType determines the interpretation of the Path matching + pathType: "Prefix" + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## tolerations: [] - # - key: "key" - # operator: "Equal|Exists" - # value: "value" - # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" - # retention: 50h This must be greater than or equal to etlHourlyStoreDurationHours - # retentionSize: should be significantly greater than the storage used in the number of hours set in etlHourlyStoreDurationHours - alertmanager: - enabled: false + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## enabled: true + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 32Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. 
+ ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + emptyDir: + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Annotations to be added to the Prometheus Server deployment + ## + deploymentAnnotations: {} + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + readinessProbeInitialDelay: 30 + readinessProbeTimeout: 30 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbeTimeout: 30 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployment, based on above 
configs) + enabled: false + ## Optional. Defaults to "Auto" if not specified. + # updateMode: "Auto" + ## Mandatory. Without, VPA will not be created. + # containerPolicies: + # - containerName: 'prometheus-server' + + ## Security context to be added to server pods + ## + securityContext: {} + # runAsUser: 1001 + # runAsNonRoot: true + # runAsGroup: 1001 + # fsGroup: 1001 + + containerSecurityContext: {} + + service: + annotations: {} + labels: {} + clusterIP: "" + # nodePort: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: 15d # 50h. 
This must be greater than or equal to etlHourlyStoreDurationHours + # retentionSize: should be significantly greater than the storage used in the number of hours set in etlHourlyStoreDurationHours + + # Install Prometheus Alert Manager + alertmanager: + ## If false, alertmanager will not be installed + ## + enabled: false + + strategy: + type: Recreate + rollingUpdate: null + + ## alertmanager container name + ## + name: alertmanager + + ## alertmanager container image + ## + image: + repository: quay.io/prometheus/alertmanager + tag: v0.26.0 + pullPolicy: IfNotPresent + + ## alertmanager priorityClassName + ## + priorityClassName: "" + + ## Additional alertmanager container arguments + ## + extraArgs: {} + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + baseURL: "http://localhost:9093" + + ## Additional alertmanager container environment variable + ## For instance to add a http_proxy + ## + extraEnv: {} + + ## Additional alertmanager Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
+ extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config + ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configFromSecret: "" + + ## The configuration file name to be loaded to alertmanager + ## Must match the key within configuration loaded from ConfigMap/Secret + ## + configFileName: alertmanager.yml + + ingress: + ## If true, alertmanager Ingress will be created + ## + enabled: false + + ## alertmanager Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## alertmanager Ingress additional labels + ## + extraLabels: {} + + ## alertmanager Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - alertmanager.domain.com + # - domain.com/alertmanager + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. 
+ extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## alertmanager Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - alertmanager.domain.com + + ## Alertmanager Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for alertmanager scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for alertmanager pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". 
+ ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, alertmanager will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## alertmanager data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## alertmanager data Persistent Volume Claim annotations + ## + annotations: {} + + ## alertmanager data Persistent Volume existing claim name + ## Requires alertmanager.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## alertmanager data Persistent Volume mount root path + ## + mountPath: /data + + ## alertmanager data Persistent Volume size + ## + size: 2Gi + + ## alertmanager data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## alertmanager data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. 
+ ## + # volumeBindingMode: "" + + ## Subdirectory of alertmanager data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Annotations to be added to alertmanager pods + ## + podAnnotations: {} + ## Tell prometheus to use a specific set of alertmanager pods + ## instead of all alertmanager pods found in the same namespace + ## Useful if you deploy multiple releases within the same namespace + ## + ## prometheus.io/probe: alertmanager-teamA + + ## Labels to be added to Prometheus AlertManager pods + ## + podLabels: {} + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + servicePort: 80 + + ## alertmanager resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## Security context to be added to alertmanager pods + ## + securityContext: + runAsUser: 1001 + runAsNonRoot: true + runAsGroup: 1001 + fsGroup: 1001 + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + ## List of IP addresses at which the alertmanager service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + 
loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + # nodePort: 30000 + sessionAffinity: None + type: ClusterIP + + # Define a custom scheduler for Alertmanager pods + # schedulerName: default-scheduler + + ## alertmanager ConfigMap entries + ## + alertmanagerFiles: + alertmanager.yml: + global: {} + # slack_api_url: '' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + + ## Monitors ConfigMap changes and POSTs to a URL + configmapReload: + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: false + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.71.2 + pullPolicy: IfNotPresent + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + + ## configmap-reload container securityContext + containerSecurityContext: {} + + alertmanager: + ## If false, the configmap-reload container will not be deployed + ## + enabled: false + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.71.2 + pullPolicy: IfNotPresent + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume 
directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # node-export must be disabled if there is an existing daemonset: https://guide.kubecost.com/hc/en-us/articles/4407601830679-Troubleshoot-Install#a-name-node-exporter-a-issue-failedscheduling-kubecost-prometheus-node-exporter nodeExporter: - enabled: true - - # rbac: - # create: true # Create the RBAC resources for Prometheus Node Exporter. - - ## Default disabled since Kubecost already emits KSMv1 metrics. - ## Ref: https://docs.kubecost.com/architecture/ksm-metrics - kubeStateMetrics: + ## If false, node-exporter will not be installed. + ## This is disabled by default in Kubecost 2.0, though it can be enabled as needed. 
+ ## enabled: false - kube-state-metrics: - disabled: true + ## If true, node-exporter pods share the host network namespace + ## + hostNetwork: true + + ## If true, node-exporter pods share the host PID namespace + ## + hostPID: true + + ## node-exporter dns policy + ## + dnsPolicy: ClusterFirstWithHostNet + + ## node-exporter container name + ## + name: node-exporter + + ## node-exporter container image + ## + image: + repository: prom/node-exporter + tag: v1.7.0 + pullPolicy: IfNotPresent + + ## node-exporter priorityClassName + ## + priorityClassName: "" + + ## Custom Update Strategy + ## + updateStrategy: + type: RollingUpdate + + ## Additional node-exporter container arguments + ## + extraArgs: {} + + ## Additional node-exporter hostPath mounts + ## + extraHostPathMounts: [] + # - name: textfile-dir + # mountPath: /srv/txt_collector + # hostPath: /var/lib/node-exporter + # readOnly: true + # mountPropagation: HostToContainer + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # configMap: certs-configmap + # readOnly: true + + ## Set a custom affinity for node-exporter + ## + # affinity: + + ## Node tolerations for node-exporter scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for node-exporter pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to node-exporter pods + ## + podAnnotations: {} + + ## Annotations to be added to the node-exporter DaemonSet + ## + deploymentAnnotations: {} + + ## Labels to be added to node-exporter pods + ## + pod: + labels: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + 
maxUnavailable: 1 + + ## node-exporter resource limits & requests + ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + + ## Security context to be added to node-exporter pods + ## + securityContext: {} + # runAsUser: 0 + + service: + annotations: + prometheus.io/scrape: "true" + labels: {} + + # Exposed as a headless service: + # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services + clusterIP: None + + ## List of IP addresses at which the node-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + hostPort: 9100 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9100 + type: ClusterIP + + # Install Prometheus Push Gateway. pushgateway: + ## If false, pushgateway will not be installed + ## enabled: false + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## pushgateway container name + ## + name: pushgateway + + ## pushgateway container image + ## + image: + repository: prom/pushgateway + tag: v1.6.2 + pullPolicy: IfNotPresent + + ## pushgateway priorityClassName + ## + priorityClassName: "" + + ## Additional pushgateway container arguments + ## + ## for example: persistence.file: /data/pushgateway.data + extraArgs: {} + + ingress: + ## If true, pushgateway Ingress will be created + ## + enabled: false + + ## pushgateway Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## pushgateway Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - pushgateway.domain.com + # - domain.com/pushgateway + + ## Extra paths to prepend to every host configuration. 
This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## pushgateway Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - pushgateway.domain.com + + ## Node tolerations for pushgateway scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for pushgateway pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to pushgateway pods + ## + podAnnotations: {} + + replicaCount: 1 + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## pushgateway resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 10m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## Security context to be added to push-gateway pods + ## + securityContext: + runAsUser: 1001 + runAsNonRoot: true + + service: + annotations: + prometheus.io/probe: pushgateway + labels: {} + clusterIP: "" + + ## List of IP addresses at which the pushgateway service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9091 + type: ClusterIP + + strategy: + type: Recreate + rollingUpdate: null + + persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## enabled: true + + ## pushgateway data Persistent Volume 
access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## pushgateway data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + serverFiles: + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' 
+ # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. 
You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + metric_relabel_configs: + - source_labels: [__name__] + regex: (container_cpu_usage_seconds_total|container_memory_working_set_bytes|container_network_receive_errors_total|container_network_transmit_errors_total|container_network_receive_packets_dropped_total|container_network_transmit_packets_dropped_total|container_memory_usage_bytes|container_cpu_cfs_throttled_periods_total|container_cpu_cfs_periods_total|container_fs_usage_bytes|container_fs_limit_bytes|container_cpu_cfs_periods_total|container_fs_inodes_free|container_fs_inodes_total|container_fs_usage_bytes|container_fs_limit_bytes|container_cpu_cfs_throttled_periods_total|container_cpu_cfs_periods_total|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_fs_inodes_free|container_fs_inodes_total|container_fs_usage_bytes|container_fs_limit_bytes|container_spec_cpu_shares|container_spec_memory_limit_bytes|container_network_receive_bytes_total|container_network_transmit_bytes_total|container_fs_reads_bytes_total|container_network_receive_bytes_total|container_fs_writes_bytes_total|container_fs_reads_bytes_total|cadvisor_version_info|kubecost_pv_i
nfo) + action: keep + - source_labels: [container] + target_label: container_name + regex: (.+) + action: replace + - source_labels: [pod] + target_label: pod_name + regex: (.+) + action: replace + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. 
+ # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + metric_relabel_configs: + - source_labels: [__name__] + regex: (kubelet_volume_stats_used_bytes) # this metric is in alpha + action: keep + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + - job_name: 'kubernetes-service-endpoints' + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_endpoints_name] + action: keep + regex: (.*node-exporter|kubecost-network-costs) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) 
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: kubernetes_name + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: kubernetes_node + metric_relabel_configs: + - source_labels: [__name__] + regex: (container_cpu_allocation|container_cpu_usage_seconds_total|container_fs_limit_bytes|container_fs_writes_bytes_total|container_gpu_allocation|container_memory_allocation_bytes|container_memory_usage_bytes|container_memory_working_set_bytes|container_network_receive_bytes_total|container_network_transmit_bytes_total|DCGM_FI_DEV_GPU_UTIL|deployment_match_labels|kube_daemonset_status_desired_number_scheduled|kube_daemonset_status_number_ready|kube_deployment_spec_replicas|kube_deployment_status_replicas|kube_deployment_status_replicas_available|kube_job_status_failed|kube_namespace_annotations|kube_namespace_labels|kube_node_info|kube_node_labels|kube_node_status_allocatable|kube_node_status_allocatable_cpu_cores|kube_node_status_allocatable_memory_bytes|kube_node_status_capacity|kube_node_status_capacity_cpu_cores|kube_node_status_capacity_memory_bytes|kube_node_status_condition|kube_persistentvolume_capacity_bytes|kube_persistentvolume_status_phase|kube_persistentvolumeclaim_info|kube_persistentvolumeclaim_resource_requests_storage_bytes|kube_pod_container_info|kube_pod_container_resource_limits|kube_pod_container_resource_limits_cpu_cores|kube_pod_container_resource_limits_memory_bytes|kube_pod_container_reso
urce_requests|kube_pod_container_resource_requests_cpu_cores|kube_pod_container_resource_requests_memory_bytes|kube_pod_container_status_restarts_total|kube_pod_container_status_running|kube_pod_container_status_terminated_reason|kube_pod_labels|kube_pod_owner|kube_pod_status_phase|kube_replicaset_owner|kube_statefulset_replicas|kube_statefulset_status_replicas|kubecost_cluster_info|kubecost_cluster_management_cost|kubecost_cluster_memory_working_set_bytes|kubecost_load_balancer_cost|kubecost_network_internet_egress_cost|kubecost_network_region_egress_cost|kubecost_network_zone_egress_cost|kubecost_node_is_spot|kubecost_pod_network_egress_bytes_total|node_cpu_hourly_cost|node_cpu_seconds_total|node_disk_reads_completed|node_disk_reads_completed_total|node_disk_writes_completed|node_disk_writes_completed_total|node_filesystem_device_error|node_gpu_count|node_gpu_hourly_cost|node_memory_Buffers_bytes|node_memory_Cached_bytes|node_memory_MemAvailable_bytes|node_memory_MemFree_bytes|node_memory_MemTotal_bytes|node_network_transmit_bytes_total|node_ram_hourly_cost|node_total_hourly_cost|pod_pvc_allocation|pv_hourly_cost|service_selector_labels|statefulSet_match_labels|kubecost_pv_info|up) + action: keep + + # prometheus.yml: # Sample block -- enable if using an in cluster durable store. # remote_write: # - url: "http://pgprometheus-adapter:9201/write" 
@@ -835,14 +2074,27 @@ prometheus: labels: daemonset: "true" + # Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager + # useful in H/A prometheus with different external labels but the same alerts + alertRelabelConfigs: + # alert_relabel_configs: + # - source_labels: [dc] + # regex: (.+)\d+ + # target_label: dc + + networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + + ## Module for measuring network costs ## Ref: https://github.com/kubecost/docs/blob/main/network-allocation.md networkCosts: enabled: false - podSecurityPolicy: - enabled: false - # annotations: {} # Add annotations to the PodSecurityPolicy for network-costs. - image: gcr.io/kubecost1/kubecost-network-costs:v0.17.2 + image: + repository: gcr.io/kubecost1/kubecost-network-costs + tag: v0.17.2 imagePullPolicy: Always updateStrategy: type: RollingUpdate @@ -982,8 +2234,6 @@ kubecostDeployment: statefulSet: enabled: false replicas: 1 - leaderFollower: - enabled: false # deploymentStrategy: # rollingUpdate: # maxSurge: 1 
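Review bot: `alertRelabelConfigs:` is introduced as a key with no value (YAML null) and only a commented example beneath it, so a template that consumes it receives nil rather than an empty map; if the template does not guard against nil, give it a non-null default such as `alertRelabelConfigs: {}` and state the expected shape in the comment (the example suggests a map holding an `alert_relabel_configs` list). The comment on the new `networkPolicy.enabled: false` says only that NetworkPolicy resources are created; naming which workloads and ports the generated policy covers (not visible in this diff) would let operators see what the default leaves unrestricted and decide whether to turn it on. The `prometheus` section this hunk belongs to starts and ends outside the hunk.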
@@ -992,82 +2242,117 @@ kubecostDeployment: labels: {} annotations: {} - ## QueryServiceReplicas - ## Ref: https://docs.kubecost.com/install-and-configure/advanced-configuration/query-service-replicas - ## - queryServiceReplicas: 0 - queryService: - serviceAccount: - create: true - annotations: {} - # name: kc-qs-test - securityContext: {} # Define a custom securityContext for the query service. This will take the highest precedence. - # runAsGroup: 1001 - # runAsUser: 1001 - # fsGroup: 1001 - # fsGroupChangePolicy: OnRootMismatch - # runAsNonRoot: false - # seccompProfile: - # type: RuntimeDefault - containerSecurityContext: - allowPrivilegeEscalation: true - readOnlyRootFilesystem: false - capabilities: - drop: - - ALL - resources: - requests: - ## You can use the Kubecost savings report for 'Right-size your - ## container requests' to determine the recommended resource requests - ## once the pod has run for 24 hours. - cpu: 1000m - memory: 500Mi - ## default storage class - storageClass: "" - databaseVolumeSize: 100Gi - configVolumeSize: 1Gi - initImage: {} - # Optional - add extra ports to the query service container. For kubecost development purposes only - not recommended for users. - extraPorts: [] - # - name: debug - # port: 40000 - # targetPort: 40000 - # containerPort: 40000 +## Kubecost Forecasting forecasts future cost patterns based on historical +## patterns observed by Kubecost. +forecasting: + enabled: true + + # fullImageName overrides the default image construction logic. The exact + # image provided (registry, image, tag) will be used for the forecasting + # container. + # Example: fullImageName: gcr.io/kubecost1/forecasting:v0.0.1 + fullImageName: gcr.io/kubecost1/kubecost-modeling:v0.1.2 + + # Resource specification block for the forecasting container. + resources: + requests: + cpu: 200m + memory: 300Mi + limits: + cpu: 1500m + memory: 1Gi + + # Set environment variables for the forecasting container as key/value pairs. 
+ env: + # -t is the worker timeout which primarily affects model training time; + # if it is not high enough, training workers may die mid training + "GUNICORN_CMD_ARGS": "--log-level info -t 1200" + + # Define a priority class for the forecasting Deployment. + priority: + enabled: false + name: "" + + # Define a nodeSelector for the forecasting Deployment. + nodeSelector: {} + + # Define tolerations for the forecasting Deployment. + tolerations: {} + + # Define Pod affinity for the forecasting Deployment. + affinity: {} + + # Define a readiness probe for the forecasting container + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 200 + + # Define a liveness probe for the forecasting container. + livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 200 ## The Kubecost Aggregator is a high scale implementation of Kubecost intended ## for large datasets and/or high query load. At present, this should only be ## enabled when recommended by Kubecost staff. ## kubecostAggregator: - enabled: false - replicas: 1 - ## Creates a new pod to retrieve CloudCost data. By default it uses the same - ## serviceaccount as the cost-analyzer pod. A custom serviceaccount can be - ## specified. - cloudCost: - enabled: false - # serviceAccountName: - jaeger: - enabled: false - image: jaegertracing/all-in-one - imageVersion: latest - # containerSecurityContext: + # deployMethod determines how Aggregator is deployed. Current options are + # "singlepod" (within cost-analyzer Pod) "statefulset" (separate + # StatefulSet), and "disabled". Only use "disabled" if this is a secondary + # Federated ETL cluster which does not need to answer queries. + deployMethod: singlepod + + # fullImageName overrides the default image construction logic. The exact + # image provided (registry, image, tag) will be used for aggregator. 
# fullImageName: + + # For legacy configuration support, `enabled: true` overrides deployMethod + # and causes `deployMethod: "statefulset"` + enabled: false + + # Replicas sets the number of Aggregator replicas. It only has an effect if + # `deployMethod: "statefulset"` + replicas: 1 + + # stagingEmptyDirSizeLimit changes how large the "staging" + # /var/configs/waterfowl emptyDir is. It only takes effect in StatefulSet + # configurations of Aggregator, other configurations are unaffected. + # + # It should be set to approximately 8x the size of the largest bingen file in + # object storage. For example, if your largest bingen file is a daily + # Allocation file with size 300MiB, this value should be set to approximately + # 2400Mi. In most environments, the default should suffice. + stagingEmptyDirSizeLimit: 2Gi + resources: {} + # requests: + # cpu: 1000m + # memory: 1Gi env: "LOG_LEVEL": "info" + "DB_READ_THREADS": "1" + "DB_WRITE_THREADS": "1" + "DB_CONCURRENT_INGESTION_COUNT": "3" persistentConfigsStorage: # default storage class storageClass: "" storageRequest: 1Gi - aggregatorStorage: - # default storage class - storageClass: "" - storageRequest: 20Gi aggregatorDbStorage: # default storage class storageClass: "" storageRequest: 128Gi + + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 200 + # extraEnv: # - name: SOME_VARIABLE # value: "some_value" 
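Review bot: `tolerations: {}` under `forecasting` is typed as a map, while the other tolerations defaults added in this change (`clusterController.tolerations: []`, grafana `tolerations: []`) are lists and the pod-spec field itself is an array; change it to `tolerations: []` so that a `toYaml` of the default cannot emit an object where an array is expected. The new `forecasting` block, which is `enabled: true` by default, carries no `securityContext`/`containerSecurityContext`, whereas the `queryService` block removed in the same hunk dropped all capabilities and set `allowPrivilegeEscalation`/`readOnlyRootFilesystem` explicitly; unless the template applies a global default (not visible here), consider adding an equivalent `containerSecurityContext` for the forecasting container and documenting it. The `kubecostAggregator` mapping continues past the end of this hunk.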
@@ -1097,6 +2382,38 @@ kubecostAggregator: # containerPort: 40000 securityContext: {} # Define a securityContext for the aggregator pod. This will take highest precedence. + ## Creates a new container/pod to retrieve CloudCost data. By default it uses + ## the same serviceaccount as the cost-analyzer pod. A custom serviceaccount + ## can be specified. + cloudCost: + # The cloudCost component of Aggregator depends on + # kubecostAggregator.deployMethod: + # kA.dM = "singlepod" -> cloudCost is run as container inside cost-analyzer + # kA.dM = "statefulset" -> cloudCost is run as single-replica Deployment + enabled: false + resources: {} + # requests: + # cpu: 1000m + # memory: 1Gi + # refreshRateHours: + # queryWindowDays: + # runWindowDays: + # serviceAccountName: + readinessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 200 + + # Jaeger is an optional container attached to wherever the Aggregator + # container is running. It is used for performance investigation. Enable if + # Kubecost Support asks. + jaeger: + enabled: false + image: jaegertracing/all-in-one + imageVersion: latest + # containerSecurityContext: + ## Kubecost Multi-cluster Diagnostics (beta) ## A single view into the health of all agent clusters. Each agent cluster sends ## its diagnostic data to a storage bucket. Future versions may include 
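Review bot: `imageVersion: latest` on the relocated `jaeger` block leaves the optional tracing container unpinned, so what gets pulled changes over time and cannot be matched to a known release; pin it to a specific tag the way the chart's other images in this change pin `repository`/`tag` pairs, and note in the comment that the empty `# containerSecurityContext:` placeholder means the container inherits whatever default the template applies. The `cloudCost` comment uses the abbreviations `kA.dM` for `kubecostAggregator.deployMethod`; spelling them out once, e.g. `# deployMethod "singlepod" -> cloudCost runs as a container inside cost-analyzer`, reads more clearly for operators skimming values. The `kubecostAggregator` mapping starts before this hunk.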
@@ -1124,11 +2441,59 @@ diagnostics: # Kubecost Cluster Controller for Right Sizing and Cluster Turndown clusterController: enabled: false - image: gcr.io/kubecost1/cluster-controller:v0.13.0 + image: + repository: gcr.io/kubecost1/cluster-controller + tag: v0.14.0 imagePullPolicy: Always ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" + # Set custom tolerations for the cluster controller. + tolerations: [] + actionConfigs: + # this configures the Kubecost Namespace Turndown action + # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#namespace-turndown + namespaceTurndown: + # - name: my-ns-turndown-action + # dryRun: false + # schedule: "0 0 * * *" + # type: Scheduled + # targetObjs: + # - namespace + # keepPatterns: + # - ignorednamespace + # keepLabels: + # turndown: ignore + # params: + # minNamespaceAge: 4h + # this configures the Kubecost Cluster Sizing action + # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#cluster-sizing + clusterRightsize: + # startTime: '2024-01-02T15:04:05Z' + # frequencyMinutes: 1440 + # lastCompleted: '' + # recommendationParams: + # window: 48h + # architecture: '' + # targetUtilization: 0.8 + # minNodeCount: 1 + # allowSharedCore: false + # allowCostIncrease: false + # recommendationType: '' + # this configures the Kubecost Request Sizing action + # for more details, see documentation at https://docs.kubecost.com/using-kubecost/navigating-the-kubecost-ui/savings/savings-actions#automated-request-sizing + containerRightsize: + # workloads: + # - clusterID: cluster-one + # namespace: kube-system + # controllerKind: deployment + # controllerName: kube-dns-autoscaler + # schedule: + # start: 2024-01-30T00:00 + # frequencyMinutes: 1440 + # cpuTarget: 0.8 + # ramTarget: 0.8 + 
kubescaler: # If true, will cause all (supported) workloads to be have their requests # automatically right-sized on a regular basis. @@ -1181,8 +2546,11 @@ grafana: # namespace_datasources: kubecost # override the default namespace here # namespace_dashboards: kubecost # override the default namespace here rbac: - # Manage the Grafana Pod Security Policy - pspEnabled: false + create: true + + ## Configure grafana datasources + ## ref: http://docs.grafana.org/administration/provisioning/#datasources + ## # datasources: # datasources.yaml: # apiVersion: 1 
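Review bot: `namespaceTurndown:`, `clusterRightsize:` and `containerRightsize:` under the new `actionConfigs` are all left as null keys, with the examples showing a list for the first and maps for the other two; the comment should say that null means "no action configured" and name the expected type of each, since a template iterating a nil value behaves differently from one reading an empty list or map. The namespace-turndown example is shown with `# dryRun: false`, so anyone who uncomments it as-is gets a destructive scheduled action on first run; showing `# dryRun: true` in the example is the safer illustrative default. The two examples also use different timestamp forms (`'2024-01-02T15:04:05Z'` versus `2024-01-30T00:00`); stating which format the controller accepts avoids a silently rejected schedule. The `clusterController` mapping starts before this hunk.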
@@ -1197,49 +2565,297 @@ grafana: # prometheusType: Prometheus # prometheusVersion: 2.35.0 # timeInterval: 1m + + ## Number of replicas for the Grafana deployment + replicas: 1 + + ## Deployment strategy for the Grafana deployment + deploymentStrategy: RollingUpdate + + ## Readiness probe for the Grafana deployment + readinessProbe: + httpGet: + path: /api/health + port: 3000 + + ## Liveness probe for the Grafana deployment + livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + + ## Container image settings for the Grafana deployment + image: + repository: grafana/grafana + tag: 10.3.1 + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + # pullSecrets: + # - myRegistrKeySecretName + + ## Pod-level security context for the Grafana deployment. Recommended let global defaults take effect. + securityContext: {} + # runAsUser: 472 + # fsGroup: 472 + + ## PriorityClassName for the Grafana deployment + priorityClassName: "" + + ## Container image settings for Grafana initContainer used to download dashboards. Will only be used when dashboards are present. + downloadDashboardsImage: + repository: curlimages/curl + tag: latest + pullPolicy: IfNotPresent + + ## Pod Annotations for the Grafana deployment + podAnnotations: {} + + ## Deployment annotations for the Grafana deployment + annotations: {} + + ## Expose the Grafana service to be accessed from outside the cluster (LoadBalancer service). + ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. 
+ service: + type: ClusterIP + port: 80 + annotations: {} + labels: {} + + ## Ingress service for the Grafana deployment + ingress: + enabled: false + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + pathType: Prefix + hosts: + - chart-example.local + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + + ## Resource requests and limits for the Grafana deployment + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + ## Node labels for pod assignment of the Grafana deployment + nodeSelector: {} + + ## Tolerations for pod assignment of the Grafana deployment + tolerations: [] + + ## Affinity for pod assignment of the Grafana deployment + affinity: {} + + ## Enable persistence using Persistent Volume Claims of the Grafana deployment + persistence: + enabled: false + # storageClassName: default + # accessModes: + # - ReadWriteOnce + # size: 10Gi + # annotations: {} + # subPath: "" + # existingClaim: + + ## Admin user for Grafana + adminUser: admin + + ## Admin password for Grafana + adminPassword: strongpassword + + ## Use an alternate scheduler for the Grafana deployment + # schedulerName: + + ## Extra environment variables that will be passed onto Grafana deployment pods + env: {} + + ## The name of a secret for Grafana in the same Kubernetes namespace which contain values to be added to the environment + ## This can be useful for auth tokens, etc + envFromSecret: "" + + ## Additional Grafana server secret mounts + ## Defines additional mounts with secrets. Secrets must be manually created in the namespace. 
+ extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + + ## List of Grafana plugins + plugins: [] + # - digrich-bubblechart-panel + # - grafana-clock-panel + + ## Grafana dashboard providers + ## ref: http://docs.grafana.org/administration/provisioning/#dashboards + ## + ## `path` must be /var/lib/grafana/dashboards/ + ## + dashboardProviders: {} + # dashboardproviders.yaml: + # apiVersion: 1 + # providers: + # - name: 'default' + # orgId: 1 + # folder: '' + # type: file + # disableDeletion: false + # editable: true + # options: + # path: /var/lib/grafana/dashboards/default + + ## Configure Grafana dashboard to import + ## NOTE: To use dashboards you must also enable/configure dashboardProviders + ## ref: https://grafana.com/dashboards + ## + ## dashboards per provider, use provider name as key. + ## + dashboards: {} + # default: + # prometheus-stats: + # gnetId: 3662 + # revision: 2 + # datasource: Prometheus + + ## Reference to external Grafana ConfigMap per provider. Use provider name as key and ConfiMap name as value. + ## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. 
+ ## ConfigMap data example: + ## + ## data: + ## example-dashboard.json: | + ## RAW_JSON + ## + dashboardsConfigMaps: {} + # default: "" + + ## LDAP Authentication for Grafana can be enabled with the following values on grafana.ini + ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid + # auth.ldap: + # enabled: true + # allow_sign_up: true + # config_file: /etc/grafana/ldap.toml + + ## Grafana's LDAP configuration + ## Templated by the template in _helpers.tpl + ## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled + ## ref: http://docs.grafana.org/installation/configuration/#auth-ldap + ## ref: http://docs.grafana.org/installation/ldap/#configuration + ldap: + # `existingSecret` is a reference to an existing secret containing the ldap configuration + # for Grafana in a key `ldap-toml`. + existingSecret: "" + # `config` is the content of `ldap.toml` that will be stored in the created secret + config: "" + # config: |- + # verbose_logging = true + + # [[servers]] + # host = "my-ldap-server" + # port = 636 + # use_ssl = true + # start_tls = false + # ssl_skip_verify = false + # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + + ## Grafana's SMTP configuration + ## NOTE: To enable, grafana.ini must be configured with smtp.enabled + ## ref: http://docs.grafana.org/installation/configuration/#smtp + smtp: + # `existingSecret` is a reference to an existing secret containing the smtp configuration + # for Grafana in keys `user` and `password`. 
+ existingSecret: "" + + ## Grafana sidecars that collect the configmaps with specified label and stores the included files them into the respective folders + ## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards sidecar: + image: + repository: kiwigrid/k8s-sidecar + tag: 1.25.3 + pullPolicy: IfNotPresent + resources: {} dashboards: enabled: true # label that the configmaps with dashboards are marked with label: grafana_dashboard + labelValue: "1" # set sidecar ERROR_THROTTLE_SLEEP env var from default 5s to 0s -> fixes https://github.com/kubecost/cost-analyzer-helm-chart/issues/877 annotations: {} error_throttle_sleep: 0 + folder: /tmp/dashboards datasources: # dataSourceFilename: foo.yml # If you need to change the name of the datasource file enabled: false error_throttle_sleep: 0 -# For grafana to be accessible, add the path to root_url. For example, if you run kubecost at www.foo.com:9090/kubecost -# set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana". No change is necessary here if kubecost runs at a root URL + # label that the configmaps with datasources are marked with + label: grafana_datasource + + ## Grafana's primary configuration + ## NOTE: values in map will be converted to ini format + ## ref: http://docs.grafana.org/installation/configuration/ + ## + ## For grafana to be accessible, add the path to root_url. For example, if you run kubecost at www.foo.com:9090/kubecost + ## set root_url to "%(protocol)s://%(domain)s:%(http_port)s/kubecost/grafana". 
No change is necessary here if kubecost runs at a root URL grafana.ini: server: serve_from_sub_path: false # Set to false on Grafana v10+ root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana" + paths: + data: /var/lib/grafana/data + logs: /var/log/grafana + plugins: /var/lib/grafana/plugins + provisioning: /etc/grafana/provisioning + analytics: + check_for_updates: true + log: + mode: console + grafana_net: + url: https://grafana.net + auth.anonymous: + enabled: true + org_role: Editor + org_name: Main Org. + serviceAccount: create: true # Set this to false if you're bringing your own service account. annotations: {} # name: kc-test + awsstore: useAwsStore: false - # imageNameAndVersion: gcr.io/kubecost1/awsstore:latest # Name and version of the container image for AWSStore. + imageNameAndVersion: gcr.io/kubecost1/awsstore:latest # Name and version of the container image for AWSStore. createServiceAccount: false ## PriorityClassName ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: "" + # Use a custom nodeSelector for AWSStore. + nodeSelector: {} + # kubernetes.io/arch: amd64 ## Federated ETL Architecture ## Ref: https://docs.kubecost.com/install-and-configure/install/multi-cluster/federated-etl ## federatedETL: + + ## If true, installs the minimal set of components required for a Federated ETL cluster. + agentOnly: false + ## If true, push ETL data to the federated storage bucket federatedCluster: false - ## If true, load ETL data from the combined storage bucket to display data - ## from all monitored clusters. Note, if this is your first time setting up - ## Federated ETL, ensure you see federated ETL data in combined storage before - ## setting this config to true. - primaryCluster: false - ## If true, changes the dir of S3 backup to the Federated combined store. ## Commonly used when transitioning from Thanos to Federated ETL architecture. redirectS3Backup: false 
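Review bot: `adminPassword: strongpassword` ships a fixed, publicly known credential for the Grafana admin account, and `auth.anonymous` is enabled with `org_role: Editor`, so anyone who can reach the service (ClusterIP by default, so in-cluster) can modify dashboards without logging in. Unless the template ignores `adminPassword` when a secret is supplied (not visible here), consider defaulting it to an empty string with a comment that it must be overridden or supplied via `envFromSecret`, and defaulting the anonymous role to `org_role: Viewer`. `downloadDashboardsImage.tag: latest` is also unpinned, unlike the Grafana (`10.3.1`) and sidecar (`1.25.3`) images added in the same hunk. The `grafana` mapping starts before this hunk.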
@@ -1248,39 +2864,6 @@ federatedETL: ## Prometheus) useMultiClusterDB: false - ## The Federator is responsible for combining each cluster's ETL files located - ## in the federated storage bucket, and placing results in the combined - ## storage bucket. - federator: - enabled: false - - ## Optional. Used when reconciliation is expected to occur on the Primary. - # primaryClusterID: "cluster_id" - - ## Optional. Allowlist of which cluster_ids to federate. If not set, the - ## federator will attempt to federated all clusters pushing to the federated - ## storage. - clusters: [] - - ## Optional. A list of extra volumes to pass to the federator Pod. - # extraVolumes: [] - - ## Optional. A list of extra volume mounts to pass to the federator Pod. - # extraVolumeMounts: [] - - ## Optional. An RFC 3339-formatted string. All ETL files with windows that - ## fall before this time are not processed by the Federator. If this is not - ## set, the Federator will process all files regardless of date. - # federationCutoffDate: "2022-10-18T00:00:00.000Z" - - ## Optional. You can use the Kubecost savings report for 'Right-size your - ## container requests' to determine the recommended resource requests once - ## the pod has run for 24 hours. - resources: {} - # requests: - # cpu: 100m - # memory: 500Mi - ## Kubecost Admission Controller (beta feature) ## To use this feature, ensure you have run the `create-admission-controller.sh` ## script. This generates a k8s secret with TLS keys/certificats and a 
@@ -1309,109 +2892,158 @@ costEventsAudit: # An optional list of cluster definitions that can be added for frontend access. The local # cluster is *always* included by default, so this list is for non-local clusters. # Ref: https://github.com/kubecost/docs/blob/main/multi-cluster.md -# clusters: -# - name: "Cluster A" -# address: http://cluster-a.kubecost.com:9090 -# # Optional authentication credentials - only basic auth is currently supported. -# auth: -# type: basic -# # Secret name should be a secret formatted based on: https://github.com/kubecost/docs/blob/main/ingress-examples.md -# secretName: cluster-a-auth -# # Or pass auth directly as base64 encoded user:pass -# data: YWRtaW46YWRtaW4= -# # Or user and pass directly -# user: admin -# pass: admin -# - name: "Cluster B" -# address: http://cluster-b.kubecost.com:9090 -# defaultModelPricing: # default monthly resource prices, used predominately for on-prem clusters. Use quotes if setting "0.00" for any item. -# CPU: 28.0 -# spotCPU: 4.86 -# RAM: 3.09 -# spotRAM: 0.65 -# GPU: 693.50 -# spotGPU: 225.0 -# storage: 0.04 -# zoneNetworkEgress: 0.01 -# regionNetworkEgress: 0.01 -# internetNetworkEgress: 0.12 -# enabled: true -# # The cluster profile represents a predefined set of parameters to use when calculating savings. -# # Possible values are: [ development, production, high-availability ] -# clusterProfile: production -# customPricesEnabled: false # This makes the default view custom prices-- generally used for on-premises clusters -# spotLabel: lifecycle -# spotLabelValue: Ec2Spot -# gpuLabel: gpu -# gpuLabelValue: true -# awsServiceKeyName: ACCESSKEYID -# awsServiceKeyPassword: fakepassword # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName -# awsSpotDataRegion: us-east-1 -# awsSpotDataBucket: spot-data-feed-s3-bucket -# awsSpotDataPrefix: dev -# athenaProjectID: "530337586277" # The AWS AccountID where the Athena CUR is. 
Generally your masterpayer account -# athenaBucketName: "s3://aws-athena-query-results-530337586277-us-east-1" -# athenaRegion: us-east-1 -# athenaDatabase: athenacurcfn_athena_test1 -# athenaTable: "athena_test1" -# athenaWorkgroup: "primary" # The default workgroup in AWS is 'primary' -# masterPayerARN: "" -# projectID: "123456789" # Also known as AccountID on AWS -- the current account/project that this instance of Kubecost is deployed on. -# gcpSecretName: gcp-secret # Name of a secret representing the gcp service key -# gcpSecretKeyName: compute-viewer-kubecost-key.json # Name of the secret's key containing the gcp service key -# bigQueryBillingDataDataset: billing_data.gcp_billing_export_v1_01AC9F_74CF1D_5565A2 -# labelMappingConfigs: # names of k8s labels or annotations used to designate different allocation concepts -# enabled: true -# owner_label: "owner" -# team_label: "team" -# department_label: "dept" -# product_label: "product" -# environment_label: "env" -# namespace_external_label: "kubernetes_namespace" # external labels/tags are used to map external cloud costs to kubernetes concepts -# cluster_external_label: "kubernetes_cluster" -# controller_external_label: "kubernetes_controller" -# product_external_label: "kubernetes_label_app" -# service_external_label: "kubernetes_service" -# deployment_external_label: "kubernetes_deployment" -# owner_external_label: "kubernetes_label_owner" -# team_external_label: "kubernetes_label_team" -# environment_external_label: "kubernetes_label_env" -# department_external_label: "kubernetes_label_department" -# statefulset_external_label: "kubernetes_statefulset" -# daemonset_external_label: "kubernetes_daemonset" -# pod_external_label: "kubernetes_pod" -# grafanaURL: "" -# # Provide a mapping from Account ID to a readable Account Name in a key/value object. 
Provide Account IDs as they are displayed in CloudCost -# # as the 'key' and the Account Name associated with it as the 'value' -# cloudAccountMapping: -# EXAMPLE_ACCOUNT_ID: EXAMPLE_ACCOUNT_NAME -# clusterName: "" # clusterName is the default context name in settings. -# clusterAccountID: "" # Manually set Account property for assets -# currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, IDR, INR, JPY, NOK, PLN, SEK -# azureBillingRegion: US # Represents 2-letter region code, e.g. West Europe = NL, Canada = CA. ref: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes -# azureSubscriptionID: 0bd50fdf-c923-4e1e-850c-196dd3dcc5d3 -# azureClientID: f2ef6f7d-71fb-47c8-b766-8d63a19db017 -# azureTenantID: 72faf3ff-7a3f-4597-b0d9-7b0b201bb23a -# azureClientPassword: fake key # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName -# azureOfferDurableID: "MS-AZR-0003p" -# discount: "" # percentage discount applied to compute -# negotiatedDiscount: "" # custom negotiated cloud provider discount -# defaultIdle: false -# serviceKeySecretName: "" # Use an existing AWS or Azure secret with format as in aws-service-key-secret.yaml or azure-service-key-secret.yaml. Leave blank if using createServiceKeySecret -# createServiceKeySecret: true # Creates a secret representing your cloud service key based on data in values.yaml. If you are storing unencrypted values, add a secret manually -# sharedNamespaces: "" # namespaces with shared workloads, example value: "kube-system\,ingress-nginx\,kubecost\,monitoring" -# sharedOverhead: "" # value representing a fixed external cost per month to be distributed among aggregations. 
-# shareTenancyCosts: true # enable or disable sharing costs such as cluster management fees (defaults to "true" on Settings page) -# metricsConfigs: # configuration for metrics emitted by Kubecost -# disabledMetrics: [] # list of metrics that Kubecost will not emit. Note that disabling metrics can lead to unexpected behavior in the cost-model. -# productKey: # apply business or enterprise product license -# key: "" -# enabled: false -# secretname: productkeysecret # create a secret out of a file named productkey.json of format { "key": "kc-b1325234" }. If the secretname is specified, a configmap with the key will not be created -# mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) declare the path at which the product key file is mounted (eg. by a secrets provisioner). The file must be of format { "key": "kc-b1325234" } -# cloudIntegrationSecret: "cloud-integration" -# ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior. -# regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions + # clusters: + # - name: "Cluster A" + # address: http://cluster-a.kubecost.com:9090 + # # Optional authentication credentials - only basic auth is currently supported. + # auth: + # type: basic + # # Secret name should be a secret formatted based on: https://github.com/kubecost/docs/blob/main/ingress-examples.md + # secretName: cluster-a-auth + # # Or pass auth directly as base64 encoded user:pass + # data: YWRtaW46YWRtaW4= + # # Or user and pass directly + # user: admin + # pass: admin + # - name: "Cluster B" + # address: http://cluster-b.kubecost.com:9090 + # defaultModelPricing: # default monthly resource prices, used predominately for on-prem clusters. Use quotes if setting "0.00" for any item. 
+ # CPU: 28.0 + # spotCPU: 4.86 + # RAM: 3.09 + # spotRAM: 0.65 + # GPU: 693.50 + # spotGPU: 225.0 + # storage: 0.04 + # zoneNetworkEgress: 0.01 + # regionNetworkEgress: 0.01 + # internetNetworkEgress: 0.12 + # enabled: true + # # The cluster profile represents a predefined set of parameters to use when calculating savings. + # # Possible values are: [ development, production, high-availability ] + # clusterProfile: production + # customPricesEnabled: false # This makes the default view custom prices-- generally used for on-premises clusters + # spotLabel: lifecycle + # spotLabelValue: Ec2Spot + # gpuLabel: gpu + # gpuLabelValue: true + # awsServiceKeyName: ACCESSKEYID + # awsServiceKeyPassword: fakepassword # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName + # awsSpotDataRegion: us-east-1 + # awsSpotDataBucket: spot-data-feed-s3-bucket + # awsSpotDataPrefix: dev + # athenaProjectID: "530337586277" # The AWS AccountID where the Athena CUR is. Generally your masterpayer account + # athenaBucketName: "s3://aws-athena-query-results-530337586277-us-east-1" + # athenaRegion: us-east-1 + # athenaDatabase: athenacurcfn_athena_test1 + # athenaTable: "athena_test1" + # athenaWorkgroup: "primary" # The default workgroup in AWS is 'primary' + # masterPayerARN: "" + # projectID: "123456789" # Also known as AccountID on AWS -- the current account/project that this instance of Kubecost is deployed on. 
+ # gcpSecretName: gcp-secret # Name of a secret representing the gcp service key
+ # gcpSecretKeyName: compute-viewer-kubecost-key.json # Name of the secret's key containing the gcp service key
+ # bigQueryBillingDataDataset: billing_data.gcp_billing_export_v1_01AC9F_74CF1D_5565A2
+ # labelMappingConfigs: # names of k8s labels or annotations used to designate different allocation concepts
+ # enabled: true
+ # owner_label: "owner"
+ # team_label: "team"
+ # department_label: "dept"
+ # product_label: "product"
+ # environment_label: "env"
+ # namespace_external_label: "kubernetes_namespace" # external labels/tags are used to map external cloud costs to kubernetes concepts
+ # cluster_external_label: "kubernetes_cluster"
+ # controller_external_label: "kubernetes_controller"
+ # product_external_label: "kubernetes_label_app"
+ # service_external_label: "kubernetes_service"
+ # deployment_external_label: "kubernetes_deployment"
+ # owner_external_label: "kubernetes_label_owner"
+ # team_external_label: "kubernetes_label_team"
+ # environment_external_label: "kubernetes_label_env"
+ # department_external_label: "kubernetes_label_department"
+ # statefulset_external_label: "kubernetes_statefulset"
+ # daemonset_external_label: "kubernetes_daemonset"
+ # pod_external_label: "kubernetes_pod"
+ # grafanaURL: ""
+ # # Provide a mapping from Account ID to a readable Account Name in a key/value object. Provide Account IDs as they are displayed in CloudCost
+ # # as the 'key' and the Account Name associated with it as the 'value'
+ # cloudAccountMapping:
+ # EXAMPLE_ACCOUNT_ID: EXAMPLE_ACCOUNT_NAME
+ # clusterName: "" # clusterName is the default context name in settings.
+ # clusterAccountID: "" # Manually set Account property for assets
+ # currencyCode: "USD" # official support for USD, AUD, BRL, CAD, CHF, CNY, DKK, EUR, GBP, IDR, INR, JPY, NOK, PLN, SEK
+ # azureBillingRegion: US # Represents 2-letter region code, e.g. West Europe = NL, Canada = CA. ref: https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes
+ # azureSubscriptionID: 0bd50fdf-c923-4e1e-850c-196dd3dcc5d3
+ # azureClientID: f2ef6f7d-71fb-47c8-b766-8d63a19db017
+ # azureTenantID: 72faf3ff-7a3f-4597-b0d9-7b0b201bb23a
+ # azureClientPassword: fake key # Only use if your values.yaml are stored encrypted. Otherwise provide an existing secret via serviceKeySecretName
+ # azureOfferDurableID: "MS-AZR-0003p"
+ # discount: "" # percentage discount applied to compute
+ # negotiatedDiscount: "" # custom negotiated cloud provider discount
+ # defaultIdle: false
+ # serviceKeySecretName: "" # Use an existing AWS or Azure secret with format as in aws-service-key-secret.yaml or azure-service-key-secret.yaml. Leave blank if using createServiceKeySecret
+ # createServiceKeySecret: true # Creates a secret representing your cloud service key based on data in values.yaml. If you are storing unencrypted values, add a secret manually
+ # sharedNamespaces: "" # namespaces with shared workloads, example value: "kube-system\,ingress-nginx\,kubecost\,monitoring"
+ # sharedOverhead: "" # value representing a fixed external cost per month to be distributed among aggregations.
+ # shareTenancyCosts: true # enable or disable sharing costs such as cluster management fees (defaults to "true" on Settings page)
+ # metricsConfigs: # configuration for metrics emitted by Kubecost
+ # disabledMetrics: [] # list of metrics that Kubecost will not emit. Note that disabling metrics can lead to unexpected behavior in the cost-model.
+ # productKey: # apply business or enterprise product license
+ # key: ""
+ # enabled: false
+ # secretname: productkeysecret # create a secret out of a file named productkey.json of format { "key": "kc-b1325234" }. If the secretname is specified, a configmap with the key will not be created
+ # mountPath: "/some/custom/path/productkey.json" # (use instead of secretname) declare the path at which the product key file is mounted (eg. by a secrets provisioner). The file must be of format { "key": "kc-b1325234" }
+
+ ## Specify an existing Kubernetes Secret holding the cloud integration information. This Secret must contain
+ ## a key with name `cloud-integration.json` and the contents must be in a specific format. It is expected
+ ## to exist in the release Namespace. This is mutually exclusive with cloudIntegrationJSON where only one must be defined.
+ # cloudIntegrationSecret: "cloud-integration"
+
+ ## Specify the cloud integration information in JSON form if pointing to an existing Secret is not desired or you'd rather
+ ## define the cloud integration information directly in the values file. This will result in a new Secret being created
+ ## named `cloud-integration` in the release Namespace. It is mutually exclusive with the cloudIntegrationSecret where only one must be defined.
+ # cloudIntegrationJSON: |-
+ # {
+ # "aws": [
+ # {
+ # "athenaBucketName": "s3://AWS_cloud_integration_athenaBucketName",
+ # "athenaRegion": "AWS_cloud_integration_athenaRegion",
+ # "athenaDatabase": "AWS_cloud_integration_athenaDatabase",
+ # "athenaTable": "AWS_cloud_integration_athenaBucketName",
+ # "projectID": "AWS_cloud_integration_athena_projectID",
+ # "serviceKeyName": "AWS_cloud_integration_athena_serviceKeyName",
+ # "serviceKeySecret": "AWS_cloud_integration_athena_serviceKeySecret"
+ # }
+ # ],
+ # "azure": [
+ # {
+ # "azureSubscriptionID": "my-subscription-id",
+ # "azureStorageAccount": "my-storage-account",
+ # "azureStorageAccessKey": "my-storage-access-key",
+ # "azureStorageContainer": "my-storage-container"
+ # }
+ # ],
+ # "gcp": [
+ # {
+ # "projectID": "my-project-id",
+ # "billingDataDataset": "detailedbilling.my-billing-dataset",
+ # "key": {
+ # "type": "service_account",
+ # "project_id": "my-project-id",
+ # "private_key_id": "my-private-key-id",
+ # "private_key": "my-pem-encoded-private-key",
+ # "client_email": "my-service-account-name@my-project-id.iam.gserviceaccount.com",
+ # "client_id": "my-client-id",
+ # "auth_uri": "auth-uri",
+ # "token_uri": "token-uri",
+ # "auth_provider_x509_cert_url": "my-x509-provider-cert",
+ # "client_x509_cert_url": "my-x509-cert-url"
+ # }
+ # }
+ # ]
+ # }
+
+ # ingestPodUID: false # Enables using UIDs to uniquely ID pods. This requires either Kubecost's replicated KSM metrics, or KSM v2.1.0+. This may impact performance, and changes the default cost-model allocation behavior.
+ # regionOverrides: "region1,region2,region3" # list of regions which will override default costmodel provider regions
 # -- Array of extra K8s manifests to deploy
 ## Note: Supports use of custom Helm templates
diff --git a/charts/kuma/kuma/Chart.yaml b/charts/kuma/kuma/Chart.yaml
index 99862cc6e..7a93dbcea 100644
--- a/charts/kuma/kuma/Chart.yaml
+++ b/charts/kuma/kuma/Chart.yaml
@@ -4,7 +4,7 @@ annotations:
 catalog.cattle.io/namespace: kuma-system
 catalog.cattle.io/release-name: kuma
 apiVersion: v2
-appVersion: 2.5.1
+appVersion: 2.6.0
 description: A Helm chart for the Kuma Control Plane
 home: https://github.com/kumahq/kuma
 icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg
@@ -20,4 +20,4 @@ maintainers:
 name: nickolaev
 name: kuma
 type: application
-version: 2.5.1
+version: 2.6.0
diff --git a/charts/kuma/kuma/README.md b/charts/kuma/kuma/README.md
index 52e005421..c1d3b3f2d 100644
--- a/charts/kuma/kuma/README.md
+++ b/charts/kuma/kuma/README.md
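Review bot: The new `cloudIntegrationJSON` example in this hunk shows a GCP service-account `private_key` and an Azure `azureStorageAccessKey` written straight into the values file, but unlike the neighbouring `awsServiceKeyPassword` and `azureClientPassword` lines it carries no note that the values file then holds long-lived cloud credentials in plaintext, which the chart turns into the generated `cloud-integration` Secret. I would extend its description with `## As with awsServiceKeyPassword above, only inline credentials here if your values.yaml is stored encrypted; otherwise point cloudIntegrationSecret at a Secret you manage outside the chart.` The AWS entry also has a copy-paste slip, `"athenaTable": "AWS_cloud_integration_athenaBucketName",` which should read `"athenaTable": "AWS_cloud_integration_athenaTable",`. The parent key under which this block is being re-indented is outside the hunk, so I cannot confirm the new two-space nesting is correct for it.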
@@ -2,7 +2,7 @@ A Helm chart for the Kuma Control Plane -![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.5.1](https://img.shields.io/badge/Version-2.5.1-informational?style=flat-square) ![AppVersion: 2.5.1](https://img.shields.io/badge/AppVersion-2.5.1-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-build-informational?style=flat-square) ![AppVersion: 2.6.0](https://img.shields.io/badge/AppVersion-2.6.0-build-informational?style=flat-square) **Homepage:** @@ -22,7 +22,7 @@ A Helm chart for the Kuma Control Plane | controlPlane.extraLabels | object | `{}` | Labels to add to resources in addition to default labels | | controlPlane.logLevel | string | `"info"` | Kuma CP log level: one of off,info,debug | | controlPlane.logOutputPath | string | `""` | Kuma CP log output path: Defaults to /dev/stdout | -| controlPlane.mode | string | `"standalone"` | Kuma CP modes: one of standalone,zone,global | +| controlPlane.mode | string | `"zone"` | Kuma CP modes: one of zone,global | | controlPlane.zone | string | `nil` | Kuma CP zone, if running multizone | | controlPlane.kdsGlobalAddress | string | `""` | Only used in `zone` mode | | controlPlane.replicas | int | `1` | Number of replicas of the Kuma CP. Ignored when autoscaling is enabled | 
@@ -46,7 +46,7 @@ A Helm chart for the Kuma Control Plane | controlPlane.service.enabled | bool | `true` | Whether to create a service resource. | | controlPlane.service.name | string | `nil` | Optionally override of the Kuma Control Plane Service's name | | controlPlane.service.type | string | `"ClusterIP"` | Service type of the Kuma Control Plane | -| controlPlane.service.annotations | object | `{}` | Additional annotations to put on the Kuma Control Plane | +| controlPlane.service.annotations | object | `{"prometheus.io/port":"5680","prometheus.io/scrape":"true"}` | Annotations to put on the Kuma Control Plane | | controlPlane.ingress.enabled | bool | `false` | Install K8s Ingress resource that exposes GUI and API | | controlPlane.ingress.ingressClassName | string | `nil` | IngressClass defines which controller will implement the resource | | controlPlane.ingress.hostname | string | `nil` | Ingress hostname | @@ -117,6 +117,7 @@ A Helm chart for the Kuma Control Plane | cni.resources.limits.memory | string | `"100Mi"` | | | cni.podSecurityContext | object | `{}` | Security context at the pod level for cni | | cni.containerSecurityContext | object | `{"readOnlyRootFilesystem":true,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0}` | Security context at the container level for cni | +| dataPlane.dnsLogging | bool | `false` | If true, then turn on CoreDNS query logging | | dataPlane.image.repository | string | `"kuma-dp"` | The Kuma DP image repository | | dataPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma DP ImagePullPolicy | | dataPlane.image.tag | string | `nil` | Kuma DP Image Tag. When not specified, the value is copied from global.tag | diff --git a/charts/kuma/kuma/crds/kuma.io_circuitbreakers.yaml b/charts/kuma/kuma/crds/kuma.io_circuitbreakers.yaml index 8a0af998e..449e4eb81 100644 --- a/charts/kuma/kuma/crds/kuma.io_circuitbreakers.yaml +++ b/charts/kuma/kuma/crds/kuma.io_circuitbreakers.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: circuitbreakers.kuma.io spec: group: kuma.io @@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_containerpatches.yaml b/charts/kuma/kuma/crds/kuma.io_containerpatches.yaml index 5fbde85cf..654bbf928 100644 
--- a/charts/kuma/kuma/crds/kuma.io_containerpatches.yaml +++ b/charts/kuma/kuma/crds/kuma.io_containerpatches.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: containerpatches.kuma.io spec: group: kuma.io @@ -23,14 +23,19 @@ spec: sidecar containers. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: type: string 
@@ -62,9 +67,9 @@ spec: description: Path is a jsonpatch path string. type: string value: - description: Value must be a string representing a valid json - object used by replace and add operations. String has to be - escaped with " to be valid a json object. + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. type: string required: - op @@ -94,9 +99,9 @@ spec: description: Path is a jsonpatch path string. type: string value: - description: Value must be a string representing a valid json - object used by replace and add operations. String has to be - escaped with " to be valid a json object. + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. type: string required: - op diff --git a/charts/kuma/kuma/crds/kuma.io_dataplaneinsights.yaml b/charts/kuma/kuma/crds/kuma.io_dataplaneinsights.yaml index 79a541f21..b184e1955 100644 --- a/charts/kuma/kuma/crds/kuma.io_dataplaneinsights.yaml +++ b/charts/kuma/kuma/crds/kuma.io_dataplaneinsights.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dataplaneinsights.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_dataplanes.yaml b/charts/kuma/kuma/crds/kuma.io_dataplanes.yaml index 1f0088638..9d0be07cd 100644 --- a/charts/kuma/kuma/crds/kuma.io_dataplanes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_dataplanes.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: dataplanes.kuma.io spec: group: kuma.io @@ -40,17 +40,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_externalservices.yaml b/charts/kuma/kuma/crds/kuma.io_externalservices.yaml index 02be62004..038ea3f7a 100644 
--- a/charts/kuma/kuma/crds/kuma.io_externalservices.yaml +++ b/charts/kuma/kuma/crds/kuma.io_externalservices.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: externalservices.kuma.io spec: group: kuma.io @@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: 
diff --git a/charts/kuma/kuma/crds/kuma.io_faultinjections.yaml b/charts/kuma/kuma/crds/kuma.io_faultinjections.yaml index 5eeef6418..93ce367fc 100644 --- a/charts/kuma/kuma/crds/kuma.io_faultinjections.yaml +++ b/charts/kuma/kuma/crds/kuma.io_faultinjections.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: faultinjections.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_healthchecks.yaml b/charts/kuma/kuma/crds/kuma.io_healthchecks.yaml index c138c08e7..9599e09dd 100644 --- a/charts/kuma/kuma/crds/kuma.io_healthchecks.yaml +++ b/charts/kuma/kuma/crds/kuma.io_healthchecks.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: healthchecks.kuma.io spec: group: kuma.io @@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml b/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml index 411c1bb2c..df9919d58 100644 
--- a/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshaccesslogs.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshaccesslogs.kuma.io spec: group: kuma.io @@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -48,8 +53,9 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' properties: backends: items: @@ -59,10 +65,16 @@ spec: file based access logs properties: format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators properties: json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' items: properties: key: @@ -72,8 +84,10 @@ spec: type: object type: array omitEmptyValues: + default: false type: boolean plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' type: string type: enum: @@ -86,6 +100,8 @@ spec: path: description: Path to a file that logs will be written to + example: /tmp/access.log + minLength: 1 type: string required: - path @@ -94,8 +110,12 @@ spec: description: Defines an OpenTelemetry logging backend. properties: attributes: - description: Attributes can contain placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Attributes can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' items: properties: key: 
@@ -105,9 +125,17 @@ spec: type: object type: array body: - description: Body is a raw string or an OTLP any - value as described at https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body - It can contain placeholders available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' x-kubernetes-preserve-unknown-fields: true endpoint: description: Endpoint of OpenTelemetry collector. @@ -123,12 +151,20 @@ spec: properties: address: description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 type: string format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators properties: json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' items: properties: key: @@ -138,8 +174,10 @@ spec: type: object type: array omitEmptyValues: + default: false type: boolean plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' type: string type: enum: 
@@ -164,8 +202,9 @@ spec: type: array type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. + description: |- + TargetRef is a reference to the resource that represents a group of + clients. properties: kind: description: Kind of the referenced resource @@ -182,15 +221,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: @@ -198,9 +249,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. properties: kind: description: Kind of the referenced resource 
@@ -217,14 +269,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: @@ -233,8 +298,9 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' properties: backends: items: @@ -244,10 +310,16 @@ spec: file based access logs properties: format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators properties: json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' items: properties: key: 
@@ -257,8 +329,10 @@ spec: type: object type: array omitEmptyValues: + default: false type: boolean plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' type: string type: enum: @@ -271,6 +345,8 @@ spec: path: description: Path to a file that logs will be written to + example: /tmp/access.log + minLength: 1 type: string required: - path @@ -279,8 +355,12 @@ spec: description: Defines an OpenTelemetry logging backend. properties: attributes: - description: Attributes can contain placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Attributes can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' items: properties: key: @@ -290,9 +370,17 @@ spec: type: object type: array body: - description: Body is a raw string or an OTLP any - value as described at https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body - It can contain placeholders available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' x-kubernetes-preserve-unknown-fields: true endpoint: description: Endpoint of OpenTelemetry collector. 
@@ -308,12 +396,20 @@ spec: properties: address: description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 type: string format: - description: Format of access logs. Placeholders - available on https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators properties: json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' items: properties: key: @@ -323,8 +419,10 @@ spec: type: object type: array omitEmptyValues: + default: false type: boolean plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' type: string type: enum: @@ -349,8 +447,9 @@ spec: type: array type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -367,15 +466,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml b/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml index ffae58e55..3c6a01d82 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshcircuitbreakers.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshcircuitbreakers.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,228 +54,216 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' properties: connectionLimits: - description: ConnectionLimits contains configuration of - each circuit breaking limit, which when exceeded makes - the circuit breaker to become open (no traffic is allowed - like no current is allowed in the circuits when physical + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical circuit breaker ir open) properties: maxConnectionPools: - description: The maximum number of connection pools - per cluster that are concurrently supported at once. - Set this for clusters which create a large number - of connection pools. + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. format: int32 type: integer maxConnections: - description: The maximum number of connections allowed - to be made to the upstream cluster. + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. format: int32 type: integer maxPendingRequests: - description: The maximum number of pending requests - that are allowed to the upstream cluster. This limit - is applied as a connection limit for non-HTTP traffic. + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. format: int32 type: integer maxRequests: - description: The maximum number of parallel requests - that are allowed to be made to the upstream cluster. 
- This limit does not apply to non-HTTP traffic. + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. format: int32 type: integer maxRetries: - description: The maximum number of parallel retries - that will be allowed to the upstream cluster. + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. format: int32 type: integer type: object outlierDetection: - description: OutlierDetection contains the configuration - of the process of dynamically determining whether some - number of hosts in an upstream cluster are performing - unlike the others and removing them from the healthy load - balancing set. Performance might be along different axes - such as consecutive failures, temporal success rate, temporal - latency, etc. Outlier detection is a form of passive health - checking. + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected. + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. 
type: string detectors: description: Contains configuration for supported outlier detectors properties: failurePercentage: - description: Failure Percentage based outlier detection - functions similarly to success rate detection, - in that it relies on success rate data from each - host in a cluster. However, rather than compare - those values to the mean success rate of the cluster - as a whole, they are compared to a flat user-configured - threshold. This threshold is configured via the + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the outlierDetection.failurePercentageThreshold field. - The other configuration fields for failure percentage - based detection are similar to the fields for - success rate detection. As with success rate detection, - detection will not be performed for a host if - its request volume over the aggregation interval - is less than the outlierDetection.detectors.failurePercentage.requestVolume - value. Detection also will not be performed for - a cluster if the number of hosts with the minimum - required request volume in an interval is less - than the outlierDetection.detectors.failurePercentage.minimumHosts - value. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. 
+ Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. properties: minimumHosts: - description: The minimum number of hosts in - a cluster in order to perform failure percentage-based - ejection. If the total number of hosts in - the cluster is less than this value, failure - percentage-based ejection will not be performed. + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. format: int32 type: integer requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration above) to - perform failure percentage-based ejection - for this host. If the volume is lower than - this setting, failure percentage-based ejection - will not be performed for this host. + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. format: int32 type: integer threshold: - description: The failure percentage to use when - determining failure percentage-based outlier - detection. If the failure percentage of a - given host is greater than or equal to this - value, it will be ejected. + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. 
format: int32 type: integer type: object gatewayFailures: - description: In the default mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and local origin - failures, such as timeout, TCP reset etc. In split - mode (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and is supported - only by the http router. + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. properties: consecutive: - description: The number of consecutive gateway - failures (502, 503, 504 status codes) before - a consecutive gateway failure ejection occurs. + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. format: int32 type: integer type: object localOriginFailures: - description: 'This detection type is enabled only - when outlierDetection.splitExternalLocalOriginErrors - is true and takes into account only locally originated - errors (timeout, reset, etc). If Envoy repeatedly - cannot connect to an upstream host or communication - with the upstream host is repeatedly interrupted, - it will be ejected. Various locally originated - problems are detected: timeout, TCP reset, ICMP - errors, etc. This detection type is supported - by http router and tcp proxy.' 
+ description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. properties: consecutive: - description: The number of consecutive locally - originated failures before ejection occurs. - Parameter takes effect only when splitExternalAndLocalErrors + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors is set to true. format: int32 type: integer type: object successRate: - description: 'Success Rate based outlier detection - aggregates success rate data from every host in - a cluster. Then at given intervals ejects hosts - based on statistical outlier detection. Success - Rate outlier detection will not be calculated - for a host if its request volume over the aggregation - interval is less than the outlierDetection.detectors.successRate.requestVolume - value. Moreover, detection will not be performed - for a cluster if the number of hosts with the - minimum required request volume in an interval - is less than the outlierDetection.detectors.successRate.minimumHosts - value. In the default configuration mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - all types of errors: locally and externally originated. - In split mode (outlierDetection.splitExternalLocalOriginErrors - is true), locally originated errors and externally - originated (transaction) errors are counted and - treated separately.' 
+ description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. properties: minimumHosts: - description: The number of hosts in a cluster - that must have enough request volume to detect - success rate outliers. If the number of hosts - is less than this setting, outlier detection - via success rate statistics is not performed + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed for any host in the cluster. format: int32 type: integer requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration configured - in outlierDetection section) to include this - host in success rate based outlier detection. - If the volume is lower than this setting, - outlier detection via success rate statistics - is not performed for that host. 
+ description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. format: int32 type: integer standardDeviationFactor: anyOf: - type: integer - type: string - description: 'This factor is used to determine - the ejection threshold for success rate outlier - ejection. The ejection threshold is the difference - between the mean success rate, and the product - of this factor and the standard deviation - of the mean success rate: mean - (standard_deviation - * success_rate_standard_deviation_factor). - Either int or decimal represented as string.' + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. x-kubernetes-int-or-string: true type: object totalFailures: - description: 'In the default mode (outlierDetection.splitExternalAndLocalErrors - is false) this detection type takes into account - all generated errors: locally originated and externally - originated (transaction) errors. In split mode - (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - only externally originated (transaction) errors, - ignoring locally originated errors. If an upstream - host is an HTTP-server, only 5xx types of error - are taken into account (see Consecutive Gateway - Failure for exceptions). 
Properly formatted responses, - even when they carry an operational error (like - index not found, access denied) are not taken - into account.' + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. properties: consecutive: - description: The number of consecutive server-side - error responses (for HTTP traffic, 5xx responses; - for TCP traffic, connection failures; for - Redis, failure to respond PONG; etc.) before - a consecutive total failure ejection occurs. + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. format: int32 type: integer type: object 
@@ -280,28 +273,29 @@ spec: won't take any effect type: boolean interval: - description: The time interval between ejection analysis - sweeps. This can result in both new ejections and - hosts being returned to service. + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. format: int32 type: integer splitExternalAndLocalErrors: - description: 'Determines whether to distinguish local - origin failures from external errors. If set to true - the following configuration parameters are taken into - account: detectors.localOriginFailures.consecutive' + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive type: boolean type: object type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
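Review bot: `maxEjectionPercent` is documented in this hunk as a percentage that defaults to 10%, yet the schema beneath it stays a bare `format: int32` / `type: integer` with no `minimum: 0` / `maximum: 100`, so values such as 200 or -5 pass CRD admission and are rejected only later, if at all. Since this file is controller-gen output, the bound belongs on the Go field as `// +kubebuilder:validation:Minimum=0` and `// +kubebuilder:validation:Maximum=100` rather than in the YAML. The same applies to the `maxEjectionPercent` block in the hunk at `@@ -600,28 +609,29 @@`, and presumably to `detectors.failurePercentage.threshold` in the larger hunk between them, which is also described as a percentage but carries no range.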
@@ -318,15 +312,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: @@ -334,9 +340,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined in place. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in place. properties: kind: description: Kind of the referenced resource 
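Review bot: The new `proxyTypes` array has `minItems: 1` but no upper bound and no list-type declaration, so an arbitrarily long list of repeated `Sidecar`/`Gateway` entries is accepted at admission; with only two enum values, `maxItems: 2` plus `x-kubernetes-list-type: set` (the `// +kubebuilder:validation:MaxItems=2` and `// +listType=set` markers on the Go field, since this YAML is controller-gen output) would reject duplicates and bound the object size. The `name` description in the same hunk still says the field can be used with `MeshGatewayRoute`, while the `kind` enum visible for the equivalent targetRef in kuma.io_meshfaultinjections.yaml lists `MeshHTTPRoute` and no `MeshGatewayRoute`; if the enum is the same here, the doc comment on the Go type is stale. The identical `proxyTypes` block appears in the hunks at `@@ -353,244 +360,246 @@`, `@@ -638,15 +648,27 @@`, `@@ -144,15 +153,27 @@` and `@@ -179,16 +201,161 @@`.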
@@ -353,244 +360,246 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: - description: To list makes a match between the consumed services and - corresponding configurations + description: |- + To list makes a match between the consumed services and corresponding + configurations items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' properties: connectionLimits: - description: ConnectionLimits contains configuration of - each circuit breaking limit, which when exceeded makes - the circuit breaker to become open (no traffic is allowed - like no current is allowed in the circuits when physical + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical circuit breaker ir open) properties: maxConnectionPools: - description: The 
maximum number of connection pools - per cluster that are concurrently supported at once. - Set this for clusters which create a large number - of connection pools. + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. format: int32 type: integer maxConnections: - description: The maximum number of connections allowed - to be made to the upstream cluster. + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. format: int32 type: integer maxPendingRequests: - description: The maximum number of pending requests - that are allowed to the upstream cluster. This limit - is applied as a connection limit for non-HTTP traffic. + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. format: int32 type: integer maxRequests: - description: The maximum number of parallel requests - that are allowed to be made to the upstream cluster. - This limit does not apply to non-HTTP traffic. + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. format: int32 type: integer maxRetries: - description: The maximum number of parallel retries - that will be allowed to the upstream cluster. + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. format: int32 type: integer type: object outlierDetection: - description: OutlierDetection contains the configuration - of the process of dynamically determining whether some - number of hosts in an upstream cluster are performing - unlike the others and removing them from the healthy load - balancing set. 
Performance might be along different axes - such as consecutive failures, temporal success rate, temporal - latency, etc. Outlier detection is a form of passive health - checking. + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. properties: baseEjectionTime: - description: The base time that a host is ejected for. - The real time is equal to the base time multiplied - by the number of times the host has been ejected. + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. type: string detectors: description: Contains configuration for supported outlier detectors properties: failurePercentage: - description: Failure Percentage based outlier detection - functions similarly to success rate detection, - in that it relies on success rate data from each - host in a cluster. However, rather than compare - those values to the mean success rate of the cluster - as a whole, they are compared to a flat user-configured - threshold. This threshold is configured via the + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the outlierDetection.failurePercentageThreshold field. 
- The other configuration fields for failure percentage - based detection are similar to the fields for - success rate detection. As with success rate detection, - detection will not be performed for a host if - its request volume over the aggregation interval - is less than the outlierDetection.detectors.failurePercentage.requestVolume - value. Detection also will not be performed for - a cluster if the number of hosts with the minimum - required request volume in an interval is less - than the outlierDetection.detectors.failurePercentage.minimumHosts - value. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. properties: minimumHosts: - description: The minimum number of hosts in - a cluster in order to perform failure percentage-based - ejection. If the total number of hosts in - the cluster is less than this value, failure - percentage-based ejection will not be performed. + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. format: int32 type: integer requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration above) to - perform failure percentage-based ejection - for this host. 
If the volume is lower than - this setting, failure percentage-based ejection - will not be performed for this host. + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. format: int32 type: integer threshold: - description: The failure percentage to use when - determining failure percentage-based outlier - detection. If the failure percentage of a - given host is greater than or equal to this - value, it will be ejected. + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. format: int32 type: integer type: object gatewayFailures: - description: In the default mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and local origin - failures, such as timeout, TCP reset etc. In split - mode (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - a subset of 5xx errors, called "gateway errors" - (502, 503 or 504 status code) and is supported - only by the http router. + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. 
+ In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. properties: consecutive: - description: The number of consecutive gateway - failures (502, 503, 504 status codes) before - a consecutive gateway failure ejection occurs. + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. format: int32 type: integer type: object localOriginFailures: - description: 'This detection type is enabled only - when outlierDetection.splitExternalLocalOriginErrors - is true and takes into account only locally originated - errors (timeout, reset, etc). If Envoy repeatedly - cannot connect to an upstream host or communication - with the upstream host is repeatedly interrupted, - it will be ejected. Various locally originated - problems are detected: timeout, TCP reset, ICMP - errors, etc. This detection type is supported - by http router and tcp proxy.' + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. properties: consecutive: - description: The number of consecutive locally - originated failures before ejection occurs. - Parameter takes effect only when splitExternalAndLocalErrors + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors is set to true. 
format: int32 type: integer type: object successRate: - description: 'Success Rate based outlier detection - aggregates success rate data from every host in - a cluster. Then at given intervals ejects hosts - based on statistical outlier detection. Success - Rate outlier detection will not be calculated - for a host if its request volume over the aggregation - interval is less than the outlierDetection.detectors.successRate.requestVolume - value. Moreover, detection will not be performed - for a cluster if the number of hosts with the - minimum required request volume in an interval - is less than the outlierDetection.detectors.successRate.minimumHosts - value. In the default configuration mode (outlierDetection.splitExternalLocalOriginErrors - is false) this detection type takes into account - all types of errors: locally and externally originated. - In split mode (outlierDetection.splitExternalLocalOriginErrors - is true), locally originated errors and externally - originated (transaction) errors are counted and - treated separately.' + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. 
+ In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. properties: minimumHosts: - description: The number of hosts in a cluster - that must have enough request volume to detect - success rate outliers. If the number of hosts - is less than this setting, outlier detection - via success rate statistics is not performed + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed for any host in the cluster. format: int32 type: integer requestVolume: - description: The minimum number of total requests - that must be collected in one interval (as - defined by the interval duration configured - in outlierDetection section) to include this - host in success rate based outlier detection. - If the volume is lower than this setting, - outlier detection via success rate statistics - is not performed for that host. + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. format: int32 type: integer standardDeviationFactor: anyOf: - type: integer - type: string - description: 'This factor is used to determine - the ejection threshold for success rate outlier - ejection. The ejection threshold is the difference - between the mean success rate, and the product - of this factor and the standard deviation - of the mean success rate: mean - (standard_deviation - * success_rate_standard_deviation_factor). - Either int or decimal represented as string.' 
+ description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. x-kubernetes-int-or-string: true type: object totalFailures: - description: 'In the default mode (outlierDetection.splitExternalAndLocalErrors - is false) this detection type takes into account - all generated errors: locally originated and externally - originated (transaction) errors. In split mode - (outlierDetection.splitExternalLocalOriginErrors - is true) this detection type takes into account - only externally originated (transaction) errors, - ignoring locally originated errors. If an upstream - host is an HTTP-server, only 5xx types of error - are taken into account (see Consecutive Gateway - Failure for exceptions). Properly formatted responses, - even when they carry an operational error (like - index not found, access denied) are not taken - into account.' + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. 
properties: consecutive: - description: The number of consecutive server-side - error responses (for HTTP traffic, 5xx responses; - for TCP traffic, connection failures; for - Redis, failure to respond PONG; etc.) before - a consecutive total failure ejection occurs. + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. format: int32 type: integer type: object 
@@ -600,28 +609,29 @@ spec: won't take any effect type: boolean interval: - description: The time interval between ejection analysis - sweeps. This can result in both new ejections and - hosts being returned to service. + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. type: string maxEjectionPercent: - description: The maximum % of an upstream cluster that - can be ejected due to outlier detection. Defaults - to 10% but will eject at least one host regardless - of the value. + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. format: int32 type: integer splitExternalAndLocalErrors: - description: 'Determines whether to distinguish local - origin failures from external errors. If set to true - the following configuration parameters are taken into - account: detectors.localOriginFailures.consecutive' + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive type: boolean type: object type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -638,15 +648,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshes.yaml b/charts/kuma/kuma/crds/kuma.io_meshes.yaml index 7e1848086..5b7a9fd65 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshes.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml b/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml index be0a3a7ca..4150c0fdd 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshfaultinjections.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshfaultinjections.kuma.io spec: group: kuma.io @@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -49,8 +54,9 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' properties: http: description: Http allows to define list of Http faults between 
@@ -60,10 +66,10 @@ spec: of faults between dataplanes. properties: abort: - description: Abort defines a configuration of not - delivering requests to destination service and replacing - the responses from destination dataplane by predefined - status code + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code properties: httpStatus: description: HTTP status code which will be returned @@ -74,9 +80,9 @@ spec: anyOf: - type: integer - type: string - description: Percentage of requests on which abort - will be injected, has to be either int or decimal - represented as string. + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. x-kubernetes-int-or-string: true required: - httpStatus @@ -90,9 +96,9 @@ spec: anyOf: - type: integer - type: string - description: Percentage of requests on which delay - will be injected, has to be either int or decimal - represented as string. + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. x-kubernetes-int-or-string: true value: description: The duration during which the response 
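Review bot: `httpStatus` in the `abort` block rewritten here is a bare `format: int32` integer with no `minimum`/`maximum`, so values outside the HTTP status range (0, 1000, negatives) pass CRD admission and fail, if at all, only when the control plane builds the proxy configuration. Adding `// +kubebuilder:validation:Minimum=100` and `// +kubebuilder:validation:Maximum=599` on the Go field (this file is controller-gen output) yields `minimum: 100` / `maximum: 599` in the generated schema. The `abort` properties continue past the end of this hunk.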
@@ -103,20 +109,22 @@ spec: - value type: object responseBandwidth: - description: ResponseBandwidth defines a configuration - to limit the speed of responding to the requests + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests properties: limit: - description: Limit is represented by value measure - in gbps, mbps, kbps or bps, e.g. 10kbps + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. + 10kbps type: string percentage: anyOf: - type: integer - type: string - description: Percentage of requests on which response - bandwidth limit will be either int or decimal - represented as string. + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. x-kubernetes-int-or-string: true required: - limit @@ -126,8 +134,9 @@ spec: type: array type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
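Review bot: The rewritten `limit` description now reads `Gbps, Mbps, kbps, e.g. 10kbps`, which mixes capitalisation and drops the `bps` unit the old text listed, while the field itself stays an unconstrained `type: string` with no `pattern`. Since the description is generated from the Go doc comment, fix the wording there and consider a `// +kubebuilder:validation:Pattern` covering the unit suffixes the proxy actually accepts, so a malformed limit is rejected at admission rather than at reconcile time; the exact unit set should be confirmed against the consuming code rather than taken from this text. The same description appears in the new `to` section in the hunk at `@@ -179,16 +201,161 @@`.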
@@ -144,15 +153,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: @@ -160,9 +181,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource 
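Review bot: Because this CRD lives under `charts/kuma/kuma/crds/`, `helm upgrade` does not apply the schema change that adds `proxyTypes` here; on a cluster that already has the older CRD installed, a policy that sets `proxyTypes` is accepted but the field is pruned by the `apiextensions.k8s.io/v1` structural schema (no `x-kubernetes-preserve-unknown-fields` is visible), so the restriction to `Sidecar` or `Gateway` is silently dropped and the policy applies to all data plane types. That silent widening of scope is worth calling out in the chart's upgrade notes, or avoided by applying the `crds/` directory separately before upgrading. The enclosing `targetRef` object starts before this hunk.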
@@ -179,16 +201,161 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. + items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. 
+ x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. + 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshServiceSubset + - MeshHTTPRoute + type: string + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. 
+ items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array required: - targetRef type: object diff --git a/charts/kuma/kuma/crds/kuma.io_meshgatewayinstances.yaml b/charts/kuma/kuma/crds/kuma.io_meshgatewayinstances.yaml index b0056e5ad..afa0c4789 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshgatewayinstances.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshgatewayinstances.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshgatewayinstances.kuma.io spec: group: kuma.io 
@@ -19,18 +19,24 @@ spec:
- name: v1alpha1
schema:
openAPIV3Schema:
- description: MeshGatewayInstance represents a managed instance of a dataplane
- proxy for a Kuma Gateway.
+ description: |-
+ MeshGatewayInstance represents a managed instance of a dataplane proxy for a Kuma
+ Gateway.
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -86,29 +92,37 @@ spec:
type: object
replicas:
default: 1
- description: Replicas is the number of dataplane proxy replicas to
- create. For now this is a fixed number, but in the future it could
- be automatically scaled based on metrics.
+ description: |-
+ Replicas is the number of dataplane proxy replicas to create. For
+ now this is a fixed number, but in the future it could be
+ automatically scaled based on metrics.
format: int32
minimum: 1
type: integer
resources:
- description: Resources specifies the compute resources for the proxy
- container. The default can be set in the control plane config.
+ description: |-
+ Resources specifies the compute resources for the proxy container.
+ The default can be set in the control plane config.
properties:
claims:
- description: "Claims lists the names of resources, defined in
- spec.resourceClaims, that are used by this container. \n This
- is an alpha field and requires enabling the DynamicResourceAllocation
- feature gate. \n This field is immutable. It can only be set
- for containers."
+ description: |-
+ Claims lists the names of resources, defined in spec.resourceClaims,
+ that are used by this container.
+
+
+ This is an alpha field and requires enabling the
+ DynamicResourceAllocation feature gate.
+
+
+ This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
- description: Name must match the name of one entry in pod.spec.resourceClaims
- of the Pod where this field is used. It makes that resource
- available inside a container.
+ description: |-
+ Name must match the name of one entry in pod.spec.resourceClaims of
+ the Pod where this field is used. It makes that resource available
+ inside a container.
type: string
required:
- name
@@ -124,8 +138,9 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Limits describes the maximum amount of compute resources
- allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Limits describes the maximum amount of compute resources allowed.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
@@ -134,11 +149,11 @@ spec:
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
- description: 'Requests describes the minimum amount of compute
- resources required. If Requests is omitted for a container,
- it defaults to Limits if that is explicitly specified, otherwise
- to an implementation-defined value. Requests cannot exceed Limits.
- More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: |-
+ Requests describes the minimum amount of compute resources required.
+ If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+ otherwise to an implementation-defined value. Requests cannot exceed Limits.
+ More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
serviceTemplate:
@@ -170,11 +185,12 @@ spec:
type: object
serviceType:
default: LoadBalancer
- description: ServiceType specifies the type of managed Service that
- will be created to expose the dataplane proxies to traffic from
- outside the cluster. The ports to expose will be taken from the
- matching Gateway resource. If there is no matching Gateway, the
- managed Service will be deleted.
+ description: |-
+ ServiceType specifies the type of managed Service that will be
+ created to expose the dataplane proxies to traffic from outside
+ the cluster. The ports to expose will be taken from the matching Gateway
+ resource. If there is no matching Gateway, the managed Service will
+ be deleted.
enum:
- LoadBalancer
- ClusterIP
@@ -183,55 +199,58 @@ spec: tags: additionalProperties: type: string - description: Tags specifies the Kuma tags that are propagated to the - managed dataplane proxies. These tags should include exactly one - `kuma.io/service` tag, and should match exactly one Gateway resource. + description: |- + Tags specifies the Kuma tags that are propagated to the managed + dataplane proxies. These tags should include exactly one + `kuma.io/service` tag, and should match exactly one Gateway + resource. type: object type: object status: - description: MeshGatewayInstanceStatus holds information about the status - of the gateway instance. + description: |- + MeshGatewayInstanceStatus holds information about the status of the gateway + instance. properties: conditions: description: Conditions is an array of gateway instance conditions. items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 @@ -245,11 +264,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -265,41 +285,54 @@ spec: - type x-kubernetes-list-type: map loadBalancer: - description: LoadBalancer contains the current status of the load-balancer, + description: |- + LoadBalancer contains the current status of the load-balancer, if one is present. properties: ingress: - description: Ingress is a list containing ingress points for the - load-balancer. Traffic intended for the service should be sent - to these ingress points. + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. items: - description: 'LoadBalancerIngress represents the status of a - load-balancer ingress point: traffic intended for the service - should be sent to an ingress point.' + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. properties: hostname: - description: Hostname is set for load-balancer ingress points - that are DNS based (typically AWS load-balancers) + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) type: string ip: - description: IP is set for load-balancer ingress points - that are IP based (typically GCE or OpenStack load-balancers) + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. 
type: string ports: - description: Ports is a list of records of service ports - If used, every port defined in the service should have - an entry in it + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it items: properties: error: - description: 'Error is to record the problem with - the service port The format of the error shall comply - with the following rules: - built-in error values - shall be specified in this file and those shall - use CamelCase names - cloud provider specific error - values must have names that comply with the format - foo.example.com/CamelCase. --- The regex it matches - is (dns1123SubdomainFmt/)?(qualifiedNameFmt)' + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + --- + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -310,9 +343,9 @@ spec: type: integer protocol: default: TCP - description: 'Protocol is the protocol of the service - port of which status is recorded here The supported - values are: "TCP", "UDP", "SCTP"' + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" type: string required: - port diff --git a/charts/kuma/kuma/crds/kuma.io_meshgatewayroutes.yaml b/charts/kuma/kuma/crds/kuma.io_meshgatewayroutes.yaml index 81ffb9b48..15156ae47 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshgatewayroutes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshgatewayroutes.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: meshgatewayroutes.kuma.io
spec:
group: kuma.io
@@ -21,17 +21,23 @@ spec:
openAPIV3Schema:
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_meshgateways.yaml b/charts/kuma/kuma/crds/kuma.io_meshgateways.yaml
index 76eba91ac..5ec1b4267 100644
--- a/charts/kuma/kuma/crds/kuma.io_meshgateways.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_meshgateways.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: meshgateways.kuma.io
spec:
group: kuma.io
@@ -21,17 +21,23 @@ spec:
openAPIV3Schema:
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml b/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml
index f97352a7d..20a819786 100644
--- a/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_meshhealthchecks.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
name: meshhealthchecks.kuma.io
spec:
group: kuma.io
@@ -28,14 +28,19 @@ spec:
openAPIV3Schema:
properties:
apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
@@ -43,9 +48,10 @@ spec:
description: Spec is the specification of the Kuma MeshHealthCheck resource.
properties:
targetRef:
- description: TargetRef is a reference to the resource the policy takes
- an effect on. The resource could be either a real store object or
- virtual resource defined inplace.
+ description: |-
+ TargetRef is a reference to the resource the policy takes an effect on.
+ The resource could be either a real store object or virtual resource
+ defined inplace.
properties:
kind:
description: Kind of the referenced resource
@@ -62,14 +68,27 @@ spec:
mesh resources.
type: string
name:
- description: 'Name of the referenced resource. Can only be used
- with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`'
+ description: |-
+ Name of the referenced resource. Can only be used with kinds: `MeshService`,
+ `MeshServiceSubset` and `MeshGatewayRoute`
type: string
+ proxyTypes:
+ description: |-
+ ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
+ all data plane types are targeted by the policy.
+ items:
+ enum:
+ - Sidecar
+ - Gateway
+ type: string
+ minItems: 1
+ type: array
tags:
additionalProperties:
type: string
- description: Tags used to select a subset of proxies by tags.
- Can only be used with kinds `MeshSubset` and `MeshServiceSubset`
+ description: |-
+ Tags used to select a subset of proxies by tags. Can only be used with kinds
+ `MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
@@ -78,36 +97,37 @@ spec:
items:
properties:
default:
- description: Default is a configuration specific to the group
- of destinations referenced in 'targetRef'
+ description: |-
+ Default is a configuration specific to the group of destinations referenced in
+ 'targetRef'
properties:
alwaysLogHealthCheckFailures:
- description: If set to true, health check failure events
- will always be logged. If set to false, only the initial
- health check failure event will be logged. The default
- value is false.
+ description: |-
+ If set to true, health check failure events will always be logged. If set
+ to false, only the initial health check failure event will be logged. The
+ default value is false.
type: boolean
eventLogPath:
- description: Specifies the path to the file where Envoy
- can log health check events. If empty, no event log will
- be written.
+ description: |-
+ Specifies the path to the file where Envoy can log health check events.
+ If empty, no event log will be written.
type: string
failTrafficOnPanic:
- description: If set to true, Envoy will not consider any
- hosts when the cluster is in 'panic mode'. Instead, the
- cluster will fail all requests as if all hosts are unhealthy.
- This can help avoid potentially overwhelming a failing
+ description: |-
+ If set to true, Envoy will not consider any hosts when the cluster is in
+ 'panic mode'. Instead, the cluster will fail all requests as if all hosts
+ are unhealthy. This can help avoid potentially overwhelming a failing
service.
type: boolean
grpc:
- description: GrpcHealthCheck defines gRPC configuration
- which will instruct the service the health check will
- be made for is a gRPC service.
+ description: |-
+ GrpcHealthCheck defines gRPC configuration which will instruct the service
+ the health check will be made for is a gRPC service.
properties:
authority:
- description: The value of the :authority header in the
- gRPC health check request, by default name of the
- cluster this health check is associated with
+ description: |-
+ The value of the :authority header in the gRPC health check request,
+ by default name of the cluster this health check is associated with
type: string
disabled:
description: If true the GrpcHealthCheck is disabled
@@ -121,10 +141,10 @@ spec:
anyOf:
- type: integer
- type: string
- description: Allows to configure panic threshold for Envoy
- cluster. If not specified, the default is 50%. To disable
- panic mode, set to 0%. Either int or decimal represented
- as string.
+ description: |-
+ Allows to configure panic threshold for Envoy cluster. If not specified,
+ the default is 50%. To disable panic mode, set to 0%.
+ Either int or decimal represented as string.
x-kubernetes-int-or-string: true
healthyThreshold:
default: 1
@@ -133,9 +153,9 @@ spec:
format: int32
type: integer
http:
- description: HttpHealthCheck defines HTTP configuration
- which will instruct the service the health check will
- be made for is an HTTP service.
+ description: |-
+ HttpHealthCheck defines HTTP configuration which will instruct the service
+ the health check will be made for is an HTTP service.
properties:
disabled:
description: If true the HttpHealthCheck is disabled
@@ -149,12 +169,14 @@ spec:
type: array
path:
default: /
- description: The HTTP path which will be requested during
- the health check (ie. /health)
+ description: |-
+ The HTTP path which will be requested during the health check
+ (ie. /health)
type: string
requestHeadersToAdd:
- description: The list of HTTP headers which should be
- added to each health check request
+ description: |-
+ The list of HTTP headers which should be added to each health check
+ request
properties:
add:
items:
@@ -197,59 +219,57 @@ spec: type: object type: object initialJitter: - description: If specified, Envoy will start health checking - after a random time in ms between 0 and initialJitter. - This only applies to the first health check. + description: |- + If specified, Envoy will start health checking after a random time in + ms between 0 and initialJitter. This only applies to the first health + check. type: string interval: default: 1m description: Interval between consecutive health checks. type: string intervalJitter: - description: If specified, during every interval Envoy will - add IntervalJitter to the wait time. + description: |- + If specified, during every interval Envoy will add IntervalJitter to the + wait time. type: string intervalJitterPercent: - description: If specified, during every interval Envoy will - add IntervalJitter * IntervalJitterPercent / 100 to the - wait time. If IntervalJitter and IntervalJitterPercent - are both set, both of them will be used to increase the - wait time. + description: |- + If specified, during every interval Envoy will add IntervalJitter * + IntervalJitterPercent / 100 to the wait time. If IntervalJitter and + IntervalJitterPercent are both set, both of them will be used to + increase the wait time. format: int32 type: integer noTrafficInterval: - description: The "no traffic interval" is a special health - check interval that is used when a cluster has never had - traffic routed to it. This lower interval allows cluster - information to be kept up to date, without sending a potentially - large amount of active health checking traffic for no - reason. Once a cluster has been used for traffic routing, - Envoy will shift back to using the standard health check - interval that is defined. Note that this interval takes - precedence over any other. The default value for "no traffic - interval" is 60 seconds. 
+ description: |- + The "no traffic interval" is a special health check interval that is used + when a cluster has never had traffic routed to it. This lower interval + allows cluster information to be kept up to date, without sending a + potentially large amount of active health checking traffic for no reason. + Once a cluster has been used for traffic routing, Envoy will shift back + to using the standard health check interval that is defined. Note that + this interval takes precedence over any other. The default value for "no + traffic interval" is 60 seconds. type: string reuseConnection: description: Reuse health check connection between health checks. Default is true. type: boolean tcp: - description: TcpHealthCheck defines configuration for specifying - bytes to send and expected response during the health - check + description: |- + TcpHealthCheck defines configuration for specifying bytes to send and + expected response during the health check properties: disabled: description: If true the TcpHealthCheck is disabled type: boolean receive: - description: List of Base64 encoded blocks of strings - expected as a response. When checking the response, - "fuzzy" matching is performed such that each block - must be found, and in the order specified, but not - necessarily contiguous. If not provided or empty, - checks will be performed as "connect only" and be - marked as successful when TCP connection is successfully - established. + description: |- + List of Base64 encoded blocks of strings expected as a response. When checking the response, + "fuzzy" matching is performed such that each block must be found, and + in the order specified, but not necessarily contiguous. + If not provided or empty, checks will be performed as "connect only" and be marked as successful when TCP connection is successfully established. items: type: string type: array 
@@ -264,14 +284,16 @@ spec: type: string unhealthyThreshold: default: 5 - description: Number of consecutive unhealthy checks before - considering a host unhealthy. + description: |- + Number of consecutive unhealthy checks before considering a host + unhealthy. format: int32 type: integer type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource @@ -288,15 +310,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml b/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml index 23e575e7e..fdb83f834 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshhttproutes.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshhttproutes.kuma.io spec: group: kuma.io @@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43,9 +48,10 @@ spec: description: Spec is the specification of the Kuma MeshHTTPRoute resource. properties: targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource @@ -62,14 +68,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: 
@@ -77,14 +96,25 @@ spec: configuration. items: properties: + hostnames: + description: |- + Hostnames is only valid when targeting MeshGateway and limits the + effects of the rules to requests to this hostname. + Given hostnames must intersect with the hostname of the listeners the + route attaches to. + items: + type: string + type: array rules: - description: Rules contains the routing rules applies to a combination - of top-level targetRef and the targetRef in this entry. + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. items: properties: default: - description: Default holds routing rules that can be merged - with rules from other policies. + description: |- + Default holds routing rules that can be merged with rules from other + policies. properties: backendRefs: items: @@ -106,15 +136,26 @@ spec: to identify cross mesh resources. type: string name: - description: 'Name of the referenced resource. - Can only be used with kinds: `MeshService`, - `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of - proxies by tags. Can only be used with kinds + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` type: object weight: 
@@ -127,11 +168,10 @@ spec: items: properties: requestHeaderModifier: - description: Only one action is supported per - header name. Configuration to set or add multiple - values for a header must use RFC 7230 header - value formatting, separating each value with - a comma. + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. properties: add: items: @@ -200,26 +240,36 @@ spec: use to identify cross mesh resources. type: string name: - description: 'Name of the referenced - resource. Can only be used with kinds: - `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset - of proxies by tags. Can only be used - with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object percentage: anyOf: - type: integer - type: string - description: Percentage of requests to mirror. - If not specified, all requests to the - target cluster will be mirrored. + description: |- + Percentage of requests to mirror. If not specified, all requests + to the target cluster will be mirrored. x-kubernetes-int-or-string: true required: - backendRef 
@@ -227,26 +277,24 @@ spec: requestRedirect: properties: hostname: - description: "PreciseHostname is the fully - qualified domain name of a network host. - This matches the RFC 1123 definition of - a hostname with 1 notable exception that + description: |- + PreciseHostname is the fully qualified domain name of a network host. This + matches the RFC 1123 definition of a hostname with 1 notable exception that numeric IP addresses are not allowed. - \n Note that as per RFC1035 and RFC1123, - a *label* must consist of lower case alphanumeric - characters or '-', and must start and - end with an alphanumeric character. No - other punctuation is allowed." + + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string path: - description: Path defines parameters used - to modify the path of the incoming request. - The modified path is then used to construct - the location header. When empty, the request - path is used as-is. + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the location header. + When empty, the request path is used as-is. properties: replaceFullPath: type: string @@ -261,10 +309,10 @@ spec: - type type: object port: - description: Port is the port to be used - in the value of the `Location` header - in the response. When empty, port (if - specified) of the request is used. + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. format: int32 maximum: 65535 minimum: 1 
@@ -287,11 +335,10 @@ spec: type: integer type: object responseHeaderModifier: - description: Only one action is supported per - header name. Configuration to set or add multiple - values for a header must use RFC 7230 header - value formatting, separating each value with - a comma. + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. properties: add: items: @@ -347,6 +394,11 @@ spec: type: string urlRewrite: properties: + hostToBackendHostname: + description: |- + HostToBackendHostname rewrites the hostname to the hostname of the + upstream host. This option is only available when targeting MeshGateways. + type: boolean hostname: description: Hostname is the value to be used to replace the host header value @@ -377,20 +429,21 @@ spec: type: array type: object matches: - description: Matches describes how to match HTTP requests - this rule should be applied to. + description: |- + Matches describes how to match HTTP requests this rule should be applied + to. items: properties: headers: items: - description: HeaderMatch describes how to select - an HTTP route by matching HTTP request headers. + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. properties: name: - description: Name is the name of the HTTP - Header to be matched. Name MUST be lower - case as they will be handled with case insensitivity - (See https://tools.ietf.org/html/rfc7230#section-3.2). + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). maxLength: 256 minLength: 1 pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ 
@@ -435,9 +488,9 @@ spec: - RegularExpression type: string value: - description: Exact or prefix matches must be - an absolute path. A prefix matches only if - separated by a slash or the entire path. + description: |- + Exact or prefix matches must be an absolute path. A prefix matches only + if separated by a slash or the entire path. minLength: 1 type: string required: @@ -445,9 +498,9 @@ spec: - value type: object queryParams: - description: QueryParams matches based on HTTP URL - query parameters. Multiple matches are ANDed together - such that all listed matches must succeed. + description: |- + QueryParams matches based on HTTP URL query parameters. Multiple matches + are ANDed together such that all listed matches must succeed. items: properties: name: @@ -475,8 +528,9 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource that represents - a group of request destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + request destinations. properties: kind: description: Kind of the referenced resource 
@@ -493,15 +547,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object type: object diff --git a/charts/kuma/kuma/crds/kuma.io_meshinsights.yaml b/charts/kuma/kuma/crds/kuma.io_meshinsights.yaml index f9c307168..c72f08ed9 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshinsights.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshinsights.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshinsights.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml b/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml index 83d193e81..023ce1768 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshloadbalancingstrategies.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshloadbalancingstrategies.kuma.io spec: group: kuma.io @@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44,9 +49,10 @@ spec: resource. properties: targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource @@ -63,14 +69,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: 
@@ -79,42 +98,51 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' properties: loadBalancer: description: LoadBalancer allows to specify load balancing algorithm. properties: leastRequest: - description: LeastRequest selects N random available - hosts as specified in 'choiceCount' (2 by default) + description: |- + LeastRequest selects N random available hosts as specified in 'choiceCount' (2 by default) and picks the host which has the fewest active requests properties: + activeRequestBias: + anyOf: + - type: integer + - type: string + description: |- + ActiveRequestBias refers to dynamic weights applied when hosts have varying load + balancing weights. A higher value here aggressively reduces the weight of endpoints + that are currently handling active requests. In essence, the higher the ActiveRequestBias + value, the more forcefully it reduces the load balancing weight of endpoints that are + actively serving requests. + x-kubernetes-int-or-string: true choiceCount: - description: ChoiceCount is the number of random - healthy hosts from which the host with the fewest - active requests will be chosen. Defaults to 2 - so that Envoy performs two-choice selection if - the field is not set. + description: |- + ChoiceCount is the number of random healthy hosts from which the host with + the fewest active requests will be chosen. Defaults to 2 so that Envoy performs + two-choice selection if the field is not set. format: int32 minimum: 2 type: integer type: object maglev: - description: Maglev implements consistent hashing to - upstream hosts. Maglev can be used as a drop in replacement - for the ring hash load balancer any place in which + description: |- + Maglev implements consistent hashing to upstream hosts. 
Maglev can be used as + a drop in replacement for the ring hash load balancer any place in which consistent hashing is desired. properties: hashPolicies: - description: HashPolicies specify a list of request/connection - properties that are used to calculate a hash. - These hash policies are executed in the specified - order. If a hash policy has the “terminal” attribute - set to true, and there is already a hash generated, - the hash is returned immediately, ignoring the - rest of the hash policy list. + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. items: properties: connection: @@ -145,12 +173,10 @@ spec: filterState: properties: key: - description: The name of the Object in - the per-request filterState, which is - an Envoy::Hashable object. If there - is no data associated with the key, - or the stored object is not Envoy::Hashable, - no hash will be produced. + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. minLength: 1 type: string required: 
@@ -170,25 +196,21 @@ spec: queryParameter: properties: name: - description: The name of the URL query - parameter that will be used to obtain - the hash key. If the parameter is not - present, no hash will be produced. Query - parameter names are case-sensitive. + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. minLength: 1 type: string required: - name type: object terminal: - description: 'Terminal is a flag that short-circuits - the hash computing. This field provides - a ‘fallback’ style of configuration: “if - a terminal policy doesn’t work, fallback - to rest of the policy list”, it saves time - when the terminal policy works. If true, - and there is already a hash computed, ignore - rest of the list of hash polices.' + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. type: boolean type: enum: 
@@ -203,51 +225,45 @@ spec: type: object type: array tableSize: - description: The table size for Maglev hashing. - Maglev aims for “minimal disruption” rather than - an absolute guarantee. Minimal disruption means - that when the set of upstream hosts change, a - connection will likely be sent to the same upstream - as it was before. Increasing the table size reduces - the amount of disruption. The table size must - be prime number limited to 5000011. If it is not - specified, the default is 65537. + description: |- + The table size for Maglev hashing. Maglev aims for “minimal disruption” + rather than an absolute guarantee. Minimal disruption means that when + the set of upstream hosts change, a connection will likely be sent + to the same upstream as it was before. Increasing the table size reduces + the amount of disruption. The table size must be prime number limited to 5000011. + If it is not specified, the default is 65537. format: int32 maximum: 5000011 minimum: 1 type: integer type: object random: - description: Random selects a random available host. - The random load balancer generally performs better - than round-robin if no health checking policy is configured. - Random selection avoids bias towards the host in the - set that comes after a failed host. + description: |- + Random selects a random available host. The random load balancer generally + performs better than round-robin if no health checking policy is configured. + Random selection avoids bias towards the host in the set that comes after a failed host. type: object ringHash: - description: RingHash implements consistent hashing - to upstream hosts. Each host is mapped onto a circle - (the “ring”) by hashing its address; each request - is then routed to a host by hashing some property - of the request, and finding the nearest corresponding - host clockwise around the ring. + description: |- + RingHash implements consistent hashing to upstream hosts. 
Each host is mapped + onto a circle (the “ring”) by hashing its address; each request is then routed + to a host by hashing some property of the request, and finding the nearest + corresponding host clockwise around the ring. properties: hashFunction: - description: HashFunction is a function used to - hash hosts onto the ketama ring. The value defaults - to XX_HASH. Available values – XX_HASH, MURMUR_HASH_2. + description: |- + HashFunction is a function used to hash hosts onto the ketama ring. + The value defaults to XX_HASH. Available values – XX_HASH, MURMUR_HASH_2. enum: - XXHash - MurmurHash2 type: string hashPolicies: - description: HashPolicies specify a list of request/connection - properties that are used to calculate a hash. - These hash policies are executed in the specified - order. If a hash policy has the “terminal” attribute - set to true, and there is already a hash generated, - the hash is returned immediately, ignoring the - rest of the hash policy list. + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. items: properties: connection: @@ -278,12 +294,10 @@ spec: filterState: properties: key: - description: The name of the Object in - the per-request filterState, which is - an Envoy::Hashable object. If there - is no data associated with the key, - or the stored object is not Envoy::Hashable, - no hash will be produced. + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. minLength: 1 type: string required: 
@@ -303,25 +317,21 @@ spec: queryParameter: properties: name: - description: The name of the URL query - parameter that will be used to obtain - the hash key. If the parameter is not - present, no hash will be produced. Query - parameter names are case-sensitive. + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. minLength: 1 type: string required: - name type: object terminal: - description: 'Terminal is a flag that short-circuits - the hash computing. This field provides - a ‘fallback’ style of configuration: “if - a terminal policy doesn’t work, fallback - to rest of the policy list”, it saves time - when the terminal policy works. If true, - and there is already a hash computed, ignore - rest of the list of hash polices.' + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. type: boolean type: enum: 
@@ -336,28 +346,27 @@ spec: type: object type: array maxRingSize: - description: Maximum hash ring size. Defaults to - 8M entries, and limited to 8M entries, but can - be lowered to further constrain resource use. + description: |- + Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, + but can be lowered to further constrain resource use. format: int32 maximum: 8000000 minimum: 1 type: integer minRingSize: - description: Minimum hash ring size. The larger - the ring is (that is, the more hashes there are - for each provided host) the better the request - distribution will reflect the desired weights. - Defaults to 1024 entries, and limited to 8M entries. + description: |- + Minimum hash ring size. The larger the ring is (that is, + the more hashes there are for each provided host) the better the request distribution + will reflect the desired weights. Defaults to 1024 entries, and limited to 8M entries. format: int32 maximum: 8000000 minimum: 1 type: integer type: object roundRobin: - description: RoundRobin is a load balancing algorithm - that distributes requests across available upstream - hosts in round-robin order. + description: |- + RoundRobin is a load balancing algorithm that distributes requests + across available upstream hosts in round-robin order. type: object type: enum: @@ -375,8 +384,8 @@ spec: locality aware load balancing. properties: crossZone: - description: CrossZone defines locality aware load balancing - priorities when dataplane proxies inside local zone + description: |- + CrossZone defines locality aware load balancing priorities when dataplane proxies inside local zone are unavailable properties: failover: 
@@ -420,14 +429,12 @@ spec: type: object type: array failoverThreshold: - description: 'FailoverThreshold defines the percentage - of live destination dataplane proxies below which - load balancing to the next priority starts. Example: - If you configure failoverThreshold to 70, and - you have deployed 10 destination dataplane proxies. - Load balancing to next priority will start when - number of live destination dataplane proxies drops - below 7. Default 50' + description: |- + FailoverThreshold defines the percentage of live destination dataplane proxies below which load balancing to the + next priority starts. + Example: If you configure failoverThreshold to 70, and you have deployed 10 destination dataplane proxies. + Load balancing to next priority will start when number of live destination dataplane proxies drops below 7. + Default 50 properties: percentage: anyOf: @@ -439,9 +446,9 @@ spec: type: object type: object disabled: - description: Disabled allows to disable locality-aware - load balancing. When disabled requests are distributed - across all endpoints regardless of locality. + description: |- + Disabled allows to disable locality-aware load balancing. + When disabled requests are distributed across all endpoints regardless of locality. type: boolean localZone: description: LocalZone defines locality aware load balancing 
@@ -457,22 +464,13 @@ spec: is configured type: string weight: - description: 'Weight of the tag used for load - balancing. The bigger the weight the bigger - the priority. Percentage of local traffic - load balanced to tag is computed by dividing - weight by sum of weights from all tags. - For example with two affinity tags first - with weight 80 and second with weight 20, - then 80% of traffic will be redirected to - the first tag, and 20% of traffic will be - redirected to second one. Setting weights - is not mandatory. When weights are not set - control plane will compute default weight - based on list order. Default: If you do - not specify weight we will adjust them so - that 90% traffic goes to first tag, 9% to - next, and 1% to third and so on.' + description: |- + Weight of the tag used for load balancing. The bigger the weight the bigger the priority. + Percentage of local traffic load balanced to tag is computed by dividing weight by sum of weights from all tags. + For example with two affinity tags first with weight 80 and second with weight 20, + then 80% of traffic will be redirected to the first tag, and 20% of traffic will be redirected to second one. + Setting weights is not mandatory. When weights are not set control plane will compute default weight based on list order. + Default: If you do not specify weight we will adjust them so that 90% traffic goes to first tag, 9% to next, and 1% to third and so on. format: int32 type: integer required: @@ -483,8 +481,9 @@ spec: type: object type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -501,15 +500,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml b/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml new file mode 100644 index 000000000..fe9eac6be --- /dev/null +++ b/charts/kuma/kuma/crds/kuma.io_meshmetrics.yaml 
@@ -0,0 +1,205 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.14.0 + name: meshmetrics.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshMetric + listKind: MeshMetricList + plural: meshmetrics + singular: meshmetric + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshMetric resource. + properties: + default: + description: MeshMetric configuration. + properties: + applications: + description: Applications is a list of application that Dataplane + Proxy will scrape + items: + properties: + address: + description: Address on which an application listens. + type: string + name: + description: Name of the application to scrape + type: string + path: + default: /metrics/prometheus + description: Path on which an application expose HTTP endpoint + with metrics. + type: string + port: + description: Port on which an application expose HTTP endpoint + with metrics. 
+ format: int32 + type: integer + required: + - port + type: object + type: array + backends: + description: Backends list that will be used to collect metrics. + items: + properties: + openTelemetry: + description: OpenTelemetry backend configuration + properties: + endpoint: + description: Endpoint for OpenTelemetry collector + type: string + required: + - endpoint + type: object + prometheus: + description: Prometheus backend configuration. + properties: + clientId: + description: ClientId of the Prometheus backend. Needed + when using MADS for DP discovery. + type: string + path: + default: /metrics + description: Path on which a dataplane should expose + HTTP endpoint with Prometheus metrics. + type: string + port: + default: 5670 + description: Port on which a dataplane should expose + HTTP endpoint with Prometheus metrics. + format: int32 + type: integer + tls: + description: Configuration of TLS for prometheus listener. + properties: + mode: + default: Disabled + description: Configuration of TLS for Prometheus + listener. + enum: + - Disabled + - ProvidedTLS + - ActiveMTLSBackend + type: string + required: + - mode + type: object + required: + - path + - port + type: object + type: + description: Type of the backend that will be used to collect + metrics. At the moment only Prometheus backend is available. + enum: + - Prometheus + - OpenTelemetry + type: string + required: + - type + type: object + type: array + sidecar: + description: Sidecar metrics collection configuration + properties: + includeUnused: + default: false + description: |- + IncludeUnused if false will scrape only metrics that has been by sidecar (counters incremented + at least once, gauges changed at least once, and histograms added to at + least once). If true will scrape all metrics (even the ones with zeros). + type: boolean + regex: + description: Regex that will be used to filter sidecar metrics. 
+ It uses Google RE2 engine https://github.com/google/re2 + type: string + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshServiceSubset + - MeshHTTPRoute + type: string + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml b/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml index 42b4cd47c..5d86a0bd6 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshproxypatches.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshproxypatches.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43,7 +48,8 @@ spec: description: Spec is the specification of the Kuma MeshProxyPatch resource. properties: default: - description: Default is a configuration specific to the group of destinations + description: |- + Default is a configuration specific to the group of destinations referenced in 'targetRef'. properties: appendModifications: 
@@ -56,8 +62,9 @@ spec: resource. properties: jsonPatches: - description: JsonPatches specifies list of jsonpatches - to apply to on Envoy's Cluster resource + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Cluster + resource items: description: JsonPatchBlock is one json patch operation block. @@ -95,22 +102,23 @@ spec: description: Name of the cluster to match. type: string origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. + description: |- + Origin is the name of the component or plugin that generated the resource. + + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. ingress - resources generated for Zone Ingress. egress - resources generated for Zone Egress. gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." + + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. type: string type: object operation: 
@@ -128,14 +136,14 @@ spec: - operation type: object httpFilter: - description: HTTPFilter is a modification of Envoy HTTP - Filter available in HTTP Connection Manager in a Listener - resource. + description: |- + HTTPFilter is a modification of Envoy HTTP Filter + available in HTTP Connection Manager in a Listener resource. properties: jsonPatches: - description: JsonPatches specifies list of jsonpatches - to apply to on Envoy's HTTP Filter available in HTTP - Connection Manager in a Listener resource. + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + HTTP Filter available in HTTP Connection Manager in a Listener resource. items: description: JsonPatchBlock is one json patch operation block. 
@@ -182,22 +190,23 @@ spec: "envoy.filters.http.local_ratelimit" type: string origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. + description: |- + Origin is the name of the component or plugin that generated the resource. + + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. ingress - resources generated for Zone Ingress. egress - resources generated for Zone Egress. gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." + + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. type: string type: object operation: @@ -222,8 +231,9 @@ spec: resource. properties: jsonPatches: - description: JsonPatches specifies list of jsonpatches - to apply to on Envoy's Listener resource + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Listener + resource items: description: JsonPatchBlock is one json patch operation block. 
@@ -261,22 +271,23 @@ spec: description: Name of the listener to match. type: string origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. + description: |- + Origin is the name of the component or plugin that generated the resource. + + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. ingress - resources generated for Zone Ingress. egress - resources generated for Zone Egress. gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." + + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. type: string tags: additionalProperties: @@ -303,8 +314,9 @@ spec: filter. properties: jsonPatches: - description: JsonPatches specifies list of jsonpatches - to apply to on Envoy Listener's filter. + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy Listener's + filter. items: description: JsonPatchBlock is one json patch operation block. 
@@ -351,22 +363,23 @@ spec: "envoy.filters.network.ratelimit" type: string origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. + description: |- + Origin is the name of the component or plugin that generated the resource. + + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. ingress - resources generated for Zone Ingress. egress - resources generated for Zone Egress. gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." + + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. type: string type: object operation: 
@@ -387,12 +400,14 @@ spec: - operation type: object virtualHost: - description: VirtualHost is a modification of Envoy's VirtualHost + description: |- + VirtualHost is a modification of Envoy's VirtualHost referenced in HTTP Connection Manager in a Listener resource. properties: jsonPatches: - description: JsonPatches specifies list of jsonpatches - to apply to on Envoy's VirtualHost resource + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + VirtualHost resource items: description: JsonPatchBlock is one json patch operation block. 
@@ -430,22 +445,23 @@ spec: description: Name of the VirtualHost to match. type: string origin: - description: "Origin is the name of the component - or plugin that generated the resource. \n Here - is the list of well-known origins: inbound - resources - generated for handling incoming traffic. outbound - - resources generated for handling outgoing traffic. - transparent - resources generated for transparent - proxy functionality. prometheus - resources generated - when Prometheus metrics are enabled. direct-access - - resources generated for Direct Access functionality. + description: |- + Origin is the name of the component or plugin that generated the resource. + + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. ingress - resources generated for Zone Ingress. egress - resources generated for Zone Egress. gateway - resources generated for MeshGateway. - \n The list is not complete, because policy plugins - can introduce new resources. For example MeshTrace - plugin can create Cluster with \"mesh-trace\" - origin." + + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. type: string routeConfigurationName: description: Name of the RouteConfiguration resource 
@@ -473,9 +489,10 @@ spec: - appendModifications type: object targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource @@ -492,14 +509,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml b/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml index abfd51f34..1be95be73 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshratelimits.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshratelimits.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -48,16 +53,18 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' properties: local: description: LocalConf defines local http or/and tcp rate limit configuration properties: http: - description: LocalHTTP defines confguration of local - HTTP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + description: |- + LocalHTTP defines confguration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter properties: disabled: description: Define if rate limiting should be disabled. @@ -124,9 +131,9 @@ spec: is accounted for. type: string num: - description: Number of units per interval (depending - on usage it can be a number of requests, or - a number of connections). + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). format: int32 type: integer required: @@ -135,8 +142,9 @@ spec: type: object type: object tcp: - description: LocalTCP defines confguration of local - TCP rate limiting https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter properties: connectionRate: description: Defines how many connections are allowed 
@@ -147,9 +155,9 @@ spec: is accounted for. type: string num: - description: Number of units per interval (depending - on usage it can be a number of requests, or - a number of connections). + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). format: int32 type: integer required: @@ -157,15 +165,17 @@ spec: - num type: object disabled: - description: 'Define if rate limiting should be - disabled. Default: false' + description: |- + Define if rate limiting should be disabled. + Default: false type: boolean type: object type: object type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. + description: |- + TargetRef is a reference to the resource that represents a group of + clients. properties: kind: description: Kind of the referenced resource @@ -182,15 +192,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: 
@@ -198,9 +220,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource 
@@ -217,16 +240,201 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines confguration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. 
+ type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). 
+ format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshServiceSubset + - MeshHTTPRoute + type: string + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array required: - targetRef type: object diff --git a/charts/kuma/kuma/crds/kuma.io_meshretries.yaml b/charts/kuma/kuma/crds/kuma.io_meshretries.yaml index d724395a3..307a44326 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshretries.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshretries.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshretries.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43,9 +48,10 @@ spec: description: Spec is the specification of the Kuma MeshRetry resource. properties: targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource 
@@ -62,14 +68,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: 
@@ -78,63 +97,63 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' properties: grpc: description: GRPC defines a configuration of retries for GRPC traffic properties: backOff: - description: BackOff is a configuration of durations - which will be used in exponential backoff strategy - between retries. + description: |- + BackOff is a configuration of durations which will be used in an exponential + backoff strategy between retries. properties: baseInterval: - description: BaseInterval is an amount of time which - should be taken between retries. Must be greater - than zero. Values less than 1 ms are rounded up - to 1 ms. Default is 25ms. + default: 25ms + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. type: string maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 10 times the "BaseInterval". + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". type: string type: object numRetries: - description: NumRetries is the number of attempts that - will be made on failed (and retriable) requests. + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. format: int32 type: integer perTryTimeout: - description: PerTryTimeout is the amount of time after - which retry attempt should timeout. Setting this timeout - to 0 will disable it. Default is 15s. + description: |- + PerTryTimeout is the maximum amount of time each retry attempt can take + before it times out. 
If not set, the global request timeout for the route + will be used. Setting this value to 0 will disable the per-try timeout. type: string rateLimitedBackOff: - description: RateLimitedBackOff is a configuration of - backoff which will be used when the upstream returns - one of the headers configured. + description: |- + RateLimitedBackOff is a configuration of backoff which will be used when + the upstream returns one of the headers configured. properties: maxInterval: + default: 300s description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 300 seconds. + time which will be taken between retries. type: string resetHeaders: - description: ResetHeaders specifies the list of - headers (like Retry-After or X-RateLimit-Reset) - to match against the response. Headers are tried - in order, and matched case-insensitive. The first - header to be parsed successfully is used. If no - headers match the default exponential BackOff - is used instead. + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. items: properties: format: - description: The format of the reset header, - either Seconds or UnixTimestamp. + description: The format of the reset header. enum: - Seconds - UnixTimestamp 
@@ -152,10 +171,21 @@ spec: type: array type: object retryOn: - description: 'RetryOn is a list of conditions which - will cause a retry. Available values are: [Canceled, - DeadlineExceeded, Internal, ResourceExhausted, Unavailable].' + description: RetryOn is a list of conditions which will + cause a retry. + example: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable items: + enum: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable type: string type: array type: object 
@@ -164,45 +194,47 @@ spec: HTTP traffic properties: backOff: - description: BackOff is a configuration of durations - which will be used in exponential backoff strategy - between retries + description: |- + BackOff is a configuration of durations which will be used in exponential + backoff strategy between retries. properties: baseInterval: - description: BaseInterval is an amount of time which - should be taken between retries. Must be greater - than zero. Values less than 1 ms are rounded up - to 1 ms. Default is 25ms. + default: 25ms + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. type: string maxInterval: - description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 10 times the "BaseInterval". + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". type: string type: object hostSelection: - description: HostSelection is a list of predicates that - dictate how hosts should be selected when requests - are retried. + description: |- + HostSelection is a list of predicates that dictate how hosts should be selected + when requests are retried. items: properties: predicate: description: Type is requested predicate mode. - Available values are OmitPreviousHosts, OmitHostsWithTags, - and OmitPreviousPriorities. + enum: + - OmitPreviousHosts + - OmitHostsWithTags + - OmitPreviousPriorities type: string tags: additionalProperties: type: string - description: Tags is a map of metadata to match - against for selecting the omitted hosts. Required - if Type is OmitHostsWithTags + description: |- + Tags is a map of metadata to match against for selecting the omitted hosts. 
Required if Type is + OmitHostsWithTags type: object updateFrequency: - description: UpdateFrequency is how often the - priority load should be updated based on previously - attempted priorities. Used for OmitPreviousPriorities. - Default is 2 if not set. + default: 2 + description: |- + UpdateFrequency is how often the priority load should be updated based on previously attempted priorities. + Used for OmitPreviousPriorities. format: int32 type: integer required: 
@@ -210,46 +242,46 @@ spec: type: object type: array hostSelectionMaxAttempts: - description: HostSelectionMaxAttempts is the maximum - number of times host selection will be reattempted - before giving up, at which point the host that was - last selected will be routed to. If unspecified, this - will default to retrying once. + description: |- + HostSelectionMaxAttempts is the maximum number of times host selection will be + reattempted before giving up, at which point the host that was last selected will + be routed to. If unspecified, this will default to retrying once. format: int64 type: integer numRetries: - description: NumRetries is the number of attempts that - will be made on failed (and retriable) requests + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. format: int32 type: integer perTryTimeout: - description: PerTryTimeout is the amount of time after - which retry attempt should timeout. Setting this timeout - to 0 will disable it. Default is 15s. + description: |- + PerTryTimeout is the amount of time after which retry attempt should time out. + If left unspecified, the global route timeout for the request will be used. + Consequently, when using a 5xx based retry policy, a request that times out + will not be retried as the total timeout budget would have been exhausted. + Setting this timeout to 0 will disable it. type: string rateLimitedBackOff: - description: RateLimitedBackOff is a configuration of - backoff which will be used when the upstream returns - one of the headers configured. + description: |- + RateLimitedBackOff is a configuration of backoff which will be used + when the upstream returns one of the headers configured. properties: maxInterval: + default: 300s description: MaxInterval is a maximal amount of - time which will be taken between retries. Default - is 300 seconds. + time which will be taken between retries. 
type: string resetHeaders: - description: ResetHeaders specifies the list of - headers (like Retry-After or X-RateLimit-Reset) - to match against the response. Headers are tried - in order, and matched case-insensitive. The first - header to be parsed successfully is used. If no - headers match the default exponential BackOff - is used instead. + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. items: properties: format: - description: The format of the reset header, - either Seconds or UnixTimestamp. + description: The format of the reset header. enum: - Seconds - UnixTimestamp @@ -267,18 +299,18 @@ spec: type: array type: object retriableRequestHeaders: - description: RetriableRequestHeaders is an HTTP headers - which must be present in the request for retries to - be attempted. + description: |- + RetriableRequestHeaders is an HTTP headers which must be present in the request + for retries to be attempted. items: - description: HeaderMatch describes how to select an - HTTP route by matching HTTP request headers. + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. properties: name: - description: Name is the name of the HTTP Header - to be matched. Name MUST be lower case as they - will be handled with case insensitivity (See - https://tools.ietf.org/html/rfc7230#section-3.2). + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). maxLength: 256 minLength: 1 pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ 
@@ -303,19 +335,19 @@ spec: type: object type: array retriableResponseHeaders: - description: RetriableResponseHeaders is an HTTP response - headers that trigger a retry if present in the response. - A retry will be triggered if any of the header matches - match the upstream response headers. + description: |- + RetriableResponseHeaders is an HTTP response headers that trigger a retry + if present in the response. A retry will be triggered if any of the header + matches the upstream response headers. items: - description: HeaderMatch describes how to select an - HTTP route by matching HTTP request headers. + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. properties: name: - description: Name is the name of the HTTP Header - to be matched. Name MUST be lower case as they - will be handled with case insensitivity (See - https://tools.ietf.org/html/rfc7230#section-3.2). + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). maxLength: 256 minLength: 1 pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ 
@@ -340,13 +372,33 @@ spec: type: object type: array retryOn: - description: 'RetryOn is a list of conditions which - will cause a retry. Available values are: [5XX, GatewayError, - Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited, - RefusedStream, Http3PostConnectFailure, HttpMethodConnect, - HttpMethodDelete, HttpMethodGet, HttpMethodHead, HttpMethodOptions, - HttpMethodPatch, HttpMethodPost, HttpMethodPut, HttpMethodTrace]. - Also, any HTTP status code (500, 503, etc).' + description: |- + RetryOn is a list of conditions which will cause a retry. Available values are: + [5XX, GatewayError, Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited, + RefusedStream, Http3PostConnectFailure, HttpMethodConnect, HttpMethodDelete, + HttpMethodGet, HttpMethodHead, HttpMethodOptions, HttpMethodPatch, + HttpMethodPost, HttpMethodPut, HttpMethodTrace]. + Also, any HTTP status code (500, 503, etc.). + example: + - 5XX + - GatewayError + - Reset + - Retriable4xx + - ConnectFailure + - EnvoyRatelimited + - RefusedStream + - Http3PostConnectFailure + - HttpMethodConnect + - HttpMethodDelete + - HttpMethodGet + - HttpMethodHead + - HttpMethodOptions + - HttpMethodPatch + - HttpMethodPost + - HttpMethodPut + - HttpMethodTrace + - "500" + - "503" items: type: string type: array @@ -356,16 +408,17 @@ spec: TCP traffic properties: maxConnectAttempt: - description: MaxConnectAttempt is a maximal amount of - TCP connection attempts which will be made before - giving up + description: |- + MaxConnectAttempt is a maximal amount of TCP connection attempts + which will be made before giving up format: int32 type: integer type: object type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -382,15 +435,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml b/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml index 1bc3081aa..962413f0d 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtcproutes.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshtcproutes.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -43,9 +48,10 @@ spec: description: Spec is the specification of the Kuma MeshTCPRoute resource. properties: targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined in-place. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. properties: kind: description: Kind of the referenced resource 
@@ -62,29 +68,45 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: - description: To list makes a match between the consumed services and - corresponding configurations + description: |- + To list makes a match between the consumed services and corresponding + configurations items: properties: rules: - description: Rules contains the routing rules applies to a combination - of top-level targetRef and the targetRef in this entry. + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. items: properties: default: - description: Default holds routing rules that can be merged - with rules from other policies. + description: |- + Default holds routing rules that can be merged with rules from other + policies. properties: backendRefs: items: 
@@ -106,15 +128,26 @@ spec: to identify cross mesh resources. type: string name: - description: 'Name of the referenced resource. - Can only be used with kinds: `MeshService`, - `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of - proxies by tags. Can only be used with kinds + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` type: object weight: @@ -133,8 +166,9 @@ spec: maxItems: 1 type: array targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -151,15 +185,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml b/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml index c55e957a8..57f875b39 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtimeouts.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshtimeouts.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object @@ -48,12 +53,13 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' properties: connectionTimeout: - description: ConnectionTimeout specifies the amount of time - proxy will wait for an TCP connection to be established. + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. Default value is 5 seconds. Cannot be set to 0. type: string http: 
@@ -61,42 +67,47 @@ spec: timeouts properties: maxConnectionDuration: - description: MaxConnectionDuration is the time after - which a connection will be drained and/or closed, - starting from when it was first established. Setting - this timeout to 0 will disable it. Disabled by default. + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. type: string maxStreamDuration: - description: MaxStreamDuration is the maximum time that - a stream’s lifetime will span. Setting this timeout - to 0 will disable it. Disabled by default. + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. type: string requestTimeout: - description: RequestTimeout The amount of time that - proxy will wait for the entire request to be received. - The timer is activated when the request is initiated, - and is disarmed when the last byte of the request - is sent, OR when the response is initiated. Setting - this timeout to 0 will disable it. Default is 15s. + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. 
type: string streamIdleTimeout: - description: StreamIdleTimeout is the amount of time - that proxy will allow a stream to exist with no activity. - Setting this timeout to 0 will disable it. Default - is 30m + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m type: string type: object idleTimeout: - description: IdleTimeout is defined as the period in which - there are no bytes sent or received on connection Setting - this timeout to 0 will disable it. Be cautious when disabling - it because it can lead to connection leaking. Default - value is 1h. + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. type: string type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. + description: |- + TargetRef is a reference to the resource that represents a group of + clients. properties: kind: description: Kind of the referenced resource 
@@ -113,15 +124,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: @@ -129,9 +152,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource 
@@ -148,14 +172,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object to: @@ -164,12 +201,13 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of destinations referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' properties: connectionTimeout: - description: ConnectionTimeout specifies the amount of time - proxy will wait for an TCP connection to be established. + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. Default value is 5 seconds. Cannot be set to 0. type: string http: 
@@ -177,42 +215,47 @@ spec: timeouts properties: maxConnectionDuration: - description: MaxConnectionDuration is the time after - which a connection will be drained and/or closed, - starting from when it was first established. Setting - this timeout to 0 will disable it. Disabled by default. + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. type: string maxStreamDuration: - description: MaxStreamDuration is the maximum time that - a stream’s lifetime will span. Setting this timeout - to 0 will disable it. Disabled by default. + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. type: string requestTimeout: - description: RequestTimeout The amount of time that - proxy will wait for the entire request to be received. - The timer is activated when the request is initiated, - and is disarmed when the last byte of the request - is sent, OR when the response is initiated. Setting - this timeout to 0 will disable it. Default is 15s. + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. 
type: string streamIdleTimeout: - description: StreamIdleTimeout is the amount of time - that proxy will allow a stream to exist with no activity. - Setting this timeout to 0 will disable it. Default - is 30m + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m type: string type: object idleTimeout: - description: IdleTimeout is defined as the period in which - there are no bytes sent or received on connection Setting - this timeout to 0 will disable it. Be cautious when disabling - it because it can lead to connection leaking. Default - value is 1h. + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. type: string type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of destinations. + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. properties: kind: description: Kind of the referenced resource 
@@ -229,15 +272,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml b/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml index 0e8b08c9d..ad47f508c 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtraces.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshtraces.kuma.io spec: group: kuma.io 
@@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -46,10 +51,11 @@ spec: description: MeshTrace configuration. properties: backends: - description: A one element array of backend definition. Envoy - allows configuring only 1 backend, so the natural way of representing - that would be just one object. Unfortunately due to the reasons - explained in MADR 009-tracing-policy this has to be a one element + description: |- + A one element array of backend definition. + Envoy allows configuring only 1 backend, so the natural way of + representing that would be just one object. Unfortunately due to the + reasons explained in MADR 009-tracing-policy this has to be a one element array for now. items: description: Only one of zipkin, datadog or openTelemetry can @@ -59,17 +65,18 @@ spec: description: Datadog backend configuration. properties: splitService: - description: 'Determines if datadog service name should - be split based on traffic direction and destination. - For example, with `splitService: true` and a `backend` - service that communicates with a couple of databases, - you would get service names like `backend_INBOUND`, - `backend_OUTBOUND_db1`, and `backend_OUTBOUND_db2` - in Datadog. Default: false' + default: false + description: |- + Determines if datadog service name should be split based on traffic + direction and destination. For example, with `splitService: true` and a + `backend` service that communicates with a couple of databases, you would + get service names like `backend_INBOUND`, `backend_OUTBOUND_db1`, and + `backend_OUTBOUND_db2` in Datadog. type: boolean url: - description: Address of Datadog collector, only host - and port are allowed (no paths, fragments etc.) + description: |- + Address of Datadog collector, only host and port are allowed (no paths, + fragments etc.) type: string required: - url 
@@ -96,18 +103,23 @@ spec: properties: apiVersion: default: httpJson - description: 'Version of the API. values: httpJson, - httpProto. Default: httpJson see https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66' + description: |- + Version of the API. + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66 enum: - httpJson - httpProto type: string sharedSpanContext: - description: 'Determines whether client and server spans - will share the same span context. Default: true. https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63' + default: true + description: |- + Determines whether client and server spans will share the same span + context. + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63 type: boolean traceId128bit: - description: 'Generate 128bit traces. Default: false' + default: false + description: Generate 128bit traces. type: boolean url: description: Address of Zipkin collector. 
@@ -118,60 +130,71 @@ spec: required: - type type: object + maxItems: 1 type: array sampling: - description: Sampling configuration. Sampling is the process by - which a decision is made on whether to process/export a span - or not. + description: |- + Sampling configuration. + Sampling is the process by which a decision is made on whether to + process/export a span or not. properties: client: anyOf: - type: integer - type: string - description: 'Target percentage of requests that will be force - traced if the ''x-client-trace-id'' header is set. Default: - 100% Mirror of client_sampling in Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133 - Either int or decimal represented as string.' + default: 100% + description: |- + Target percentage of requests that will be force traced if the + 'x-client-trace-id' header is set. Mirror of client_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133 + Either int or decimal represented as string. x-kubernetes-int-or-string: true overall: anyOf: - type: integer - type: string - description: 'Target percentage of requests will be traced - after all other sampling checks have been applied (client, - force tracing, random sampling). This field functions as - an upper limit on the total configured sampling rate. For - instance, setting client_sampling to 100% but overall_sampling - to 1% will result in only 1% of client requests with the - appropriate headers to be force traced. Default: 100% Mirror - of overall_sampling in Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150 - Either int or decimal represented as string.' 
+ default: 100% + description: |- + Target percentage of requests will be traced + after all other sampling checks have been applied (client, force tracing, + random sampling). This field functions as an upper limit on the total + configured sampling rate. For instance, setting client_sampling to 100% + but overall_sampling to 1% will result in only 1% of client requests with + the appropriate headers to be force traced. Mirror of + overall_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150 + Either int or decimal represented as string. x-kubernetes-int-or-string: true random: anyOf: - type: integer - type: string - description: 'Target percentage of requests that will be randomly - selected for trace generation, if not requested by the client - or not forced. Default: 100% Mirror of random_sampling in - Envoy https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140 - Either int or decimal represented as string.' + default: 100% + description: |- + Target percentage of requests that will be randomly selected for trace + generation, if not requested by the client or not forced. + Mirror of random_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140 + Either int or decimal represented as string. x-kubernetes-int-or-string: true type: object tags: - description: Custom tags configuration. You can add custom tags - to traces based on headers or literal values. + description: |- + Custom tags configuration. You can add custom tags to traces based on + headers or literal values. items: - description: Custom tags configuration. Only one of literal - or header can be used. + description: |- + Custom tags configuration. 
+ Only one of literal or header can be used. properties: header: description: Tag taken from a header. properties: default: - description: Default value to use if header is missing. - If the default is missing and there is no value the - tag will not be included. + description: |- + Default value to use if header is missing. + If the default is missing and there is no value the tag will not be + included. type: string name: description: Name of the header. @@ -191,9 +214,10 @@ spec: type: array type: object targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource @@ -210,14 +234,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: 
diff --git a/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml b/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml index 3ab56942e..65474d719 100644 --- a/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml +++ b/charts/kuma/kuma/crds/kuma.io_meshtrafficpermissions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: meshtrafficpermissions.kuma.io spec: group: kuma.io @@ -28,14 +28,19 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -49,8 +54,9 @@ spec: items: properties: default: - description: Default is a configuration specific to the group - of clients referenced in 'targetRef' + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' properties: action: description: 'Action defines a behavior for the specified @@ -62,8 +68,9 @@ spec: type: string type: object targetRef: - description: TargetRef is a reference to the resource that represents - a group of clients. + description: |- + TargetRef is a reference to the resource that represents a group of + clients. properties: kind: description: Kind of the referenced resource @@ -80,15 +87,27 @@ spec: cross mesh resources. type: string name: - description: 'Name of the referenced resource. Can only - be used with kinds: `MeshService`, `MeshServiceSubset` - and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by - tags. Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: 
@@ -96,9 +115,10 @@ spec: type: object type: array targetRef: - description: TargetRef is a reference to the resource the policy takes - an effect on. The resource could be either a real store object or - virtual resource defined inplace. + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. properties: kind: description: Kind of the referenced resource @@ -115,14 +135,27 @@ spec: mesh resources. type: string name: - description: 'Name of the referenced resource. Can only be used - with kinds: `MeshService`, `MeshServiceSubset` and `MeshGatewayRoute`' + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array tags: additionalProperties: type: string - description: Tags used to select a subset of proxies by tags. - Can only be used with kinds `MeshSubset` and `MeshServiceSubset` + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` type: object type: object required: diff --git a/charts/kuma/kuma/crds/kuma.io_proxytemplates.yaml b/charts/kuma/kuma/crds/kuma.io_proxytemplates.yaml index 111d4450f..7d598fb0c 100644 --- a/charts/kuma/kuma/crds/kuma.io_proxytemplates.yaml +++ b/charts/kuma/kuma/crds/kuma.io_proxytemplates.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: proxytemplates.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_ratelimits.yaml b/charts/kuma/kuma/crds/kuma.io_ratelimits.yaml index cc6fa13fa..458280883 100644 --- a/charts/kuma/kuma/crds/kuma.io_ratelimits.yaml +++ b/charts/kuma/kuma/crds/kuma.io_ratelimits.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: ratelimits.kuma.io spec: group: kuma.io @@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: diff --git a/charts/kuma/kuma/crds/kuma.io_retries.yaml b/charts/kuma/kuma/crds/kuma.io_retries.yaml index 865df1b2f..040efe058 100644 
--- a/charts/kuma/kuma/crds/kuma.io_retries.yaml +++ b/charts/kuma/kuma/crds/kuma.io_retries.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: retries.kuma.io spec: group: kuma.io @@ -21,17 +21,23 @@ spec: openAPIV3Schema: properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string mesh: - description: Mesh is the name of the Kuma mesh this resource belongs to. + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources. type: string metadata: 
diff --git a/charts/kuma/kuma/crds/kuma.io_serviceinsights.yaml b/charts/kuma/kuma/crds/kuma.io_serviceinsights.yaml index 135eaedda..69a4f709b 100644 --- a/charts/kuma/kuma/crds/kuma.io_serviceinsights.yaml +++ b/charts/kuma/kuma/crds/kuma.io_serviceinsights.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.13.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: serviceinsights.kuma.io spec: group: kuma.io 
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_timeouts.yaml b/charts/kuma/kuma/crds/kuma.io_timeouts.yaml
index b2f8b3d60..659998990 100644
--- a/charts/kuma/kuma/crds/kuma.io_timeouts.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_timeouts.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: timeouts.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_trafficlogs.yaml b/charts/kuma/kuma/crds/kuma.io_trafficlogs.yaml
index c74f9a90f..e299ef299 100644
--- a/charts/kuma/kuma/crds/kuma.io_trafficlogs.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_trafficlogs.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: trafficlogs.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_trafficpermissions.yaml b/charts/kuma/kuma/crds/kuma.io_trafficpermissions.yaml
index b9469c8c9..087eecec1 100644
--- a/charts/kuma/kuma/crds/kuma.io_trafficpermissions.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_trafficpermissions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: trafficpermissions.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_trafficroutes.yaml b/charts/kuma/kuma/crds/kuma.io_trafficroutes.yaml
index 1e3158363..6fdb809cf 100644
--- a/charts/kuma/kuma/crds/kuma.io_trafficroutes.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_trafficroutes.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: trafficroutes.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_traffictraces.yaml b/charts/kuma/kuma/crds/kuma.io_traffictraces.yaml
index f85ababd9..7f9832df7 100644
--- a/charts/kuma/kuma/crds/kuma.io_traffictraces.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_traffictraces.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: traffictraces.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_virtualoutbounds.yaml b/charts/kuma/kuma/crds/kuma.io_virtualoutbounds.yaml
index a5fe905e0..c158f29bd 100644
--- a/charts/kuma/kuma/crds/kuma.io_virtualoutbounds.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_virtualoutbounds.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: virtualoutbounds.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_zoneegresses.yaml b/charts/kuma/kuma/crds/kuma.io_zoneegresses.yaml
index b202d0fb8..2dbcea457 100644
--- a/charts/kuma/kuma/crds/kuma.io_zoneegresses.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zoneegresses.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zoneegresses.kuma.io
 spec:
 group: kuma.io
@@ -16,22 +16,33 @@ spec:
 singular: zoneegress
 scope: Namespaced
 versions:
- - name: v1alpha1
+ - additionalPrinterColumns:
+ - description: Zone name
+ jsonPath: .spec.zone
+ name: zone
+ type: string
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
@@ -42,3 +53,4 @@ spec:
 type: object
 served: true
 storage: true
+ subresources: {}
diff --git a/charts/kuma/kuma/crds/kuma.io_zoneegressinsights.yaml b/charts/kuma/kuma/crds/kuma.io_zoneegressinsights.yaml
index 50c7f6864..58a995697 100644
--- a/charts/kuma/kuma/crds/kuma.io_zoneegressinsights.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zoneegressinsights.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zoneegressinsights.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_zoneingresses.yaml b/charts/kuma/kuma/crds/kuma.io_zoneingresses.yaml
index 0754071e2..8f3e83575 100644
--- a/charts/kuma/kuma/crds/kuma.io_zoneingresses.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zoneingresses.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zoneingresses.kuma.io
 spec:
 group: kuma.io
@@ -16,22 +16,33 @@ spec:
 singular: zoneingress
 scope: Namespaced
 versions:
- - name: v1alpha1
+ - additionalPrinterColumns:
+ - description: Zone name
+ jsonPath: .spec.zone
+ name: zone
+ type: string
+ name: v1alpha1
 schema:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
@@ -42,3 +53,4 @@ spec:
 type: object
 served: true
 storage: true
+ subresources: {}
diff --git a/charts/kuma/kuma/crds/kuma.io_zoneingressinsights.yaml b/charts/kuma/kuma/crds/kuma.io_zoneingressinsights.yaml
index 87d2c06ab..66a51ae5f 100644
--- a/charts/kuma/kuma/crds/kuma.io_zoneingressinsights.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zoneingressinsights.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zoneingressinsights.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_zoneinsights.yaml b/charts/kuma/kuma/crds/kuma.io_zoneinsights.yaml
index fa149598a..28e26eaf7 100644
--- a/charts/kuma/kuma/crds/kuma.io_zoneinsights.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zoneinsights.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zoneinsights.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/crds/kuma.io_zones.yaml b/charts/kuma/kuma/crds/kuma.io_zones.yaml
index bcd73a05b..e750c6388 100644
--- a/charts/kuma/kuma/crds/kuma.io_zones.yaml
+++ b/charts/kuma/kuma/crds/kuma.io_zones.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.13.0
+ controller-gen.kubebuilder.io/version: v0.14.0
 name: zones.kuma.io
 spec:
 group: kuma.io
@@ -21,17 +21,23 @@ spec:
 openAPIV3Schema:
 properties:
 apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
- of an object. Servers should convert recognized schemas to the latest
- internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
 type: string
 kind:
- description: 'Kind is a string value representing the REST resource this
- object represents. Servers may infer this from the endpoint the client
- submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
 type: string
 mesh:
- description: Mesh is the name of the Kuma mesh this resource belongs to.
+ description: |-
+ Mesh is the name of the Kuma mesh this resource belongs to. It may be omitted for cluster-scoped resources.
 type: string
 metadata:
diff --git a/charts/kuma/kuma/templates/_helpers.tpl b/charts/kuma/kuma/templates/_helpers.tpl
index b209a99bd..b71b3f8bc 100644
--- a/charts/kuma/kuma/templates/_helpers.tpl
+++ b/charts/kuma/kuma/templates/_helpers.tpl
@@ -217,6 +217,10 @@ env:
 value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }}
 - name: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
 value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }}
+{{- if .Values.dataPlane.dnsLogging }}
+- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
+ value: "true"
+{{- end }}
 - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
 value: /var/run/secrets/kuma.io/tls-cert/ca.crt
 - name: KUMA_DEFAULTS_SKIP_MESH_CREATION
diff --git a/charts/kuma/kuma/templates/cp-deployment.yaml b/charts/kuma/kuma/templates/cp-deployment.yaml
index 5bf073105..61bb2d27f 100644
--- a/charts/kuma/kuma/templates/cp-deployment.yaml
+++ b/charts/kuma/kuma/templates/cp-deployment.yaml
@@ -19,9 +19,7 @@
 {{ fail $msg }}
 {{ end }}
 {{ if eq .Values.controlPlane.mode "zone" }}
- {{ if empty .Values.controlPlane.zone }}
- {{ fail "Can't have controlPlane.zone to be empty when controlPlane.mode=='zone'" }}
- {{ else }}
+ {{ if not (empty .Values.controlPlane.zone) }}
 {{ if gt (len .Values.controlPlane.zone) 253 }}
 {{ fail "controlPlane.zone must be no more than 253 characters" }}
 {{ else }}
@@ -30,9 +28,7 @@
 {{ end }}
 {{ end }}
 {{ end }}
- {{ if empty .Values.controlPlane.kdsGlobalAddress }}
- {{ fail "controlPlane.kdsGlobalAddress can't be empty when controlPlane.mode=='zone', needs to be the global control-plane address" }}
- {{ else }}
+ {{ if not (empty .Values.controlPlane.kdsGlobalAddress) }}
 {{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
 {{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
 {{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
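Review bot: `{{- if .Values.dataPlane.dnsLogging }}` tests Go-template truthiness, so any non-empty string — including a quoted `"false"` from a values file or a `--set-string` override — switches the env var on, while only an unquoted `false`, an empty value or an absent key keeps it off. The flag appears to enable DNS query logging for injected data planes (confirm which component logs), and that is data a cluster operator will not want turned on by a quoting accident, so a stricter test is cheap: `{{- if eq (toString .Values.dataPlane.dnsLogging) "true" }}`. The enclosing `define` and the start of the `env:` list are outside the hunk.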
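Review bot: With both `fail` calls removed, zone mode now renders silently when `controlPlane.zone` is empty, and the second hunk relaxes `controlPlane.kdsGlobalAddress` the same way. Since the values.yaml hunk on the next lines also changes the default `mode` to `"zone"`, a bare `helm install` now produces a zone control plane with no zone name and no global address, which this template used to reject outright. If that is intended (a zone CP that is not yet attached to a global), the values.yaml comments on `zone` and `kdsGlobalAddress` should say the fields are optional and what the CP does without them; otherwise keep one of the guards. The `{{ if eq .Values.controlPlane.mode "zone" }}` block and the `{{ end }}` that now closes each `if not (empty …)` continue outside both hunks.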
diff --git a/charts/kuma/kuma/templates/cp-service.yaml b/charts/kuma/kuma/templates/cp-service.yaml
index ab05755c8..3b9c3e31f 100644
--- a/charts/kuma/kuma/templates/cp-service.yaml
+++ b/charts/kuma/kuma/templates/cp-service.yaml
@@ -6,11 +6,11 @@ metadata:
 namespace: {{ .Release.Namespace }}
 labels: {{ include "kuma.cpLabels" . | nindent 4 }}
 annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "5680"
 {{- range $key, $value := .Values.controlPlane.service.annotations }}
+ {{- if $value }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
+ {{- end }}
 spec:
 type: {{ .Values.controlPlane.service.type }}
 ports:
diff --git a/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml b/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml
index 6d7e4b275..c249ba15d 100644
--- a/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml
+++ b/charts/kuma/kuma/templates/cp-webhooks-and-secrets.yaml
@@ -136,7 +136,7 @@ webhooks:
 values: ["kube-system"]
 - key: kuma.io/sidecar-injection
 operator: In
- values: ["enabled"]
+ values: ["enabled", "true"]
 clientConfig:
 caBundle: {{ $caBundle }}
 service:
@@ -180,30 +180,6 @@ webhooks:
 resources:
 - pods
 sideEffects: None
- - name: kuma-injector.kuma.io
- admissionReviewVersions: ["v1"]
- failurePolicy: Ignore {{/* Failure policy is hardcoded as Ignore because any other mode will cause CP to be unable to start after all instances are down */}}
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: NotIn
- values: ["kube-system"]
- clientConfig:
- caBundle: {{ $caBundle }}
- service:
- namespace: {{ .Release.Namespace }}
- name: {{ include "kuma.controlPlane.serviceName" . }}
- path: /inject-sidecar
- rules:
- - apiGroups:
- - ""
- apiVersions:
- - v1
- operations:
- - CREATE
- resources:
- - pods
- sideEffects: None
 {{- end }}
 ---
 apiVersion: admissionregistration.k8s.io/v1
diff --git a/charts/kuma/kuma/values.yaml b/charts/kuma/kuma/values.yaml
index 3a3a61c22..d2f9a3242 100644
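Review bot: `{{- if $value }}` drops any annotation whose value is falsy in Go-template terms, so an unquoted `false` or `0` under `controlPlane.service.annotations` disappears from the Service instead of rendering as `"false"`/`"0"`, while the quoted forms are kept; that asymmetry is not obvious to users overriding the `prometheus.io/scrape` default that now lives in values.yaml. A one-line template comment would document the contract, e.g. `{{/* falsy values drop the annotation; this is how the prometheus.io defaults from values.yaml can be unset */}}`. If emitting `"false"` is meant to be possible, test explicitly for nil/empty rather than truthiness.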
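Review bot: After this hunk the sidecar-injection webhook fires for namespaces labelled `kuma.io/sidecar-injection` with either `enabled` or `true`, and the following hunk deletes the second `kuma-injector.kuma.io` webhook that intercepted pod creation in every namespace except kube-system; together, pods in namespaces without either label value are no longer presented to the injector at all, so any per-pod opt-in the control plane previously honoured through that path (if it did) now also requires the namespace label. That narrowing of where injection can occur belongs in the chart's upgrade notes. The deleted webhook also carried the only visible `failurePolicy: Ignore` rationale comment; the remaining webhook's `failurePolicy` is outside the hunk, and it is worth confirming it is set deliberately, because `Ignore` means pods are admitted without a sidecar (fail-open for mTLS) while the control plane is unavailable, whereas `Fail` blocks pod creation.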
--- a/charts/kuma/kuma/values.yaml
+++ b/charts/kuma/kuma/values.yaml
@@ -36,8 +36,8 @@ controlPlane:
 # -- Kuma CP log output path: Defaults to /dev/stdout
 logOutputPath: ""
- # -- Kuma CP modes: one of standalone,zone,global
- mode: "standalone"
+ # -- Kuma CP modes: one of zone,global
+ mode: "zone"
 # -- (string) Kuma CP zone, if running multizone
 zone:
@@ -140,8 +140,10 @@ controlPlane:
 # -- Service type of the Kuma Control Plane
 type: ClusterIP
- # -- Additional annotations to put on the Kuma Control Plane
- annotations: { }
+ # -- Annotations to put on the Kuma Control Plane
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "5680"
 # Kuma API and GUI ingress settings. Useful if you want to expose the
 # API and GUI of Kuma outside the k8s cluster.
@@ -381,6 +383,8 @@ cni:
 runAsGroup: 0
 dataPlane:
+ # -- If true, then turn on CoreDNS query logging
+ dnsLogging: false
 image:
 # -- The Kuma DP image repository
 repository: "kuma-dp"
@@ -724,6 +728,7 @@ plugins:
 meshhealthchecks: {}
 meshhttproutes: {}
 meshloadbalancingstrategies: {}
+ meshmetrics: {}
 meshproxypatches: {}
 meshratelimits: {}
 meshretries: {}
diff --git a/charts/loft/loft/Chart.yaml b/charts/loft/loft/Chart.yaml
index 55233c235..d781bde87 100644
--- a/charts/loft/loft/Chart.yaml
+++ b/charts/loft/loft/Chart.yaml
@@ -28,4 +28,4 @@ name: loft
 sources:
 - https://github.com/loft-sh/loft
 type: application
-version: 3.3.3
+version: 3.3.4
diff --git a/charts/metallb/metallb/Chart.lock b/charts/metallb/metallb/Chart.lock
index 425c50fdc..630f1f826 100644
--- a/charts/metallb/metallb/Chart.lock
+++ b/charts/metallb/metallb/Chart.lock
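Review bot: Changing the default `mode` from `"standalone"` to `"zone"` is a breaking change for every install that relied on the default, and the new comment lists only `zone,global` without saying what happens to a values file that still carries `mode: standalone`; whether the template maps it, rejects it or renders something unexpected is not visible here. The comment should state it, e.g. `# -- Kuma CP modes: one of zone,global. "standalone" is no longer listed; see the upgrade notes before upgrading a release that used it.`, and the upgrade notes themselves should spell out the migration.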
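Review bot: The comment `# -- If true, then turn on CoreDNS query logging` in the `dataPlane` hunk does not match what the setting drives: the `_helpers.tpl` hunk on the previous line maps it to `KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING`, i.e. the injector's built-in DNS, not CoreDNS. Whichever component actually logs, the comment should name it and say what the log contains and where it goes, because DNS query logs record every hostname a workload resolves and are both high-volume and sensitive; something like `# -- If true, enable query logging in the built-in DNS of injected data planes (presumably; confirm). High volume and records resolved hostnames; off by default.` would let an operator make an informed choice.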
@@ -1,6 +1,9 @@
 dependencies:
 - name: crds
 repository: ""
- version: 0.13.12
-digest: sha256:bc3d2abdac552d6a886bd1d533eef9a432e5809a0dda4a85c7de4fdf2094cdb0
-generated: "2023-10-20T16:56:55.333731157+02:00"
+ version: 0.14.3
+- name: frr-k8s
+ repository: https://metallb.github.io/frr-k8s
+ version: 0.0.8
+digest: sha256:175725c494156eecae069340d366284a1503fb2977cbe7df0f196b468599a592
+generated: "2024-01-30T17:45:01.476353104+01:00"
diff --git a/charts/metallb/metallb/Chart.yaml b/charts/metallb/metallb/Chart.yaml
index 0d84a1f91..6fafa64f1 100644
--- a/charts/metallb/metallb/Chart.yaml
+++ b/charts/metallb/metallb/Chart.yaml
@@ -5,12 +5,16 @@ annotations:
 catalog.cattle.io/namespace: metallb-system
 catalog.cattle.io/release-name: metallb
 apiVersion: v2
-appVersion: v0.13.12
+appVersion: v0.14.3
 dependencies:
 - condition: crds.enabled
 name: crds
 repository: file://./charts/crds
- version: 0.13.12
+ version: 0.14.3
+- condition: frrk8s.enabled
+ name: frr-k8s
+ repository: file://./charts/frr-k8s
+ version: 0.0.8
 description: A network load-balancer implementation for Kubernetes using standard routing protocols
 home: https://metallb.universe.tf
@@ -20,4 +24,4 @@ name: metallb
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.13.12
+version: 0.14.3
diff --git a/charts/metallb/metallb/README.md b/charts/metallb/metallb/README.md
index 11bbe7d37..fd21de582 100644
--- a/charts/metallb/metallb/README.md
+++ b/charts/metallb/metallb/README.md
@@ -17,6 +17,7 @@ Kubernetes: `>= 1.19.0-0`
 | Repository | Name | Version |
 |------------|------|---------|
 | | crds | 0.0.0 |
+| https://metallb.github.io/frr-k8s | frr-k8s | 0.0.8 |
 ## Values
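Review bot: Chart.lock pins the new `frr-k8s` dependency to `https://metallb.github.io/frr-k8s`, while the Chart.yaml hunk on the same line resolves it as `file://./charts/frr-k8s`; the lock's `digest` is computed over Chart.yaml's dependency list, so the two can only agree if the repository was rewritten after locking, and `helm dependency build` will likely report the lock as out of sync. The vendored `charts/frr-k8s` directory itself is not in this page, so it is worth checking that its contents match the 0.0.8 release the lock names, since that is the code `frrk8s.enabled` turns on. The existing `crds` entry (empty repository in the lock, `file://` in Chart.yaml) shows the same pattern, so this may be deliberate vendoring rather than an error.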
@@ -24,6 +25,7 @@ Kubernetes: `>= 1.19.0-0`
 |-----|------|---------|-------------|
 | controller.affinity | object | `{}` | |
 | controller.enabled | bool | `true` | |
+| controller.extraContainers | list | `[]` | |
 | controller.image.pullPolicy | string | `nil` | |
 | controller.image.repository | string | `"quay.io/metallb/controller"` | |
 | controller.image.tag | string | `nil` | |
@@ -53,9 +55,12 @@ Kubernetes: `>= 1.19.0-0`
 | controller.serviceAccount.create | bool | `true` | |
 | controller.serviceAccount.name | string | `""` | |
 | controller.strategy.type | string | `"RollingUpdate"` | |
+| controller.tlsCipherSuites | string | `""` | |
+| controller.tlsMinVersion | string | `"VersionTLS12"` | |
 | controller.tolerations | list | `[]` | |
 | crds.enabled | bool | `true` | |
 | crds.validationFailurePolicy | string | `"Fail"` | |
+| frrk8s.enabled | bool | `false` | |
 | fullnameOverride | string | `""` | |
 | imagePullSecrets | list | `[]` | |
 | loadBalancerClass | string | `""` | |
@@ -111,6 +116,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.affinity | object | `{}` | |
 | speaker.enabled | bool | `true` | |
 | speaker.excludeInterfaces.enabled | bool | `true` | |
+| speaker.extraContainers | list | `[]` | |
 | speaker.frr.enabled | bool | `true` | |
 | speaker.frr.image.pullPolicy | string | `nil` | |
 | speaker.frr.image.repository | string | `"quay.io/frrouting/frr"` | |
@@ -130,6 +136,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.livenessProbe.timeoutSeconds | int | `1` | |
 | speaker.logLevel | string | `"info"` | Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
 | speaker.memberlist.enabled | bool | `true` | |
+| speaker.memberlist.mlBindAddrOverride | string | `""` | |
 | speaker.memberlist.mlBindPort | int | `7946` | |
 | speaker.memberlist.mlSecretKeyPath | string | `"/etc/ml_secret_key"` | |
 | speaker.nodeSelector | object | `{}` | |
@@ -144,6 +151,7 @@ Kubernetes: `>= 1.19.0-0`
 | speaker.reloader.resources | object | `{}` | |
 | speaker.resources | object | `{}` | |
 | speaker.runtimeClassName | string | `""` | |
+| speaker.securityContext | object | `{}` | |
 | speaker.serviceAccount.annotations | object | `{}` | |
 | speaker.serviceAccount.create | bool | `true` | |
 | speaker.serviceAccount.name | string | `""` | |
diff --git a/charts/metallb/metallb/charts/crds/Chart.yaml b/charts/metallb/metallb/charts/crds/Chart.yaml
index 255ac2b0b..6ee31afc6 100644
--- a/charts/metallb/metallb/charts/crds/Chart.yaml
+++ b/charts/metallb/metallb/charts/crds/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v0.13.12
+appVersion: v0.14.3
 description: MetalLB CRDs
 home: https://metallb.universe.tf
 icon: https://metallb.universe.tf/images/logo/metallb-white.png
@@ -7,4 +7,4 @@ name: crds
 sources:
 - https://github.com/metallb/metallb
 type: application
-version: 0.13.12
+version: 0.14.3
diff --git a/charts/metallb/metallb/charts/crds/templates/crds.yaml b/charts/metallb/metallb/charts/crds/templates/crds.yaml
index 9b415acf9..febfc04c8 100644
--- a/charts/metallb/metallb/charts/crds/templates/crds.yaml
+++ b/charts/metallb/metallb/charts/crds/templates/crds.yaml
@@ -2,220 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: addresspools.metallb.io -spec: - group: metallb.io - names: - kind: AddressPool - listKind: AddressPoolList - plural: addresspools - singular: addresspool - scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1alpha1", "v1beta1"] - clientConfig: - # this is a valid pem format, otherwise the apiserver will reject the deletion of the crds - # with "unable to parse bytes as PEM block", The controller will patch it with the right content after it starts - caBundle: 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 - service: - namespace: {{ .Release.Namespace }} - name: metallb-webhook-service - path: /convert - versions: - - deprecated: true - deprecationWarning: metallb.io v1alpha1 AddressPool is deprecated - name: v1alpha1 - schema: - openAPIV3Schema: - description: AddressPool is the Schema for the addresspools API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AddressPoolSpec defines the desired state of AddressPool. - properties: - addresses: - description: A list of IP address ranges over which MetalLB has authority. 
- You can list multiple ranges in a single pool, they will all share - the same settings. Each range can be either a CIDR prefix, or an - explicit start-end range of IPs. - items: - type: string - type: array - autoAssign: - default: true - description: AutoAssign flag used to prevent MetallB from automatic - allocation for a pool. - type: boolean - bgpAdvertisements: - description: When an IP is allocated from this pool, how should it - be translated into BGP announcements? - items: - properties: - aggregationLength: - default: 32 - description: The aggregation-length advertisement option lets - you “roll up” the /32s into a larger prefix. - format: int32 - minimum: 1 - type: integer - aggregationLengthV6: - default: 128 - description: Optional, defaults to 128 (i.e. no aggregation) - if not specified. - format: int32 - type: integer - communities: - description: BGP communities - items: - type: string - type: array - localPref: - description: BGP LOCAL_PREF attribute which is used by BGP best - path algorithm, Path with higher localpref is preferred over - one with lower localpref. - format: int32 - type: integer - type: object - type: array - protocol: - description: Protocol can be used to select how the announcement is - done. - enum: - - layer2 - - bgp - type: string - required: - - addresses - - protocol - type: object - status: - description: AddressPoolStatus defines the observed state of AddressPool. - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} - - deprecated: true - deprecationWarning: metallb.io v1beta1 AddressPool is deprecated, consider using - IPAddressPool - name: v1beta1 - schema: - openAPIV3Schema: - description: AddressPool represents a pool of IP addresses that can be allocated - to LoadBalancer services. AddressPool is deprecated and being replaced by - IPAddressPool. 
- properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AddressPoolSpec defines the desired state of AddressPool. - properties: - addresses: - description: A list of IP address ranges over which MetalLB has authority. - You can list multiple ranges in a single pool, they will all share - the same settings. Each range can be either a CIDR prefix, or an - explicit start-end range of IPs. - items: - type: string - type: array - autoAssign: - default: true - description: AutoAssign flag used to prevent MetallB from automatic - allocation for a pool. - type: boolean - bgpAdvertisements: - description: Drives how an IP allocated from this pool should translated - into BGP announcements. - items: - properties: - aggregationLength: - default: 32 - description: The aggregation-length advertisement option lets - you “roll up” the /32s into a larger prefix. - format: int32 - minimum: 1 - type: integer - aggregationLengthV6: - default: 128 - description: Optional, defaults to 128 (i.e. no aggregation) - if not specified. - format: int32 - type: integer - communities: - description: BGP communities to be associated with the given - advertisement. 
- items: - type: string - type: array - localPref: - description: BGP LOCAL_PREF attribute which is used by BGP best - path algorithm, Path with higher localpref is preferred over - one with lower localpref. - format: int32 - type: integer - type: object - type: array - protocol: - description: Protocol can be used to select how the announcement is - done. - enum: - - layer2 - - bgp - type: string - required: - - addresses - - protocol - type: object - status: - description: AddressPoolStatus defines the observed state of AddressPool. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: bfdprofiles.metallb.io spec: 
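Review bot: Removing the whole `addresspools.metallb.io` CustomResourceDefinition from this template has an upgrade side effect the commit does not call out: because the CRD is rendered from `charts/crds/templates/` rather than installed from a `crds/` directory, Helm treats it as an ordinary release resource and deletes it when it vanishes from the manifest, and deleting a CRD removes every remaining `AddressPool` object with it. The removed metadata shows no `helm.sh/resource-policy: keep` annotation, so nothing guards against that. A note in the chart README or NOTES asking operators to migrate `AddressPool` to `IPAddressPool` before upgrading (the deprecation warnings on the removed side already point there) would make the path explicit.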
@@ -227,95 +14,86 @@ spec: singular: bfdprofile scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: BFDProfile represents the settings of the bfd session that can - be optionally associated with a BGP session. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BFDProfileSpec defines the desired state of BFDProfile. - properties: - detectMultiplier: - description: Configures the detection multiplier to determine packet - loss. The remote transmission interval will be multiplied by this - value to determine the connection loss detection timer. - format: int32 - maximum: 255 - minimum: 2 - type: integer - echoInterval: - description: Configures the minimal echo receive transmission interval - that this system is capable of handling in milliseconds. Defaults - to 50ms - format: int32 - maximum: 60000 - minimum: 10 - type: integer - echoMode: - description: Enables or disables the echo transmission mode. This - mode is disabled by default, and not supported on multi hops setups. - type: boolean - minimumTtl: - description: 'For multi hop sessions only: configure the minimum expected - TTL for an incoming BFD control packet.' 
- format: int32 - maximum: 254 - minimum: 1 - type: integer - passiveMode: - description: 'Mark session as passive: a passive session will not - attempt to start the connection and will wait for control packets - from peer before it begins replying.' - type: boolean - receiveInterval: - description: The minimum interval that this system is capable of receiving - control packets in milliseconds. Defaults to 300ms. - format: int32 - maximum: 60000 - minimum: 10 - type: integer - transmitInterval: - description: The minimum transmission interval (less jitter) that - this system wants to use to send BFD control packets in milliseconds. - Defaults to 300ms - format: int32 - maximum: 60000 - minimum: 10 - type: integer - type: object - status: - description: BFDProfileStatus defines the observed state of BFDProfile. - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + - additionalPrinterColumns: + - jsonPath: .spec.passiveMode + name: Passive Mode + type: boolean + - jsonPath: .spec.transmitInterval + name: Transmit Interval + type: integer + - jsonPath: .spec.receiveInterval + name: Receive Interval + type: integer + - jsonPath: .spec.detectMultiplier + name: Multiplier + type: integer + name: v1beta1 + schema: + openAPIV3Schema: + description: BFDProfile represents the settings of the bfd session that can be optionally associated with a BGP session. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. 
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BFDProfileSpec defines the desired state of BFDProfile. + properties: + detectMultiplier: + description: Configures the detection multiplier to determine packet loss. The remote transmission interval will be multiplied by this value to determine the connection loss detection timer. + format: int32 + maximum: 255 + minimum: 2 + type: integer + echoInterval: + description: Configures the minimal echo receive transmission interval that this system is capable of handling in milliseconds. Defaults to 50ms + format: int32 + maximum: 60000 + minimum: 10 + type: integer + echoMode: + description: Enables or disables the echo transmission mode. This mode is disabled by default, and not supported on multi hops setups. + type: boolean + minimumTtl: + description: 'For multi hop sessions only: configure the minimum expected TTL for an incoming BFD control packet.' + format: int32 + maximum: 254 + minimum: 1 + type: integer + passiveMode: + description: 'Mark session as passive: a passive session will not attempt to start the connection and will wait for control packets from peer before it begins replying.' + type: boolean + receiveInterval: + description: The minimum interval that this system is capable of receiving control packets in milliseconds. Defaults to 300ms. + format: int32 + maximum: 60000 + minimum: 10 + type: integer + transmitInterval: + description: The minimum transmission interval (less jitter) that this system wants to use to send BFD control packets in milliseconds. Defaults to 300ms + format: int32 + maximum: 60000 + minimum: 10 + type: integer + type: object + status: + description: BFDProfileStatus defines the observed state of BFDProfile. 
+ type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: bgpadvertisements.metallb.io spec: 
@@ -327,196 +105,164 @@ spec: singular: bgpadvertisement scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: BGPAdvertisement allows to advertise the IPs coming from the - selected IPAddressPools via BGP, setting the parameters of the BGP Advertisement. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement. - properties: - aggregationLength: - default: 32 - description: The aggregation-length advertisement option lets you - “roll up” the /32s into a larger prefix. Defaults to 32. Works for - IPv4 addresses. - format: int32 - minimum: 1 - type: integer - aggregationLengthV6: - default: 128 - description: The aggregation-length advertisement option lets you - “roll up” the /128s into a larger prefix. Defaults to 128. Works - for IPv6 addresses. - format: int32 - type: integer - communities: - description: The BGP communities to be associated with the announcement. - Each item can be a community of the form 1234:1234 or the name of - an alias defined in the Community CRD. - items: - type: string - type: array - ipAddressPoolSelectors: - description: A selector for the IPAddressPools which would get advertised - via this advertisement. 
If no IPAddressPool is selected by this - or by the list, the advertisement is applied to all the IPAddressPools. - items: - description: A label selector is a label query over a set of resources. - The result of matchLabels and matchExpressions are ANDed. An empty - label selector matches all objects. A null label selector matches - no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: + - additionalPrinterColumns: + - jsonPath: .spec.ipAddressPools + name: IPAddressPools + type: string + - jsonPath: .spec.ipAddressPoolSelectors + name: IPAddressPool Selectors + type: string + - jsonPath: .spec.peers + name: Peers + type: string + - jsonPath: .spec.nodeSelectors + name: Node Selectors + priority: 10 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: BGPAdvertisement allows to advertise the IPs coming from the selected IPAddressPools via BGP, setting the parameters of the BGP Advertisement. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPAdvertisementSpec defines the desired state of BGPAdvertisement. + properties: + aggregationLength: + default: 32 + description: The aggregation-length advertisement option lets you “roll up” the /32s into a larger prefix. Defaults to 32. Works for IPv4 addresses. + format: int32 + minimum: 1 + type: integer + aggregationLengthV6: + default: 128 + description: The aggregation-length advertisement option lets you “roll up” the /128s into a larger prefix. Defaults to 128. Works for IPv6 addresses. + format: int32 + type: integer + communities: + description: The BGP communities to be associated with the announcement. Each item can be a standard community of the form 1234:1234, a large community of the form large:1234:1234:1234 or the name of an alias defined in the Community CRD. + items: + type: string + type: array + ipAddressPoolSelectors: + description: A selector for the IPAddressPools which would get advertised via this advertisement. If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools. + items: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
+ items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - type: array - ipAddressPools: - description: The list of IPAddressPools to advertise via this advertisement, - selected by name. - items: - type: string - type: array - localPref: - description: The BGP LOCAL_PREF attribute which is used by BGP best - path algorithm, Path with higher localpref is preferred over one - with lower localpref. - format: int32 - type: integer - nodeSelectors: - description: NodeSelectors allows to limit the nodes to announce as - next hops for the LoadBalancer IP. When empty, all the nodes having are - announced as next hops. - items: - description: A label selector is a label query over a set of resources. - The result of matchLabels and matchExpressions are ANDed. An empty - label selector matches all objects. A null label selector matches - no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. 
Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. type: string - type: array - required: - - key - - operator + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - type: array - peers: - description: Peers limits the bgppeer to advertise the ips of the - selected pools to. When empty, the loadbalancer IP is announced - to all the BGPPeers configured. - items: - type: string - type: array - type: object - status: - description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement. 
- type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + type: object + x-kubernetes-map-type: atomic + type: array + ipAddressPools: + description: The list of IPAddressPools to advertise via this advertisement, selected by name. + items: + type: string + type: array + localPref: + description: The BGP LOCAL_PREF attribute which is used by BGP best path algorithm, Path with higher localpref is preferred over one with lower localpref. + format: int32 + type: integer + nodeSelectors: + description: NodeSelectors allows to limit the nodes to announce as next hops for the LoadBalancer IP. When empty, all the nodes having are announced as next hops. + items: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + peers: + description: Peers limits the bgppeer to advertise the ips of the selected pools to. When empty, the loadbalancer IP is announced to all the BGPPeers configured. + items: + type: string + type: array + type: object + status: + description: BGPAdvertisementStatus defines the observed state of BGPAdvertisement. + type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: bgppeers.metallb.io spec: + conversion: + strategy: Webhook + webhook: + clientConfig: + caBundle: 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 + service: + name: webhook-service + namespace: {{ .Release.Namespace }} + path: /convert + conversionReviewVersions: + - v1beta1 + - v1beta2 group: metallb.io names: kind: BGPPeer 
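Review bot: The new conversion webhook added for `bgppeers.metallb.io` points at `service.name: webhook-service`, whereas the block it replaces (removed at the top of the following hunk, and likewise for the deleted AddressPool CRD) used `metallb-webhook-service`; nothing in this diff renames that Service, so confirm a Service named `webhook-service` is rendered in `{{ .Release.Namespace }}`, otherwise `v1beta1`/`v1beta2` conversion requests fail at the API server. The removed side also carried the comment explaining that the `caBundle` value is a syntactically valid placeholder the controller overwrites after start-up; keeping that explanation next to the new `caBundle` line, e.g. `# placeholder PEM so the apiserver accepts the CRD; the controller patches in the real CA bundle once it starts`, would stop a future reader from treating the value as a real trust anchor.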
@@ -524,654 +270,255 @@ spec: plural: bgppeers singular: bgppeer scope: Namespaced - conversion: - strategy: Webhook - webhook: - conversionReviewVersions: ["v1beta1", "v1beta2"] - clientConfig: - # this is a valid pem format, otherwise the apiserver will reject the deletion of the crds - # with "unable to parse bytes as PEM block", The controller will patch it with the right content after it starts - caBundle: 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 - service: - namespace: {{ .Release.Namespace }} - name: metallb-webhook-service - path: /convert versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: BGPPeer is the Schema for the peers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPPeerSpec defines the desired state of Peer. - properties: - bfdProfile: - type: string - ebgpMultiHop: - description: EBGP peer is multi-hops away - type: boolean - holdTime: - description: Requested BGP hold time, per RFC4271. - type: string - keepaliveTime: - description: Requested BGP keepalive time, per RFC4271. - type: string - myASN: - description: AS number to use for the local end of the session. 
- format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - nodeSelectors: - description: Only connect to this peer on nodes that match one of - these selectors. - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - minItems: 1 - type: array - required: - - key - - operator - - values - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - type: array - password: - description: Authentication password for routers enforcing TCP MD5 - authenticated sessions - type: string - peerASN: - description: AS number to expect from the remote end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - peerAddress: - description: Address to dial when establishing the session. - type: string - peerPort: - description: Port to dial when establishing the session. - maximum: 16384 - minimum: 0 - type: integer - routerID: - description: BGP router ID to advertise to the peer - type: string - sourceAddress: - description: Source address to use when establishing the session. - type: string - required: - - myASN - - peerASN - - peerAddress - type: object - status: - description: BGPPeerStatus defines the observed state of Peer. - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta2 - schema: - openAPIV3Schema: - description: BGPPeer is the Schema for the peers API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. 
Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: BGPPeerSpec defines the desired state of Peer. - properties: - bfdProfile: - description: The name of the BFD Profile to be used for the BFD session - associated to the BGP session. If not set, the BFD session won't - be set up. - type: string - ebgpMultiHop: - description: To set if the BGPPeer is multi-hops away. Needed for - FRR mode only. - type: boolean - holdTime: - description: Requested BGP hold time, per RFC4271. - type: string - keepaliveTime: - description: Requested BGP keepalive time, per RFC4271. - type: string - myASN: - description: AS number to use for the local end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - nodeSelectors: - description: Only connect to this peer on nodes that match one of - these selectors. - items: - description: A label selector is a label query over a set of resources. - The result of matchLabels and matchExpressions are ANDed. An empty - label selector matches all objects. A null label selector matches - no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. 
- If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - type: array - password: - description: Authentication password for routers enforcing TCP MD5 - authenticated sessions - type: string - passwordSecret: - description: passwordSecret is name of the authentication secret for - BGP Peer. the secret must be of type "kubernetes.io/basic-auth", - and created in the same namespace as the MetalLB deployment. The - password is stored in the secret as the key "password". - properties: - name: - description: Name is unique within a namespace to reference a - secret resource. - type: string - namespace: - description: Namespace defines the space within which the secret - name must be unique. - type: string - type: object - peerASN: - description: AS number to expect from the remote end of the session. - format: int32 - maximum: 4294967295 - minimum: 0 - type: integer - peerAddress: - description: Address to dial when establishing the session. - type: string - peerPort: - default: 179 - description: Port to dial when establishing the session. - maximum: 16384 - minimum: 0 - type: integer - routerID: - description: BGP router ID to advertise to the peer - type: string - sourceAddress: - description: Source address to use when establishing the session. 
- type: string - vrf: - description: To set if we want to peer with the BGPPeer using an interface - belonging to a host vrf - type: string - required: - - myASN - - peerASN - - peerAddress - type: object - status: - description: BGPPeerStatus defines the observed state of Peer. - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: ipaddresspools.metallb.io -spec: - group: metallb.io - names: - kind: IPAddressPool - listKind: IPAddressPoolList - plural: ipaddresspools - singular: ipaddresspool - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: IPAddressPool represents a pool of IP addresses that can be allocated - to LoadBalancer services. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: IPAddressPoolSpec defines the desired state of IPAddressPool. - properties: - addresses: - description: A list of IP address ranges over which MetalLB has authority. - You can list multiple ranges in a single pool, they will all share - the same settings. 
Each range can be either a CIDR prefix, or an - explicit start-end range of IPs. - items: + - additionalPrinterColumns: + - jsonPath: .spec.peerAddress + name: Address + type: string + - jsonPath: .spec.peerASN + name: ASN + type: string + - jsonPath: .spec.bfdProfile + name: BFD Profile + type: string + - jsonPath: .spec.ebgpMultiHop + name: Multi Hops + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: BGPPeer is the Schema for the peers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec defines the desired state of Peer. + properties: + bfdProfile: type: string - type: array - autoAssign: - default: true - description: AutoAssign flag used to prevent MetallB from automatic - allocation for a pool. - type: boolean - avoidBuggyIPs: - default: false - description: AvoidBuggyIPs prevents addresses ending with .0 and .255 - to be used by a pool. - type: boolean - serviceAllocation: - description: AllocateTo makes ip pool allocation to specific namespace - and/or service. The controller will use the pool with lowest value - of priority in case of multiple matches. A pool with no priority - set will be used only if the pools with priority can't be used. 
- If multiple matching IPAddressPools are available it will check - for the availability of IPs sorting the matching IPAddressPools - by priority, starting from the highest to the lowest. If multiple - IPAddressPools have the same priority, choice will be random. - properties: - namespaceSelectors: - description: NamespaceSelectors list of label selectors to select - namespace(s) for ip pool, an alternative to using namespace - list. - items: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. + ebgpMultiHop: + description: EBGP peer is multi-hops away + type: boolean + holdTime: + description: Requested BGP hold time, per RFC4271. + type: string + keepaliveTime: + description: Requested BGP keepalive time, per RFC4271. + type: string + myASN: + description: AS number to use for the local end of the session. + format: int32 + maximum: 4294967295 + minimum: 0 + type: integer + nodeSelectors: + description: Only connect to this peer on nodes that match one of these selectors. + items: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. 
If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: + minItems: 1 + type: array + required: - key - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + - values type: object - type: object - type: array - namespaces: - description: Namespaces list of namespace(s) on which ip pool - can be attached. - items: + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: array + password: + description: Authentication password for routers enforcing TCP MD5 authenticated sessions + type: string + peerASN: + description: AS number to expect from the remote end of the session. + format: int32 + maximum: 4294967295 + minimum: 0 + type: integer + peerAddress: + description: Address to dial when establishing the session. + type: string + peerPort: + description: Port to dial when establishing the session. + maximum: 16384 + minimum: 0 + type: integer + routerID: + description: BGP router ID to advertise to the peer + type: string + sourceAddress: + description: Source address to use when establishing the session. + type: string + required: + - myASN + - peerASN + - peerAddress + type: object + status: + description: BGPPeerStatus defines the observed state of Peer. 
+ type: object + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.peerAddress + name: Address + type: string + - jsonPath: .spec.peerASN + name: ASN + type: string + - jsonPath: .spec.bfdProfile + name: BFD Profile + type: string + - jsonPath: .spec.ebgpMultiHop + name: Multi Hops + type: string + name: v1beta2 + schema: + openAPIV3Schema: + description: BGPPeer is the Schema for the peers API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec defines the desired state of Peer. + properties: + bfdProfile: + description: The name of the BFD Profile to be used for the BFD session associated to the BGP session. If not set, the BFD session won't be set up. + type: string + ebgpMultiHop: + description: To set if the BGPPeer is multi-hops away. Needed for FRR mode only. + type: boolean + holdTime: + description: Requested BGP hold time, per RFC4271. + type: string + keepaliveTime: + description: Requested BGP keepalive time, per RFC4271. + type: string + myASN: + description: AS number to use for the local end of the session. + format: int32 + maximum: 4294967295 + minimum: 0 + type: integer + nodeSelectors: + description: Only connect to this peer on nodes that match one of these selectors. 
+ items: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + password: + description: Authentication password for routers enforcing TCP MD5 authenticated sessions + type: string + passwordSecret: + description: passwordSecret is name of the authentication secret for BGP Peer. the secret must be of type "kubernetes.io/basic-auth", and created in the same namespace as the MetalLB deployment. The password is stored in the secret as the key "password". 
+ properties: + name: + description: name is unique within a namespace to reference a secret resource. type: string - type: array - priority: - description: Priority priority given for ip pool while ip allocation - on a service. - type: integer - serviceSelectors: - description: ServiceSelectors list of label selector to select - service(s) for which ip pool can be used for ip allocation. - items: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. 
- type: object - type: object - type: array - type: object - required: - - addresses - type: object - status: - description: IPAddressPoolStatus defines the observed state of IPAddressPool. - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + namespace: + description: namespace defines the space within which the secret name must be unique. + type: string + type: object + x-kubernetes-map-type: atomic + peerASN: + description: AS number to expect from the remote end of the session. + format: int32 + maximum: 4294967295 + minimum: 0 + type: integer + peerAddress: + description: Address to dial when establishing the session. + type: string + peerPort: + default: 179 + description: Port to dial when establishing the session. + maximum: 16384 + minimum: 0 + type: integer + routerID: + description: BGP router ID to advertise to the peer + type: string + sourceAddress: + description: Source address to use when establishing the session. + type: string + vrf: + description: To set if we want to peer with the BGPPeer using an interface belonging to a host vrf + type: string + required: + - myASN + - peerASN + - peerAddress + type: object + status: + description: BGPPeerStatus defines the observed state of Peer. 
+ type: object + type: object + served: true + storage: true + subresources: + status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 - creationTimestamp: null - name: l2advertisements.metallb.io -spec: - group: metallb.io - names: - kind: L2Advertisement - listKind: L2AdvertisementList - plural: l2advertisements - singular: l2advertisement - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: L2Advertisement allows to advertise the LoadBalancer IPs provided - by the selected pools via L2. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: L2AdvertisementSpec defines the desired state of L2Advertisement. - properties: - interfaces: - description: A list of interfaces to announce from. The LB IP will - be announced only from these interfaces. If the field is not set, - we advertise from all the interfaces on the host. - items: - type: string - type: array - ipAddressPoolSelectors: - description: A selector for the IPAddressPools which would get advertised - via this advertisement. If no IPAddressPool is selected by this - or by the list, the advertisement is applied to all the IPAddressPools. 
- items: - description: A label selector is a label query over a set of resources. - The result of matchLabels and matchExpressions are ANDed. An empty - label selector matches all objects. A null label selector matches - no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - type: array - ipAddressPools: - description: The list of IPAddressPools to advertise via this advertisement, - selected by name. - items: - type: string - type: array - nodeSelectors: - description: NodeSelectors allows to limit the nodes to announce as - next hops for the LoadBalancer IP. When empty, all the nodes having are - announced as next hops. - items: - description: A label selector is a label query over a set of resources. 
- The result of matchLabels and matchExpressions are ANDed. An empty - label selector matches all objects. A null label selector matches - no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - type: array - type: object - status: - description: L2AdvertisementStatus defines the observed state of L2Advertisement. - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.11.1 creationTimestamp: null name: communities.metallb.io spec: 
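Review bot: The conversion webhook `clientConfig` for `bgppeers.metallb.io` now targets `service.name: webhook-service`, while the removed block pointed at `metallb-webhook-service`; unless the chart's Service object was renamed in the same change (not visible in this hunk), the apiserver will fail to reach the converter and every read of a BGPPeer through the non-storage version will error out. The rewrite also dropped the comment that explained the `caBundle` value is only a syntactically valid PEM placeholder that the controller overwrites after startup, which is what keeps the apiserver from rejecting the CRD (and its deletion) with "unable to parse bytes as PEM block"; I would restore it above `caBundle:` as `# Placeholder PEM so the apiserver accepts the CRD; the controller patches caBundle with the real webhook CA once it starts.` Until that patch lands the apiserver cannot validate the webhook's certificate, so conversion requests fail closed during that window, and a one-line note to that effect would help operators debugging a fresh install. The `spec:` of this CRD begins before the hunk, so the hunk does not show the full object.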
@@ -1183,51 +530,322 @@ spec: singular: community scope: Namespaced versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: Community is a collection of aliases for communities. Users can - define named aliases to be used in the BGPPeer CRD. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: CommunitySpec defines the desired state of Community. - properties: - communities: - items: + - name: v1beta1 + schema: + openAPIV3Schema: + description: Community is a collection of aliases for communities. Users can define named aliases to be used in the BGPPeer CRD. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: CommunitySpec defines the desired state of Community.
+ properties:
+ communities:
+ items:
+ properties:
+ name:
+ description: The name of the alias for the community.
+ type: string
+ value:
+ description: The BGP community value corresponding to the given name. Can be a standard community of the form 1234:1234 or a large community of the form large:1234:1234:1234.
+ type: string
+ type: object
+ type: array
+ type: object
+ status:
+ description: CommunityStatus defines the observed state of Community.
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.1
+ creationTimestamp: null
+ name: ipaddresspools.metallb.io
+spec:
+ group: metallb.io
+ names:
+ kind: IPAddressPool
+ listKind: IPAddressPoolList
+ plural: ipaddresspools
+ singular: ipaddresspool
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.autoAssign
+ name: Auto Assign
+ type: boolean
+ - jsonPath: .spec.avoidBuggyIPs
+ name: Avoid Buggy IPs
+ type: boolean
+ - jsonPath: .spec.addresses
+ name: Addresses
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: IPAddressPool represents a pool of IP addresses that can be allocated to LoadBalancer services.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAddressPoolSpec defines the desired state of IPAddressPool. + properties: + addresses: + description: A list of IP address ranges over which MetalLB has authority. You can list multiple ranges in a single pool, they will all share the same settings. Each range can be either a CIDR prefix, or an explicit start-end range of IPs. + items: + type: string + type: array + autoAssign: + default: true + description: AutoAssign flag used to prevent MetallB from automatic allocation for a pool. + type: boolean + avoidBuggyIPs: + default: false + description: AvoidBuggyIPs prevents addresses ending with .0 and .255 to be used by a pool. + type: boolean + serviceAllocation: + description: AllocateTo makes ip pool allocation to specific namespace and/or service. The controller will use the pool with lowest value of priority in case of multiple matches. A pool with no priority set will be used only if the pools with priority can't be used. If multiple matching IPAddressPools are available it will check for the availability of IPs sorting the matching IPAddressPools by priority, starting from the highest to the lowest. If multiple IPAddressPools have the same priority, choice will be random. properties: - name: - description: The name of the alias for the community. - type: string - value: - description: The BGP community value corresponding to the given - name. - type: string + namespaceSelectors: + description: NamespaceSelectors list of label selectors to select namespace(s) for ip pool, an alternative to using namespace list. + items: + description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. 
An empty label selector matches all objects. A null label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ namespaces:
+ description: Namespaces list of namespace(s) on which ip pool can be attached.
+ items:
+ type: string
+ type: array
+ priority:
+ description: Priority priority given for ip pool while ip allocation on a service.
+ type: integer
+ serviceSelectors:
+ description: ServiceSelectors list of label selector to select service(s) for which ip pool can be used for ip allocation.
+ items:
+ description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects.
A null label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array type: object - type: array - type: object - status: - description: CommunityStatus defines the observed state of Community. - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + required: + - addresses + type: object + status: + description: IPAddressPoolStatus defines the observed state of IPAddressPool. 
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.1
+ creationTimestamp: null
+ name: l2advertisements.metallb.io
+spec:
+ group: metallb.io
+ names:
+ kind: L2Advertisement
+ listKind: L2AdvertisementList
+ plural: l2advertisements
+ singular: l2advertisement
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.ipAddressPools
+ name: IPAddressPools
+ type: string
+ - jsonPath: .spec.ipAddressPoolSelectors
+ name: IPAddressPool Selectors
+ type: string
+ - jsonPath: .spec.interfaces
+ name: Interfaces
+ type: string
+ - jsonPath: .spec.nodeSelectors
+ name: Node Selectors
+ priority: 10
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: L2Advertisement allows to advertise the LoadBalancer IPs provided by the selected pools via L2.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: L2AdvertisementSpec defines the desired state of L2Advertisement.
+ properties:
+ interfaces:
+ description: A list of interfaces to announce from. The LB IP will be announced only from these interfaces.
If the field is not set, we advertise from all the interfaces on the host.
+ items:
+ type: string
+ type: array
+ ipAddressPoolSelectors:
+ description: A selector for the IPAddressPools which would get advertised via this advertisement. If no IPAddressPool is selected by this or by the list, the advertisement is applied to all the IPAddressPools.
+ items:
+ description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ ipAddressPools:
+ description: The list of IPAddressPools to advertise via this advertisement, selected by name.
+ items:
+ type: string
+ type: array
+ nodeSelectors:
+ description: NodeSelectors allows to limit the nodes to announce as next hops for the LoadBalancer IP. When empty, all the nodes having are announced as next hops.
+ items:
+ description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ type: object
+ status:
+ description: L2AdvertisementStatus defines the observed state of L2Advertisement.
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/.helmignore b/charts/metallb/metallb/charts/frr-k8s/.helmignore
similarity index 95%
rename from charts/kubecost/cost-analyzer/charts/prometheus/.helmignore
rename to charts/metallb/metallb/charts/frr-k8s/.helmignore
index 825c00779..0e8a0eb36 100644
--- a/charts/kubecost/cost-analyzer/charts/prometheus/.helmignore
+++ b/charts/metallb/metallb/charts/frr-k8s/.helmignore
@@ -14,10 +14,10 @@
 *.swp
 *.bak
 *.tmp
+*.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
-
-OWNERS
+.vscode/
diff --git a/charts/metallb/metallb/charts/frr-k8s/Chart.lock b/charts/metallb/metallb/charts/frr-k8s/Chart.lock
new file mode 100644
index 000000000..882f5945b
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: crds
+ repository: ""
+ version: 0.0.8
+digest: sha256:7efb8664deb296dbc6bc1311922b9b9203ec7c7611a07c7014e4aa92320f947b
+generated: "2024-01-24T09:35:01.567823358+01:00"
diff --git a/charts/metallb/metallb/charts/frr-k8s/Chart.yaml b/charts/metallb/metallb/charts/frr-k8s/Chart.yaml
new file mode 100644
index 000000000..0b2e8693d
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/Chart.yaml
@@ -0,0 +1,16 @@
+apiVersion: v2
+appVersion: v0.0.8
+dependencies:
+- condition: crds.enabled
+ name: crds
+ repository: ""
+ version: 0.0.8
+description: A cloud native wrapper of FRR
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo/metallb-white.png
+kubeVersion: '>= 1.19.0-0'
+name: frr-k8s
+sources:
+- https://github.com/metallb/frr-k8s
+type: application
+version: 0.0.8
diff --git a/charts/metallb/metallb/charts/frr-k8s/README.md b/charts/metallb/metallb/charts/frr-k8s/README.md
new file mode 100644
index 000000000..fe4018830
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/README.md
@@ -0,0 +1,96 @@
+# frr-k8s
+
+![Version: 0.0.8](https://img.shields.io/badge/Version-0.0.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.8](https://img.shields.io/badge/AppVersion-v0.0.8-informational?style=flat-square)
+
+A cloud native wrapper of FRR
+
+**Homepage:**
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.19.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| | crds | 0.0.8 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| crds.enabled | bool | `true` | |
+| crds.validationFailurePolicy | string | `"Fail"` | |
+| frrk8s.affinity | object | `{}` | |
+| frrk8s.alwaysBlock | string | `""` | |
+| frrk8s.disableCertRotation | bool | `false` | |
+| frrk8s.frr.image.pullPolicy | string | `nil` | |
+| frrk8s.frr.image.repository | string | `"quay.io/frrouting/frr"` | |
+| frrk8s.frr.image.tag | string | `"8.4.2"` | |
+| frrk8s.frr.metricsBindAddress | string | `"127.0.0.1"` | |
+| frrk8s.frr.metricsPort | int | `7573` | |
+| frrk8s.frr.resources | object | `{}` | |
+| frrk8s.frr.secureMetricsPort | int | `9141` | |
+| frrk8s.frrMetrics.resources | object | `{}` | |
+| frrk8s.healthPort | int | `8081` | |
+| frrk8s.image.pullPolicy | string | `nil` | |
+| frrk8s.image.repository | string | `"quay.io/metallb/frr-k8s"` | |
+| frrk8s.image.tag | string | `nil` | |
+| frrk8s.labels.app | string | `"frr-k8s"` | |
+| frrk8s.livenessProbe.enabled | bool | `true` | |
+| frrk8s.livenessProbe.failureThreshold | int | `3` | |
+| frrk8s.livenessProbe.initialDelaySeconds | int | `10` | |
+| frrk8s.livenessProbe.periodSeconds | int | `10` | |
+| frrk8s.livenessProbe.successThreshold | int | `1` | |
+| frrk8s.livenessProbe.timeoutSeconds | int | `1` | |
+| frrk8s.logLevel | string | `"info"` | Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` |
+| frrk8s.nodeSelector | object | `{}` | |
+| frrk8s.podAnnotations | object | `{}` | |
+| frrk8s.priorityClassName | string | `""` | |
+| frrk8s.readinessProbe.enabled | bool | `true` | |
+| frrk8s.readinessProbe.failureThreshold | int | `3` | |
+| frrk8s.readinessProbe.initialDelaySeconds | int | `10` | |
+| frrk8s.readinessProbe.periodSeconds | int | `10` | |
+| frrk8s.readinessProbe.successThreshold | int | `1` | |
+| frrk8s.readinessProbe.timeoutSeconds | int | `1` | |
+| frrk8s.reloader.resources | object | `{}` | |
+| frrk8s.resources | object | `{}` | |
+| frrk8s.restartOnRotatorSecretRefresh | bool | `false` | |
+| frrk8s.runtimeClassName | string | `""` | |
+| frrk8s.serviceAccount.annotations | object | `{}` | |
+| frrk8s.serviceAccount.create | bool | `true` | |
+| frrk8s.serviceAccount.name | string | `""` | |
+| frrk8s.startupProbe.enabled | bool | `true` | |
+| frrk8s.startupProbe.failureThreshold | int | `30` | |
+| frrk8s.startupProbe.periodSeconds | int | `5` | |
+| frrk8s.tolerateMaster | bool | `true` | |
+| frrk8s.tolerations | list | `[]` | |
+| frrk8s.updateStrategy.type | string | `"RollingUpdate"` | |
+| fullnameOverride | string | `""` | |
+| nameOverride | string | `""` | |
+| prometheus.metricsBindAddress | string | `"127.0.0.1"` | |
+| prometheus.metricsPort | int | `7572` | |
+| prometheus.metricsTLSSecret | string | `""` | |
+| prometheus.namespace | string | `""` | |
+| prometheus.rbacPrometheus | bool | `false` | |
+| prometheus.rbacProxy.pullPolicy | string | `nil` | |
+| prometheus.rbacProxy.repository | string | `"gcr.io/kubebuilder/kube-rbac-proxy"` | |
+| prometheus.rbacProxy.tag | string | `"v0.12.0"` | |
+| prometheus.scrapeAnnotations | bool | `false` | |
+| prometheus.secureMetricsPort | int | `9140` | |
+| prometheus.serviceAccount | string | `""` | |
+| prometheus.serviceMonitor.additionalLabels | object | `{}` | |
+| prometheus.serviceMonitor.annotations | object | `{}` | |
+| prometheus.serviceMonitor.enabled | bool | `false` | |
+| prometheus.serviceMonitor.interval | string | `nil` | |
+| prometheus.serviceMonitor.jobLabel | string | `"app.kubernetes.io/name"` | |
+| prometheus.serviceMonitor.metricRelabelings | list | `[]` | |
+| prometheus.serviceMonitor.relabelings | list | `[]` | |
+| prometheus.serviceMonitor.tlsConfig.insecureSkipVerify | bool | `true` | |
+| rbac.create | bool | `true` | |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/.helmignore b/charts/metallb/metallb/charts/frr-k8s/charts/crds/.helmignore
similarity index 95%
rename from charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/.helmignore
rename to charts/metallb/metallb/charts/frr-k8s/charts/crds/.helmignore
index f0c131944..0e8a0eb36 100644
--- a/charts/kubecost/cost-analyzer/charts/prometheus/charts/kube-state-metrics/.helmignore
+++ b/charts/metallb/metallb/charts/frr-k8s/charts/crds/.helmignore
@@ -14,8 +14,10 @@
 *.swp
 *.bak
 *.tmp
+*.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
+.vscode/
diff --git a/charts/metallb/metallb/charts/frr-k8s/charts/crds/Chart.yaml b/charts/metallb/metallb/charts/frr-k8s/charts/crds/Chart.yaml
new file mode 100644
index 000000000..5b71b0509
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/charts/crds/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+appVersion: v0.0.8
+description: FRR K8s CRDs
+home: https://metallb.universe.tf
+icon: https://metallb.universe.tf/images/logo/metallb-white.png
+name: crds
+sources:
+- https://github.com/metallb/frr-k8s
+type: application
+version: 0.0.8
diff --git a/charts/metallb/metallb/charts/frr-k8s/charts/crds/README.md b/charts/metallb/metallb/charts/frr-k8s/charts/crds/README.md
new file mode 100644
index 000000000..65e636c6d
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/charts/crds/README.md
@@ -0,0 +1,14 @@
+# crds
+
+![Version: 0.0.0](https://img.shields.io/badge/Version-0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.0.0](https://img.shields.io/badge/AppVersion-v0.0.0-informational?style=flat-square)
+
+FRR-K8s CRDs
+
+**Homepage:**
+
+## Source Code
+
+*
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.10.0](https://github.com/norwoodj/helm-docs/releases/v1.10.0)
diff --git a/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrconfigurations.yaml b/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrconfigurations.yaml
new file mode 100644
index 000000000..18c70f3e6
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrconfigurations.yaml
@@ -0,0 +1,404 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.11.3
+ creationTimestamp: null
+ name: frrconfigurations.frrk8s.metallb.io
+spec:
+ group: frrk8s.metallb.io
+ names:
+ kind: FRRConfiguration
+ listKind: FRRConfigurationList
+ plural: frrconfigurations
+ singular: frrconfiguration
+ scope: Namespaced
+ versions:
+ - name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: FRRConfiguration is a piece of FRR configuration.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
+ of an object. Servers should convert recognized schemas to the latest
+ internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
+ object represents. Servers may infer this from the endpoint the client
+ submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FRRConfigurationSpec defines the desired state of FRRConfiguration.
+ properties:
+ bgp:
+ description: BGP is the configuration related to the BGP protocol.
+ properties:
+ bfdProfiles:
+ description: BFDProfiles is the list of bfd profiles to be used
+ when configuring the neighbors.
+ items:
+ description: BFDProfile is the configuration related to the
+ BFD protocol associated to a BGP session.
+ properties:
+ detectMultiplier:
+ description: Configures the detection multiplier to determine
+ packet loss. The remote transmission interval will be
+ multiplied by this value to determine the connection loss
+ detection timer.
+ format: int32
+ maximum: 255
+ minimum: 2
+ type: integer
+ echoInterval:
+ description: Configures the minimal echo receive transmission
+ interval that this system is capable of handling in milliseconds.
+ Defaults to 50ms
+ format: int32
+ maximum: 60000
+ minimum: 10
+ type: integer
+ echoMode:
+ description: Enables or disables the echo transmission mode.
+ This mode is disabled by default, and not supported on
+ multi hops setups.
+ type: boolean
+ minimumTtl:
+ description: 'For multi hop sessions only: configure the
+ minimum expected TTL for an incoming BFD control packet.'
+ format: int32
+ maximum: 254
+ minimum: 1
+ type: integer
+ name:
+ description: The name of the BFD Profile to be referenced
+ in other parts of the configuration.
+ type: string
+ passiveMode:
+ description: 'Mark session as passive: a passive session
+ will not attempt to start the connection and will wait
+ for control packets from peer before it begins replying.'
+ type: boolean
+ receiveInterval:
+ description: The minimum interval that this system is capable
+ of receiving control packets in milliseconds. Defaults
+ to 300ms.
+ format: int32
+ maximum: 60000
+ minimum: 10
+ type: integer
+ transmitInterval:
+ description: The minimum transmission interval (less jitter)
+ that this system wants to use to send BFD control packets
+ in milliseconds. Defaults to 300ms
+ format: int32
+ maximum: 60000
+ minimum: 10
+ type: integer
+ required:
+ - name
+ type: object
+ type: array
+ routers:
+ description: Routers is the list of routers we want FRR to configure
+ (one per VRF).
+ items:
+ description: Router represent a neighbor router we want FRR
+ to connect to.
+ properties:
+ asn:
+ description: ASN is the AS number to use for the local end
+ of the session.
+ format: int32
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ id:
+ description: ID is the BGP router ID
+ type: string
+ neighbors:
+ description: Neighbors is the list of neighbors we want
+ to establish BGP sessions with.
+ items:
+ description: Neighbor represents a BGP Neighbor we want
+ FRR to connect to.
+ properties:
+ address:
+ description: Address is the IP address to establish
+ the session with.
+ type: string
+ asn:
+ description: ASN is the AS number to use for the local
+ end of the session.
+ format: int32
+ maximum: 4294967295
+ minimum: 0
+ type: integer
+ bfdProfile:
+ description: BFDProfile is the name of the BFD Profile
+ to be used for the BFD session associated to the
+ BGP session. If not set, the BFD session won't be
+ set up.
+ type: string
+ ebgpMultiHop:
+ description: EBGPMultiHop indicates if the BGPPeer
+ is multi-hops away.
+ type: boolean
+ holdTime:
+ description: HoldTime is the requested BGP hold time,
+ per RFC4271. Defaults to 180s.
+ type: string
+ keepaliveTime:
+ description: KeepaliveTime is the requested BGP keepalive
+ time, per RFC4271. Defaults to 60s.
+ type: string
+ password:
+ description: Password to be used for establishing
+ the BGP session. Password and PasswordSecret are
+ mutually exclusive.
+ type: string
+ passwordSecret:
+ description: PasswordSecret is name of the authentication
+ secret for the neighbor. the secret must be of type
+ "kubernetes.io/basic-auth", and created in the same
+ namespace as the frr-k8s daemon. The password is
+ stored in the secret as the key "password". Password
+ and PasswordSecret are mutually exclusive.
+ properties:
+ name:
+ description: name is unique within a namespace
+ to reference a secret resource.
+ type: string
+ namespace:
+ description: namespace defines the space within
+ which the secret name must be unique.
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ port:
+ description: Port is the port to dial when establishing
+ the session. Defaults to 179.
+ maximum: 16384
+ minimum: 0
+ type: integer
+ toAdvertise:
+ description: ToAdvertise represents the list of prefixes
+ to advertise to the given neighbor and the associated
+ properties.
+ properties:
+ allowed:
+ description: Allowed is is the list of prefixes
+ allowed to be propagated to this neighbor. They
+ must match the prefixes defined in the router.
+ properties:
+ mode:
+ default: filtered
+ description: Mode is the mode to use when
+ handling the prefixes. When set to "filtered",
+ only the prefixes in the given list will
+ be allowed. When set to "all", all the prefixes
+ configured on the router will be allowed.
+ enum:
+ - all
+ - filtered
+ type: string
+ prefixes:
+ items:
+ type: string
+ type: array
+ type: object
+ withCommunity:
+ description: PrefixesWithCommunity is a list of
+ prefixes that are associated to a bgp community
+ when being advertised. The prefixes associated
+ to a given local pref must be in the prefixes
+ allowed to be advertised.
+ items:
+ description: CommunityPrefixes is a list of
+ prefixes associated to a community.
+ properties:
+ community:
+ description: Community is the community
+ associated to the prefixes.
+ type: string
+ prefixes:
+ description: Prefixes is the list of prefixes
+ associated to the community.
+ format: cidr
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: array
+ withLocalPref:
+ description: PrefixesWithLocalPref is a list of
+ prefixes that are associated to a local preference
+ when being advertised. The prefixes associated
+ to a given local pref must be in the prefixes
+ allowed to be advertised.
+ items:
+ description: LocalPrefPrefixes is a list of
+ prefixes associated to a local preference.
+ properties:
+ localPref:
+ description: LocalPref is the local preference
+ associated to the prefixes.
+ format: int32
+ type: integer
+ prefixes:
+ description: Prefixes is the list of prefixes
+ associated to the local preference.
+ format: cidr
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ type: array
+ type: object
+ toReceive:
+ description: ToReceive represents the list of prefixes
+ to receive from the given neighbor.
+ properties:
+ allowed:
+ description: Allowed is the list of prefixes allowed
+ to be received from this neighbor.
+ properties:
+ mode:
+ default: filtered
+ description: Mode is the mode to use when
+ handling the prefixes. When set to "filtered",
+ only the prefixes in the given list will
+ be allowed. When set to "all", all the prefixes
+ configured on the router will be allowed.
+ enum:
+ - all
+ - filtered
+ type: string
+ prefixes:
+ items:
+ description: PrefixSelector is a filter
+ of prefixes to receive.
+ properties:
+ ge:
+ description: The prefix length modifier.
+ This selector accepts any matching
+ prefix with length greater or equal
+ the given value.
+ format: int32
+ maximum: 128
+ minimum: 1
+ type: integer
+ le:
+ description: The prefix length modifier.
+ This selector accepts any matching
+ prefix with length less or equal the
+ given value.
+ format: int32
+ maximum: 128
+ minimum: 1
+ type: integer
+ prefix:
+ format: cidr
+ type: string
+ type: object
+ type: array
+ type: object
+ type: object
+ required:
+ - address
+ - asn
+ type: object
+ type: array
+ prefixes:
+ description: Prefixes is the list of prefixes we want to
+ advertise from this router instance.
+ items:
+ type: string
+ type: array
+ vrf:
+ description: VRF is the host vrf used to establish sessions
+ from this router.
+ type: string
+ required:
+ - asn
+ type: object
+ type: array
+ type: object
+ nodeSelector:
+ description: NodeSelector limits the nodes that will attempt to apply
+ this config. When specified, the configuration will be considered
+ only on nodes whose labels match the specified selectors. When it
+ is not specified all nodes will attempt to apply this config.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ raw:
+ description: Raw is a snippet of raw frr configuration that gets appended
+ to the one rendered translating the type safe API.
+ properties:
+ priority:
+ description: Priority is the order with this configuration is
+ appended to the bottom of the rendered configuration. A higher
+ value means the raw config is appended later in the configuration
+ file.
+ type: integer
+ rawConfig:
+ description: Config is a raw FRR configuration to be appended
+ to the configuration rendered via the k8s api.
+ type: string
+ type: object
+ type: object
+ status:
+ description: FRRConfigurationStatus defines the observed state of FRRConfiguration.
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrnodestates.yaml b/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrnodestates.yaml
new file mode 100644
index 000000000..b0d25c30d
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/charts/crds/templates/frrk8s.metallb.io_frrnodestates.yaml
@@ -0,0 +1,61 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + creationTimestamp: null + name: frrnodestates.frrk8s.metallb.io +spec: + group: frrk8s.metallb.io + names: + kind: FRRNodeState + listKind: FRRNodeStateList + plural: frrnodestates + singular: frrnodestate + scope: Cluster + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: FRRNodeState exposes the status of the FRR instance running on + each node. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FRRNodeStateSpec defines the desired state of FRRNodeState. + type: object + status: + description: FRRNodeStateStatus defines the observed state of FRRNodeState. + properties: + lastConversionResult: + description: LastConversionResult is the status of the last translation + between the `FRRConfiguration`s resources and FRR's configuration, + contains "success" or an error. + type: string + lastReloadResult: + description: LastReloadResult represents the status of the last configuration + update operation by FRR, contains "success" or an error. 
+ type: string + runningConfig: + description: RunningConfig represents the current FRR running config, + which is the configuration the FRR instance is currently running + with. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/NOTES.txt b/charts/metallb/metallb/charts/frr-k8s/templates/NOTES.txt new file mode 100644 index 000000000..5b5b84a17 --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/NOTES.txt @@ -0,0 +1,4 @@ +FRR-k8s is now running in the cluster. + +Now you can configure it via its CRs. Please refer to the frr-k8s official docs +on how to use the CRs. diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/_helpers.tpl b/charts/metallb/metallb/charts/frr-k8s/templates/_helpers.tpl new file mode 100644 index 000000000..4e35f6fc6 --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/_helpers.tpl 
@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "frrk8s.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "frrk8s.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "frrk8s.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "frrk8s.labels" -}}
+helm.sh/chart: {{ include "frrk8s.chart" . }}
+{{ include "frrk8s.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "frrk8s.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "frrk8s.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the frrk8s service account to use
+*/}}
+{{- define "frrk8s.serviceAccountName" -}}
+{{- if .Values.frrk8s.serviceAccount.create }}
+{{- default (printf "%s-controller" (include "frrk8s.fullname" .)) .Values.frrk8s.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.frrk8s.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/controller.yaml b/charts/metallb/metallb/charts/frr-k8s/templates/controller.yaml
new file mode 100644
index 000000000..2d955da70
--- /dev/null
+++ b/charts/metallb/metallb/charts/frr-k8s/templates/controller.yaml
@@ -0,0 +1,429 @@ +# FRR expects to have these files owned by frr:frr on startup. +# Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup. +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "frrk8s.fullname" . }}-frr-startup + labels: + {{- include "frrk8s.labels" . | nindent 4 }} + app.kubernetes.io/component: frr-k8s +data: + daemons: | + # This file tells the frr package which daemons to start. + # + # Sample configurations for these daemons can be found in + # /usr/share/doc/frr/examples/. + # + # ATTENTION: + # + # When activating a daemon for the first time, a config file, even if it is + # empty, has to be present *and* be owned by the user and group "frr", else + # the daemon will not be started by /etc/init.d/frr. The permissions should + # be u=rw,g=r,o=. + # When using "vtysh" such a config file is also needed. It should be owned by + # group "frrvty" and set to ug=rw,o= though. Check /etc/pam.d/frr, too. + # + # The watchfrr and zebra daemons are always started. + # + bgpd=yes + ospfd=no + ospf6d=no + ripd=no + ripngd=no + isisd=no + pimd=no + ldpd=no + nhrpd=no + eigrpd=no + babeld=no + sharpd=no + pbrd=no + bfdd=yes + fabricd=no + vrrpd=no + + # + # If this option is set the /etc/init.d/frr script automatically loads + # the config via "vtysh -b" when the servers are started. + # Check /etc/pam.d/frr if you intend to use "vtysh"! 
+ # + vtysh_enable=yes + zebra_options=" -A 127.0.0.1 -s 90000000" + bgpd_options=" -A 127.0.0.1 -p 0" + ospfd_options=" -A 127.0.0.1" + ospf6d_options=" -A ::1" + ripd_options=" -A 127.0.0.1" + ripngd_options=" -A ::1" + isisd_options=" -A 127.0.0.1" + pimd_options=" -A 127.0.0.1" + ldpd_options=" -A 127.0.0.1" + nhrpd_options=" -A 127.0.0.1" + eigrpd_options=" -A 127.0.0.1" + babeld_options=" -A 127.0.0.1" + sharpd_options=" -A 127.0.0.1" + pbrd_options=" -A 127.0.0.1" + staticd_options="-A 127.0.0.1" + bfdd_options=" -A 127.0.0.1" + fabricd_options="-A 127.0.0.1" + vrrpd_options=" -A 127.0.0.1" + + # configuration profile + # + #frr_profile="traditional" + #frr_profile="datacenter" + + # + # This is the maximum number of FD's that will be available. + # Upon startup this is read by the control files and ulimit + # is called. Uncomment and use a reasonable value for your + # setup if you are expecting a large number of peers in + # say BGP. + #MAX_FDS=1024 + + # The list of daemons to watch is automatically generated by the init script. + #watchfrr_options="" + + # for debugging purposes, you can specify a "wrap" command to start instead + # of starting the daemon directly, e.g. to use valgrind on ospfd: + # ospfd_wrap="/usr/bin/valgrind" + # or you can use "all_wrap" for all daemons, e.g. to use perf record: + # all_wrap="/usr/bin/perf record --call-graph -" + # the normal daemon command is added to this at the end. + vtysh.conf: |+ + service integrated-vtysh-config + frr.conf: |+ + ! This file gets overriden the first time the speaker renders a config. + ! So anything configured here is only temporary. + frr version 7.5.1 + frr defaults traditional + hostname Router + line vty + log file /etc/frr/frr.log informational +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ template "frrk8s.fullname" . }} + labels: + {{- include "frrk8s.labels" . 
| nindent 4 }} + app.kubernetes.io/component: frr-k8s + {{- range $key, $value := .Values.frrk8s.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + {{- if .Values.frrk8s.updateStrategy }} + updateStrategy: {{- toYaml .Values.frrk8s.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "frrk8s.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: frr-k8s + template: + metadata: + labels: + {{- include "frrk8s.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: frr-k8s + {{- range $key, $value := .Values.frrk8s.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + {{- if .Values.frrk8s.runtimeClassName }} + runtimeClassName: {{ .Values.frrk8s.runtimeClassName }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ template "frrk8s.serviceAccountName" . }} + terminationGracePeriodSeconds: 0 + hostNetwork: true + volumes: + - name: frr-sockets + emptyDir: {} + - name: frr-startup + configMap: + name: {{ template "frrk8s.fullname" . }}-frr-startup + - name: frr-conf + emptyDir: {} + - name: reloader + emptyDir: {} + - name: metrics + emptyDir: {} + {{- if .Values.prometheus.metricsTLSSecret }} + - name: metrics-certs + secret: + secretName: {{ .Values.prometheus.metricsTLSSecret }} + {{- end }} + initContainers: + # Copies the initial config files with the right permissions to the shared volume. + - name: cp-frr-files + image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }} + securityContext: + runAsUser: 100 + runAsGroup: 101 + command: ["/bin/sh", "-c", "cp -rLf /tmp/frr/* /etc/frr/"] + volumeMounts: + - name: frr-startup + mountPath: /tmp/frr + - name: frr-conf + mountPath: /etc/frr + # Copies the reloader to the shared volume between the speaker and reloader. 
+ - name: cp-reloader + image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }} + command: ["/bin/sh", "-c", "cp -f /frr-reloader.sh /etc/frr_reloader/"] + volumeMounts: + - name: reloader + mountPath: /etc/frr_reloader + # Copies the metrics exporter + - name: cp-metrics + image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }} + command: ["/bin/sh", "-c", "cp -f /frr-metrics /etc/frr_metrics/"] + volumeMounts: + - name: metrics + mountPath: /etc/frr_metrics + shareProcessNamespace: true + containers: + - name: controller + image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }} + {{- if .Values.frrk8s.image.pullPolicy }} + imagePullPolicy: {{ .Values.frrk8s.image.pullPolicy }} + {{- end }} + command: + - /frr-k8s + args: + - "--node-name=$(NODE_NAME)" + - "--namespace=$(NAMESPACE)" + - "--metrics-bind-address={{.Values.prometheus.metricsBindAddress}}:{{ .Values.prometheus.metricsPort }}" + {{- with .Values.frrk8s.logLevel }} + - --log-level={{ . 
}} + {{- end }} + - --health-probe-bind-address={{.Values.prometheus.metricsBindAddress}}:{{ .Values.frrk8s.healthPort }} + {{- if .Values.frrk8s.alwaysBlock }} + - --always-block={{ .Values.frrk8s.alwaysBlock }} + {{- end }} + env: + - name: FRR_CONFIG_FILE + value: /etc/frr_reloader/frr.conf + - name: FRR_RELOADER_PID_FILE + value: /etc/frr_reloader/reloader.pid + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - containerPort: {{ .Values.prometheus.metricsPort }} + name: monitoring + {{- if .Values.frrk8s.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.frrk8s.healthPort }} + host: {{ .Values.prometheus.metricsBindAddress }} + initialDelaySeconds: {{ .Values.frrk8s.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.frrk8s.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.frrk8s.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.frrk8s.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.frrk8s.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /healthz + port: {{ .Values.frrk8s.healthPort }} + host: {{ .Values.prometheus.metricsBindAddress }} + initialDelaySeconds: {{ .Values.frrk8s.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.frrk8s.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.frrk8s.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.frrk8s.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.frrk8s.readinessProbe.failureThreshold }} + {{- end }} + {{- with .Values.frrk8s.resources }} + resources: + {{- toYaml . 
| nindent 10 }} + {{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + add: + - NET_RAW + volumeMounts: + - name: reloader + mountPath: /etc/frr_reloader + - name: frr + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + - SYS_ADMIN + - NET_BIND_SERVICE + image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }} + {{- if .Values.frrk8s.frr.image.pullPolicy }} + imagePullPolicy: {{ .Values.frrk8s.frr.image.pullPolicy }} + {{- end }} + env: + - name: TINI_SUBREAPER + value: "true" + volumeMounts: + - name: frr-sockets + mountPath: /var/run/frr + - name: frr-conf + mountPath: /etc/frr + # The command is FRR's default entrypoint & waiting for the log file to appear and tailing it. + # If the log file isn't created in 60 seconds the tail fails and the container is restarted. + # This workaround is needed to have the frr logs as part of kubectl logs -c frr < controller_pod_name >. + command: + - /bin/sh + - -c + - | + /sbin/tini -- /usr/lib/frr/docker-start & + attempts=0 + until [[ -f /etc/frr/frr.log || $attempts -eq 60 ]]; do + sleep 1 + attempts=$(( $attempts + 1 )) + done + tail -f /etc/frr/frr.log + {{- with .Values.frrk8s.frr.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- if .Values.frrk8s.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /livez + port: {{ .Values.frrk8s.frr.metricsPort }} + host: {{ .Values.frrk8s.frr.metricsBindAddress }} + periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }} + failureThreshold: {{ .Values.frrk8s.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.frrk8s.startupProbe.enabled }} + startupProbe: + httpGet: + path: /livez + port: {{ .Values.frrk8s.frr.metricsPort }} + host: {{ .Values.frrk8s.frr.metricsBindAddress }} + failureThreshold: {{ .Values.frrk8s.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.frrk8s.startupProbe.periodSeconds }} + {{- end }} + - name: reloader + image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }} + {{- if .Values.frrk8s.frr.image.pullPolicy }} + imagePullPolicy: {{ .Values.frrk8s.frr.image.pullPolicy }} + {{- end }} + command: ["/etc/frr_reloader/frr-reloader.sh"] + volumeMounts: + - name: frr-sockets + mountPath: /var/run/frr + - name: frr-conf + mountPath: /etc/frr + - name: reloader + mountPath: /etc/frr_reloader + {{- with .Values.frrk8s.reloader.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + - name: frr-metrics + image: {{ .Values.frrk8s.frr.image.repository }}:{{ .Values.frrk8s.frr.image.tag | default .Chart.AppVersion }} + command: ["/etc/frr_metrics/frr-metrics"] + args: + - --metrics-port={{ .Values.frrk8s.frr.metricsPort }} + - --metrics-bind-address={{ .Values.frrk8s.frr.metricsBindAddress }} + ports: + - containerPort: {{ .Values.frrk8s.frr.metricsPort }} + name: monitoring + volumeMounts: + - name: frr-sockets + mountPath: /var/run/frr + - name: frr-conf + mountPath: /etc/frr + - name: metrics + mountPath: /etc/frr_metrics + {{- with .Values.frrk8s.frrMetrics.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + - name: kube-rbac-proxy + image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }} + imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }} + args: + - --logtostderr + - --secure-listen-address=:{{ .Values.prometheus.secureMetricsPort }} + - --upstream=http://{{.Values.prometheus.metricsBindAddress}}:{{ .Values.prometheus.metricsPort }}/ + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + {{- if .Values.prometheus.metricsTLSSecret }} + - --tls-private-key-file=/etc/metrics/tls.key + - --tls-cert-file=/etc/metrics/tls.crt + {{- end }} + ports: + - containerPort: {{ .Values.prometheus.secureMetricsPort }} + name: metricshttps + resources: + requests: + cpu: 10m + memory: 20Mi + terminationMessagePolicy: FallbackToLogsOnError + {{- if .Values.prometheus.metricsTLSSecret }} + volumeMounts: + - name: metrics-certs + mountPath: /etc/metrics + readOnly: true + {{- end }} + - name: kube-rbac-proxy-frr + image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }} + imagePullPolicy: {{ .Values.prometheus.rbacProxy.pullPolicy }} + args: + - --logtostderr + - --secure-listen-address=:{{ .Values.frrk8s.frr.secureMetricsPort }} + - --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + - --upstream=http://{{ .Values.frrk8s.frr.metricsBindAddress }}:{{ .Values.frrk8s.frr.metricsPort }}/ + {{- if .Values.prometheus.metricsTLSSecret }} + - --tls-private-key-file=/etc/metrics/tls.key + - --tls-cert-file=/etc/metrics/tls.crt + {{- end }} + ports: + - containerPort: {{ .Values.frrk8s.frr.secureMetricsPort }} + name: metricshttps + resources: 
+ requests: + cpu: 10m + memory: 20Mi + terminationMessagePolicy: FallbackToLogsOnError + {{- if .Values.prometheus.metricsTLSSecret }} + volumeMounts: + - name: metrics-certs + mountPath: /etc/metrics + readOnly: true + {{- end }} + nodeSelector: + "kubernetes.io/os": linux + {{- with .Values.frrk8s.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.frrk8s.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.frrk8s.tolerateMaster .Values.frrk8s.tolerations }} + tolerations: + {{- if .Values.frrk8s.tolerateMaster }} + - key: node-role.kubernetes.io/master + effect: NoSchedule + operator: Exists + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + operator: Exists + {{- end }} + {{- with .Values.frrk8s.tolerations }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + {{- with .Values.frrk8s.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/rbac.yaml b/charts/metallb/metallb/charts/frr-k8s/templates/rbac.yaml new file mode 100644 index 000000000..20460142d --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/rbac.yaml 
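Review bot: The `kube-rbac-proxy-frr` container's image tag falls back to `.Chart.AppVersion` (`{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }}`) while the sibling `kube-rbac-proxy` container renders `.Values.prometheus.rbacProxy.tag` with no default, so with the tag unset the two sidecars resolve to different images and the fallback presumably names a tag the proxy image does not publish; make both lines `image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag }}` or give both the same documented default. The `frr` container adds NET_ADMIN, NET_RAW, SYS_ADMIN and NET_BIND_SERVICE without first dropping ALL and without `allowPrivilegeEscalation: false`, and the `reloader`, `frr-metrics`, `cp-reloader` and `cp-metrics` containers declare no securityContext at all, in a pod that already runs with `hostNetwork: true` and `shareProcessNamespace: true`. Bringing them to the shape the `controller` container already has (`drop: [ALL]` before the `add` list, `allowPrivilegeEscalation: false`, and `readOnlyRootFilesystem: true` where the container only writes to its mounted volumes) keeps the impact of any one sidecar bounded. Both `--tls-cipher-suites` lists also carry `TLS_RSA_WITH_AES_128_CBC_SHA256`, a non-forward-secret CBC suite; the ECDHE GCM entries already present suffice and the RSA and CBC ones can be removed. A short comment on the `frr` container stating why SYS_ADMIN is required would help reviewers, since it is the broadest capability in the set.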
@@ -0,0 +1,72 @@ +{{- if .Values.rbac.create -}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "frrk8s.fullname" . }}-controller + labels: {{- include "frrk8s.labels" . | nindent 4 }} +rules: +- apiGroups: ["frrk8s.metallb.io"] + resources: ["frrconfigurations"] + verbs: ["get", "list", "watch"] +- apiGroups: ["frrk8s.metallb.io"] + resources: ["frrnodestates"] + verbs: ["get", "list", "watch", "create", "delete", "patch", "update"] +- apiGroups: ["frrk8s.metallb.io"] + resources: ["frrnodestates/status"] + verbs: ["get", "patch", "update"] +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch"] +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] +- apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations"] + verbs: ["get", "list", "watch"] +- apiGroups: ["admissionregistration.k8s.io"] + resourceNames: ["frr-k8s-validating-webhook-configuration"] + resources: ["validatingwebhookconfigurations"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "frrk8s.fullname" . }}-controller + labels: {{- include "frrk8s.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "frrk8s.fullname" . }}-controller +subjects: +- kind: ServiceAccount + name: {{ include "frrk8s.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "frrk8s.fullname" . }}-controller + labels: {{- include "frrk8s.labels" . | nindent 4 }} +rules: +- apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch","update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "frrk8s.fullname" . 
}}-controller + namespace: {{ .Release.Namespace }} + labels: {{- include "frrk8s.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "frrk8s.fullname" . }}-controller +subjects: +- kind: ServiceAccount + name: {{ include "frrk8s.serviceAccountName" . }} +{{ end -}} diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/service-accounts.yaml b/charts/metallb/metallb/charts/frr-k8s/templates/service-accounts.yaml new file mode 100644 index 000000000..9fb46d156 --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/service-accounts.yaml @@ -0,0 +1,15 @@ +{{- if .Values.frrk8s.serviceAccount.create }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "frrk8s.serviceAccountName" . }} + labels: + {{- include "frrk8s.labels" . | nindent 4 }} + app.kubernetes.io/component: controller + {{- with .Values.frrk8s.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} + diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/service-monitor.yaml b/charts/metallb/metallb/charts/frr-k8s/templates/service-monitor.yaml new file mode 100644 index 000000000..c6f91304e --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/service-monitor.yaml 
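Review bot: The namespaced Role grants `get`, `list`, `watch` and `update` on every Secret in `.Release.Namespace`; the only secret this chart creates is `frr-k8s-webhook-server-cert` (webhooks.yaml), so if the certificate rotator is the sole consumer, `get`/`update` can be pinned in a separate rule with `resourceNames: ["frr-k8s-webhook-server-cert"]`, leaving the unrestricted rule only for `list`/`watch`, which Kubernetes does not filter by resourceNames. The `validatingwebhookconfigurations` update rule is already narrowed with `resourceNames: ["frr-k8s-validating-webhook-configuration"]`, which must stay in sync with the hard-coded `metadata.name` in webhooks.yaml; a comment such as `# must match the ValidatingWebhookConfiguration name in webhooks.yaml` next to that rule makes the coupling visible. The `tokenreviews`/`subjectaccessreviews` create verbs look unrelated to FRR and are presumably there for the kube-rbac-proxy sidecars, which run under the same service account; a one-line comment saying so would stop a later cleanup from removing them.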
@@ -0,0 +1,128 @@ +{{- if .Values.prometheus.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "frrk8s.labels" . | nindent 4 }} + app.kubernetes.io/component: frr-k8s + {{- if .Values.prometheus.serviceMonitor.additionalLabels }} +{{ toYaml .Values.prometheus.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.annotations }} + annotations: +{{ toYaml .Values.prometheus.serviceMonitor.annotations | indent 4 }} + {{- end }} +spec: + endpoints: + - port: "metricshttps" + honorLabels: true + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }} + {{- end -}} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.interval }} + interval: {{ .Values.prometheus.serviceMonitor.interval }} + {{- end -}} +{{ if .Values.prometheus.secureMetricsPort }} + bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token" + scheme: "https" +{{- if .Values.prometheus.serviceMonitor.tlsConfig }} + tlsConfig: +{{ toYaml .Values.prometheus.serviceMonitor.tlsConfig | indent 8 }} +{{- end }} +{{ end }} +{{ if .Values.frrk8s.frr.secureMetricsPort }} + - port: "frrmetricshttps" + honorLabels: true + {{- if .Values.prometheus.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.serviceMonitor.metricRelabelings | nindent 8 }} + {{- end -}} + {{- if .Values.prometheus.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.serviceMonitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.serviceMonitor.interval }} + interval: {{ 
.Values.prometheus.serviceMonitor.interval }} + {{- end }} + bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token" + scheme: "https" +{{- if .Values.prometheus.serviceMonitor.tlsConfig }} + tlsConfig: +{{ toYaml .Values.prometheus.serviceMonitor.tlsConfig | indent 8 }} +{{- end }} +{{- end }} + jobLabel: {{ .Values.prometheus.serviceMonitor.jobLabel | quote }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + prometheus.io/scrape: "true" + {{- if .Values.prometheus.serviceMonitor.annotations }} +{{ toYaml .Values.prometheus.serviceMonitor.annotations | indent 4 }} + {{- end }} + labels: + name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service + name: {{ template "frrk8s.fullname" . }}-frr-k8s-monitor-service + namespace: {{ .Release.Namespace | quote }} +spec: + selector: + {{- include "frrk8s.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: frr-k8s + clusterIP: None + ports: + - name: "metricshttps" + port: {{ .Values.prometheus.secureMetricsPort }} + targetPort: {{ .Values.prometheus.secureMetricsPort }} + - name: frrmetricshttps + port: {{ .Values.frrk8s.frr.secureMetricsPort }} + targetPort: {{ .Values.frrk8s.frr.secureMetricsPort }} + sessionAffinity: None + type: ClusterIP +--- +{{- if .Values.prometheus.rbacPrometheus }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "frrk8s.fullname" . }}-prometheus + namespace: {{ .Release.Namespace | quote }} +rules: + - apiGroups: + - "" + resources: + - pods + - services + - endpoints + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "frrk8s.fullname" . 
}}-prometheus + namespace: {{ .Release.Namespace | quote }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "frrk8s.fullname" . }}-prometheus +subjects: + - kind: ServiceAccount + name: {{ required ".Values.prometheus.serviceAccount must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.serviceAccount }} + namespace: {{ required ".Values.prometheus.namespace must be defined when .Values.prometheus.serviceMonitor.enabled == true" .Values.prometheus.namespace }} +{{- end }} +{{- end }} diff --git a/charts/metallb/metallb/charts/frr-k8s/templates/webhooks.yaml b/charts/metallb/metallb/charts/frr-k8s/templates/webhooks.yaml new file mode 100644 index 000000000..3fa055bbb --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/templates/webhooks.yaml 
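Review bot: The Service unconditionally renders the `frrmetricshttps` port from `.Values.frrk8s.frr.secureMetricsPort`, while the matching ServiceMonitor endpoint is wrapped in `{{ if .Values.frrk8s.frr.secureMetricsPort }}`; with that value unset the Service gets an empty `port:`/`targetPort:` and fails to apply, so the port entry should sit under the same conditional (the `metricshttps` port has the same asymmetry with `.Values.prometheus.secureMetricsPort`). The endpoints set `scheme: "https"` with `bearerTokenFile` but `tlsConfig` only when `serviceMonitor.tlsConfig` is provided; presumably Prometheus then cannot verify the kube-rbac-proxy certificate unless `prometheus.metricsTLSSecret` holds a cert it trusts, and that expectation deserves a comment on the `tlsConfig` block or in values. The `prometheus.io/scrape: "true"` annotation on the Service advertises https-only, token-authenticated ports to annotation-based scrapers that default to plain http, so either drop it or add the matching scheme annotation.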
@@ -0,0 +1,156 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "frrk8s.fullname" . }}-webhook-server + labels: + {{- include "frrk8s.labels" . | nindent 4 }} + app.kubernetes.io/component: frr-k8s-webhook-server + {{- range $key, $value := .Values.frrk8s.labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + selector: + matchLabels: + app.kubernetes.io/component: frr-k8s-webhook-server + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: frr-k8s-webhook-server + labels: + app.kubernetes.io/component: frr-k8s-webhook-server + spec: + {{- if .Values.frrk8s.runtimeClassName }} + runtimeClassName: {{ .Values.frrk8s.runtimeClassName }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - command: + - /frr-k8s + args: + {{- with .Values.frrk8s.logLevel }} + - --log-level={{ . }} + {{- end }} + - "--webhook-mode=onlywebhook" + {{- if .Values.frrk8s.disableCertRotation }} + - "--disable-cert-rotation=true" + {{- end }} + {{- if .Values.frrk8s.restartOnRotatorSecretRefresh }} + - "--restart-on-rotator-secret-refresh=true" + {{- end }} + - "--namespace=$(NAMESPACE)" + - --health-probe-bind-address=:8081 + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ .Values.frrk8s.image.repository }}:{{ .Values.frrk8s.image.tag | default .Chart.AppVersion }} + {{- if .Values.frrk8s.image.pullPolicy }} + imagePullPolicy: {{ .Values.frrk8s.image.pullPolicy }} + {{- end }} + name: frr-k8s-webhook-server + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + {{- if .Values.frrk8s.livenessProbe.enabled }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: {{ .Values.frrk8s.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.frrk8s.livenessProbe.periodSeconds }} + failureThreshold: {{ 
.Values.frrk8s.livenessProbe.failureThreshold }} + {{- end }} + {{- if .Values.frrk8s.readinessProbe.enabled }} + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: {{ .Values.frrk8s.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.frrk8s.readinessProbe.periodSeconds }} + failureThreshold: {{ .Values.frrk8s.readinessProbe.failureThreshold }} + {{- end }} + {{- with .Values.frrk8s.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + volumeMounts: + - name: cert + mountPath: /tmp/k8s-webhook-server/serving-certs + readOnly: true + {{- with .Values.frrk8s.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.frrk8s.tolerateMaster .Values.frrk8s.tolerations }} + tolerations: + {{- if .Values.frrk8s.tolerateMaster }} + - key: node-role.kubernetes.io/master + effect: NoSchedule + operator: Exists + - key: node-role.kubernetes.io/control-plane + effect: NoSchedule + operator: Exists + {{- end }} + {{- with .Values.frrk8s.tolerations }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + {{- with .Values.frrk8s.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: frr-k8s-webhook-server-cert + serviceAccountName: {{ template "frrk8s.serviceAccountName" . 
}} + terminationGracePeriodSeconds: 10 +--- +apiVersion: v1 +kind: Secret +metadata: + name: frr-k8s-webhook-server-cert +--- +apiVersion: v1 +kind: Service +metadata: + name: frr-k8s-webhook-service +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app.kubernetes.io/component: frr-k8s-webhook-server +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: frr-k8s-validating-webhook-configuration +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: frr-k8s-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-frrk8s-metallb-io-v1beta1-frrconfiguration + failurePolicy: {{ .Values.crds.validationFailurePolicy }} + name: frrconfigurationsvalidationwebhook.metallb.io + rules: + - apiGroups: + - frrk8s.metallb.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - frrconfigurations + sideEffects: None diff --git a/charts/metallb/metallb/charts/frr-k8s/values.schema.json b/charts/metallb/metallb/charts/frr-k8s/values.schema.json new file mode 100644 index 000000000..cb7b914c7 --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/values.schema.json 
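Review bot: The Deployment's `selector.matchLabels` and the webhook Service's `selector` match only `app.kubernetes.io/component: frr-k8s-webhook-server`, without the `frrk8s.selectorLabels` used elsewhere in the chart, so two releases in one namespace would select each other's pods; include `{{- include "frrk8s.selectorLabels" . | nindent 6 }}` in both selectors and in the pod template labels. The Secret, Service and ValidatingWebhookConfiguration names (`frr-k8s-webhook-server-cert`, `frr-k8s-webhook-service`, `frr-k8s-validating-webhook-configuration`) are hard-coded while the Deployment is named from `frrk8s.fullname`, and the ClusterRole in rbac.yaml pins the same webhook-configuration name in `resourceNames`, so this is probably deliberate; a comment at the top of the file stating that these names are fixed and cross-referenced from rbac.yaml would prevent a partial rename. The webhook pod sets `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false` and drops ALL capabilities but not `runAsNonRoot: true`; if the image runs as an unprivileged user, adding it to the container securityContext documents and enforces that.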
@@ -0,0 +1,387 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "title": "Values", + "type": "object", + "definitions": { + "prometheusAlert": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "labels": { + "type": "object", + "additionalProperties": { + "type": "string" + } + } + }, + "required": [ + "enabled" + ] + }, + "probe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "failureThreshold", + "initialDelaySeconds", + "periodSeconds", + "successThreshold", + "timeoutSeconds" + ] + }, + "component": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "logLevel": { + "type": "string", + "enum": [ + "all", + "debug", + "info", + "warn", + "error", + "none" + ] + }, + "image": { + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "null" + } + ] + }, + "pullPolicy": { + "anyOf": [ + { + "type": "null" + }, + { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + ] + } + } + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "annotations": { + "type": "object" + } + } + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "type": "object" + }, + "tolerations": { + "type": "array", + "items": { + "type": "object" + } + }, + "priorityClassName": { + "type": "string" + }, + "runtimeClassName": { + "type": "string" + }, + "affinity": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "livenessProbe": { + "$ref": "#/definitions/probe" + }, + "readinessProbe": 
{ + "$ref": "#/definitions/probe" + } + }, + "required": [ + "image", + "serviceAccount" + ] + } + }, + "properties": { + "imagePullSecrets": { + "description": "Secrets used for pulling images", + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string" + } + }, + "required": [ + "name" + ], + "additionalProperties": false + } + }, + "nameOverride": { + "description": "Override chart name", + "type": "string" + }, + "fullNameOverride": { + "description": "Override fully qualified app name", + "type": "string" + }, + "rbac": { + "description": "RBAC configuration", + "type": "object", + "properties": { + "create": { + "description": "Enable RBAC", + "type": "boolean" + } + } + }, + "prometheus": { + "description": "Prometheus monitoring config", + "type": "object", + "properties": { + "scrapeAnnotations": { + "type": "boolean" + }, + "metricsPort": { + "type": "integer" + }, + "secureMetricsPort": { + "type": "integer" + }, + "rbacPrometheus": { + "type": "boolean" + }, + "serviceAccount": { + "type": "string" + }, + "namespace": { + "type": "string" + }, + "rbacProxy": { + "description": "kube-rbac-proxy configuration", + "type": "object", + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "serviceMonitor": { + "description": "Prometheus Operator ServiceMonitors", + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "jobLabel": { + "type": "string" + }, + "interval": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "metricRelabelings": { + "type": "array", + "items": { + "type": "object" + } + }, + "relabelings": { + "type": "array", + "items": { + "type": "object" + } + } + } + } + }, + "frrk8s": { + "allOf": [ + { + "$ref": "#/definitions/component" + }, + { + "description": "FRR-K8s controller", + "type": "object", + "properties": { + "tolerateMaster": { + "type": "boolean" + }, + "updateStrategy": { + "type": 
"object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ + "type" + ] + }, + "runtimeClassName": { + "type": "string" + }, + "secretName": { + "type": "string" + }, + "frr": { + "description": "The FRR properties in the controller", + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/component/properties/image" + }, + "metricsPort": { + "type": "integer" + }, + "secureMetricsPort": { + "type": "integer" + }, + "resources:": { + "type": "object" + } + }, + "required": [ + "enabled" + ] + }, + "command": { + "type": "string" + }, + "reloader": { + "type": "object", + "properties": { + "resources": { + "type": "object" + } + } + }, + "frrMetrics": { + "type": "object", + "properties": { + "resources": { + "type": "object" + } + } + } + }, + "required": [ + "tolerateMaster" + ] + } + ] + }, + "crds": { + "description": "CRD configuration", + "type": "object", + "properties": { + "enabled": { + "description": "Enable CRDs", + "type": "boolean" + }, + "validationFailurePolicy": { + "description": "Failure policy to use with validating webhooks", + "type": "string", + "enum": [ + "Ignore", + "Fail" + ] + } + } + } + }, + "frrk8s": { + "allOf": [ + { + "$ref": "#/definitions/component" + }, + { + "description": "FRRk8s Controller", + "type": "object", + "properties": { + "strategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ + "type" + ] + }, + "command": { + "type": "string" + }, + "webhookMode": { + "type": "string" + } + } + } + ] + } + }, + "required": [ + "frrk8s" + ] +} \ No newline at end of file diff --git a/charts/metallb/metallb/charts/frr-k8s/values.yaml b/charts/metallb/metallb/charts/frr-k8s/values.yaml new file mode 100644 index 000000000..5addc75f8 --- /dev/null +++ b/charts/metallb/metallb/charts/frr-k8s/values.yaml 
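Review bot: `properties` declares the `frrk8s` key twice — first with the `tolerateMaster`/`updateStrategy`/`frr` block and again after `crds` with the `strategy`/`command`/`webhookMode` block that mirrors the MetalLB controller schema — and because JSON parsers keep the last duplicate, the first, frr-k8s-specific block is silently discarded and none of its validation is applied. Removing the second block is the fix, but it uncovers two errors the duplicate currently masks: the key `"resources:"` under `frr` carries a stray colon, and `frr` lists `"required": ["enabled"]` although the chart's `values.yaml` defines no `frrk8s.frr.enabled`, so the default values would then fail validation. `fullNameOverride` here also differs in case from `fullnameOverride` in `values.yaml`, so that value is never checked.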
@@ -0,0 +1,173 @@ +# Default values for frr-k8s. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +nameOverride: "" +fullnameOverride: "" + +rbac: + # create specifies whether to install and use RBAC rules. + create: true + +prometheus: + # scrape annotations specifies whether to add Prometheus metric + # auto-collection annotations to pods. See + # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml + # for a corresponding Prometheus configuration. Alternatively, you + # may want to use the Prometheus Operator + # (https://github.com/coreos/prometheus-operator) for more powerful + # monitoring configuration. If you use the Prometheus operator, this + # can be left at false. + scrapeAnnotations: false + + # bind addr frr-k8s will use for metrics + metricsBindAddress: 127.0.0.1 + + # port frr-k8s will listen on for metrics + metricsPort: 7572 + + # if set, enables rbac proxy on frr-k8s to expose + # the metrics via tls. + secureMetricsPort: 9140 + + # the name of the secret to be mounted in the frr-k8s pod + # to expose the metrics securely. If not present, a self signed + # certificate to be used. + metricsTLSSecret: "" + + # prometheus doens't have the permission to scrape all namespaces so we give it permission to scrape metallb's one + rbacPrometheus: false + + # the service account used by prometheus + # required when " .Values.prometheus.rbacPrometheus == true " and " prometheus.serviceMonitor.enabled=true " + serviceAccount: "" + + # the namespace where prometheus is deployed + # required when " .Values.prometheus.rbacPrometheus == true " and " prometheus.serviceMonitor.enabled=true " + namespace: "" + + # the image to be used for the kuberbacproxy container + rbacProxy: + repository: gcr.io/kubebuilder/kube-rbac-proxy + tag: v0.12.0 + pullPolicy: + + # Prometheus Operator ServiceMonitors. 
+ serviceMonitor: + # enable support for Prometheus Operator + enabled: false + + additionalLabels: {} + # optional additional annotations for the controller serviceMonitor + annotations: {} + # optional tls configuration for the controller serviceMonitor, in case + # secure metrics are enabled. + tlsConfig: + insecureSkipVerify: true + + # Job label for scrape target + jobLabel: "app.kubernetes.io/name" + + # Scrape interval. If not set, the Prometheus default scrape interval is used. + interval: + + # metric relabel configs to apply to samples before ingestion. + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + # relabel configs to apply to samples before ingestion. + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # target_label: nodename + # replacement: $1 + # action: replace + +# controller contains configuration specific to the FRRK8s controller +# daemonset. +frrk8s: + # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none` + logLevel: info + tolerateMaster: true + image: + repository: quay.io/metallb/frr-k8s + tag: + pullPolicy: + ## @param controller.updateStrategy.type FRR-K8s controller daemonset strategy type + ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/ + ## + updateStrategy: + ## StrategyType + ## Can be set to RollingUpdate or OnDelete + ## + type: RollingUpdate + serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. 
If not set and create is + # true, a name is generated using the fullname template + name: "" + annotations: {} + ## Defines a secret name for the controller to generate a memberlist encryption secret + ## By default secretName: {{ "metallb.fullname" }}-memberlist + ## + # secretName: + resources: {} + # limits: + # cpu: 100m + # memory: 100Mi + nodeSelector: {} + tolerations: [] + priorityClassName: "" + affinity: {} + ## Selects which runtime class will be used by the pod. + runtimeClassName: "" + podAnnotations: {} + labels: + app: frr-k8s + healthPort: 8081 + livenessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + enabled: true + failureThreshold: 3 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + startupProbe: + enabled: true + failureThreshold: 30 + periodSeconds: 5 + ## A comma separated list of cidrs we want always to block for incoming routes + alwaysBlock: "" + ## Specifies whether the cert rotator works as part of the webhook. + disableCertRotation: false + ## Specifies whether the pod restarts when the rotator refreshes the cert secret. + ## Enabling this proved useful for the webhook's stability when it is redeployed multiple times in succession. + restartOnRotatorSecretRefresh: false + # frr contains configuration specific to the FRR container, + frr: + image: + repository: quay.io/frrouting/frr + tag: 8.4.2 + pullPolicy: + metricsBindAddress: 127.0.0.1 + metricsPort: 7573 + resources: {} + secureMetricsPort: 9141 + reloader: + resources: {} + frrMetrics: + resources: {} +crds: + enabled: true + validationFailurePolicy: Fail diff --git a/charts/metallb/metallb/policy/controller.rego b/charts/metallb/metallb/policy/controller.rego index 716eeb7a4..b7a0ea1a0 100644 --- a/charts/metallb/metallb/policy/controller.rego +++ b/charts/metallb/metallb/policy/controller.rego 
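Review bot: `prometheus.serviceMonitor.tlsConfig.insecureSkipVerify` defaults to `true`, so when `secureMetricsPort` is in use the scraper accepts any serving certificate from the kube-rbac-proxy and the TLS on the metrics endpoint no longer authenticates the target. Consider defaulting it to `false`, or at least stating the trade-off next to the key, e.g. `# set to false and supply a CA/serverName to verify the kube-rbac-proxy certificate`. The `secretName` comment about a memberlist encryption secret appears to be carried over from the MetalLB chart and does not describe anything this chart renders, and `doens't` in the `rbacPrometheus` comment is a typo.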
@@ -4,7 +4,7 @@ package main deny[msg] { input.kind == "Deployment" serviceAccountName := input.spec.template.spec.serviceAccountName - not serviceAccountName == "RELEASE-NAME-metallb-controller" + not serviceAccountName == "release-name-metallb-controller" msg = sprintf("controller serviceAccountName '%s' does not match expected value", [serviceAccountName]) } diff --git a/charts/metallb/metallb/policy/speaker.rego b/charts/metallb/metallb/policy/speaker.rego index d4d8137f1..146a0373c 100644 --- a/charts/metallb/metallb/policy/speaker.rego +++ b/charts/metallb/metallb/policy/speaker.rego @@ -4,7 +4,7 @@ package main deny[msg] { input.kind == "DaemonSet" serviceAccountName := input.spec.template.spec.serviceAccountName - not serviceAccountName == "RELEASE-NAME-metallb-speaker" + not serviceAccountName == "release-name-metallb-speaker" msg = sprintf("speaker serviceAccountName '%s' does not match expected value", [serviceAccountName]) } diff --git a/charts/metallb/metallb/templates/controller.yaml b/charts/metallb/metallb/templates/controller.yaml index 2b522d1b2..bb79aeb64 100644 --- a/charts/metallb/metallb/templates/controller.yaml +++ b/charts/metallb/metallb/templates/controller.yaml @@ -72,6 +72,12 @@ spec: {{- if .Values.controller.webhookMode }} - --webhook-mode={{ .Values.controller.webhookMode }} {{- end }} + {{- if .Values.controller.tlsMinVersion }} + - --tls-min-version={{ .Values.controller.tlsMinVersion }} + {{- end }} + {{- if .Values.controller.tlsCipherSuites }} + - --tls-cipher-suites={{ .Values.controller.tlsCipherSuites }} + {{- end }} env: {{- if and .Values.speaker.enabled .Values.speaker.memberlist.enabled }} - name: METALLB_ML_SECRET_NAME @@ -83,6 +89,10 @@ spec: - name: METALLB_BGP_TYPE value: frr {{- end }} + {{- if .Values.frrk8s.enabled }} + - name: METALLB_BGP_TYPE + value: frr-k8s + {{- end }} ports: - name: monitoring containerPort: {{ .Values.prometheus.metricsPort }} 
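Review bot: In the `@@ -83,6 +89,10 @@` hunk of `controller.yaml` the new `METALLB_BGP_TYPE=frr-k8s` entry is emitted next to the existing `frr` entry whenever both `speaker.frr.enabled` and `frrk8s.enabled` are set, which yields a duplicate env name in the container spec; the `fail` that rejects that combination lives in `speaker.yaml`, so this template is only correct as long as the speaker template is rendered in the same release, which may not hold if the speaker is skipped. A self-contained guard such as `{{- if and .Values.frrk8s.enabled (not .Values.speaker.frr.enabled) }}`, or a shared named helper that performs the mutual-exclusion check from both templates, would keep the controller correct on its own. The same pattern recurs in the `@@ -260,6 +278,10 @@` hunk of `speaker.yaml`. The enclosing container block starts and ends outside both hunks.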
@@ -153,6 +163,9 @@ spec: readOnly: true {{- end }} {{ end }} + {{- if .Values.controller.extraContainers }} + {{- toYaml .Values.controller.extraContainers | nindent 6 }} + {{- end }} nodeSelector: "kubernetes.io/os": linux {{- with .Values.controller.nodeSelector }} diff --git a/charts/metallb/metallb/templates/rbac.yaml b/charts/metallb/metallb/templates/rbac.yaml index ed6b8260c..5a7d53e03 100644 --- a/charts/metallb/metallb/templates/rbac.yaml +++ b/charts/metallb/metallb/templates/rbac.yaml @@ -104,6 +104,11 @@ rules: - apiGroups: ["metallb.io"] resources: ["communities"] verbs: ["get", "list", "watch"] +{{- if .Values.frrk8s.enabled }} +- apiGroups: ["frrk8s.metallb.io"] + resources: ["frrconfigurations"] + verbs: ["get", "list", "watch","create","update"] +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/charts/metallb/metallb/templates/speaker.yaml b/charts/metallb/metallb/templates/speaker.yaml index 1a4c7b2aa..635aa0a80 100644 --- a/charts/metallb/metallb/templates/speaker.yaml +++ b/charts/metallb/metallb/templates/speaker.yaml @@ -1,4 +1,10 @@ {{- if .Values.speaker.frr.enabled }} +{{- if .Values.frrk8s.enabled }} +{{- fail "speaker.frr.enabled and frrk8s.enabled are mutually exclusive!" }} +{{- end }} +{{- end }} +{{- if .Values.speaker.frr.enabled }} + # FRR expects to have these files owned by frr:frr on startup. # Having them in a ConfigMap allows us to modify behaviors: for example enabling more daemons on startup. apiVersion: v1 @@ -154,6 +160,10 @@ spec: serviceAccountName: {{ template "metallb.speaker.serviceAccountName" . }} terminationGracePeriodSeconds: 0 hostNetwork: true + {{- if .Values.speaker.securityContext }} + securityContext: + {{- toYaml .Values.speaker.securityContext | nindent 8 }} + {{- end }} volumes: {{- if .Values.speaker.memberlist.enabled }} - name: memberlist 
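Review bot: The new rule in `rbac.yaml` grants `create` and `update` on `frrconfigurations` but not `delete`, so the subject this role binds to (the role header is outside the hunk) cannot remove an FRRConfiguration it created; if cleanup is owned by the frr-k8s side that is fine, otherwise stale objects remain, which is worth confirming against the controller code. The verb list is also formatted `"watch","create","update"` while the neighbouring rules use `"get", "list", "watch"`; `verbs: ["get", "list", "watch", "create", "update"]` keeps the style consistent.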
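Review bot: The mutual-exclusion check at the top of `speaker.yaml` nests two `if` actions and then immediately reopens `{{- if .Values.speaker.frr.enabled }}` after closing them; `{{- if and .Values.speaker.frr.enabled .Values.frrk8s.enabled }}` followed by the `fail` and a single `{{- end }}` expresses the same rule in one block, after which the original `if` continues unchanged. Because the check only runs while this template renders, the `frrk8s.enabled` branch in `controller.yaml` is not protected if the speaker template is ever skipped; moving the check into a named helper invoked from both templates would close that gap.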
@@ -231,6 +241,9 @@ spec: {{- if .Values.loadBalancerClass }} - --lb-class={{ .Values.loadBalancerClass }} {{- end }} + {{- if .Values.speaker.wanConfig }} + - --ml-wan-config + {{- end }} env: - name: METALLB_NODE_NAME valueFrom: @@ -241,10 +254,15 @@ spec: fieldRef: fieldPath: status.hostIP {{- if .Values.speaker.memberlist.enabled }} + {{- if .Values.speaker.memberlist.mlBindAddrOverride }} + - name: METALLB_ML_BIND_ADDR + value: "{{ .Values.speaker.memberlist.mlBindAddrOverride }}" + {{ else }} - name: METALLB_ML_BIND_ADDR valueFrom: fieldRef: fieldPath: status.podIP + {{ end }} - name: METALLB_ML_LABELS value: "app.kubernetes.io/name={{ include "metallb.name" . }},app.kubernetes.io/component=speaker" - name: METALLB_ML_BIND_PORT @@ -260,6 +278,10 @@ spec: - name: METALLB_BGP_TYPE value: frr {{- end }} + {{- if .Values.frrk8s.enabled }} + - name: METALLB_BGP_TYPE + value: frr-k8s + {{- end }} ports: - name: monitoring containerPort: {{ .Values.prometheus.metricsPort }} @@ -448,6 +470,7 @@ spec: readOnly: true {{- end }} {{ end }} + {{- if .Values.speaker.frr.enabled }} {{- if .Values.speaker.frr.secureMetricsPort }} - name: kube-rbac-proxy-frr image: {{ .Values.prometheus.rbacProxy.repository }}:{{ .Values.prometheus.rbacProxy.tag | default .Chart.AppVersion }} @@ -463,7 +486,7 @@ spec: {{- end }} ports: - containerPort: {{ .Values.speaker.frr.secureMetricsPort }} - name: metricshttps + name: frrmetricshttps env: - name: METALLB_HOST valueFrom: @@ -481,6 +504,10 @@ spec: readOnly: true {{- end }} {{ end }} + {{- end }} + {{- if .Values.speaker.extraContainers }} + {{- toYaml .Values.speaker.extraContainers | nindent 6 }} + {{- end }} nodeSelector: "kubernetes.io/os": linux {{- with .Values.speaker.nodeSelector }} diff --git a/charts/metallb/metallb/templates/webhooks.yaml b/charts/metallb/metallb/templates/webhooks.yaml index 3b587a424..8eb0756e6 100644 --- a/charts/metallb/metallb/templates/webhooks.yaml +++ b/charts/metallb/metallb/templates/webhooks.yaml 
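Review bot: In the `@@ -241,10 +254,15 @@` hunk the new `{{ else }}` and `{{ end }}` lack the `-` whitespace trim that every other action in this file uses (`{{- if`, `{{- end }}`), so the rendered env list gains blank, indented lines between entries; `{{- else }}` and `{{- end }}` keep the output clean. `mlBindAddrOverride` is a user-supplied string written inside literal double quotes, which works for an address but breaks on any embedded quote; `value: {{ .Values.speaker.memberlist.mlBindAddrOverride | quote }}` handles that uniformly and matches how `priorityClassName` is rendered elsewhere in the chart.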
@@ -5,26 +5,6 @@ metadata: labels: {{- include "metallb.labels" . | nindent 4 }} webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: metallb-webhook-service - namespace: {{ .Release.Namespace }} - path: /validate-metallb-io-v1beta1-addresspool - failurePolicy: {{ .Values.crds.validationFailurePolicy }} - name: addresspoolvalidationwebhook.metallb.io - rules: - - apiGroups: - - metallb.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - addresspools - sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/charts/metallb/metallb/values.schema.json b/charts/metallb/metallb/values.schema.json index 5a92e56a7..b6373532f 100644 --- a/charts/metallb/metallb/values.schema.json +++ b/charts/metallb/metallb/values.schema.json @@ -299,6 +299,37 @@ }, "required": [ "podMonitor", "prometheusRule" ] }, + "controller": { + "allOf": [ + { "$ref": "#/definitions/component" }, + { "description": "MetalLB Controller", + "type": "object", + "properties": { + "strategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + }, + "required": [ "type" ] + }, + "command" : { + "type": "string" + }, + "webhookMode" : { + "type": "string" + }, + "extraContainers": { + "type": "array", + "items": { + "type": "object" + } + } + } + } + ] + }, "speaker": { "allOf": [ { "$ref": "#/definitions/component" }, @@ -317,6 +348,9 @@ "mlBindPort": { "type": "integer" }, + "mlBindAddrOverride": { + "type": "string" + }, "mlSecretKeyPath": { "type": "string" } @@ -342,6 +376,9 @@ "runtimeClassName": { "type": "string" }, + "securityContext": { + "type": "object" + }, "secretName": { "type": "string" }, @@ -373,6 +410,12 @@ "properties": { "resources": { "type": "object" } } + }, + "extraContainers": { + "type": "array", + "items": { + "type": "object" + } } }, "required": [ "tolerateMaster" ] 
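Review bot: The relocated `controller` block in `values.schema.json` declares `strategy`, `command`, `webhookMode` and the new `extraContainers`, but not `tlsMinVersion` or `tlsCipherSuites`, which the same commit adds to `controller` in `values.yaml` and reads in `controller.yaml`; whether that merely leaves them unvalidated or actually rejects them depends on whether `definitions/component` sets `additionalProperties: false`, which is outside the hunk. Adding `"tlsMinVersion": { "type": "string" }` and `"tlsCipherSuites": { "type": "string" }` next to `webhookMode` keeps the schema in step with the values, and an `enum` listing the accepted version names on `tlsMinVersion` would catch typos before they reach the flag parser.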
@@ -395,31 +438,6 @@ } } }, - "controller": { - "allOf": [ - { "$ref": "#/definitions/component" }, - { "description": "MetalLB Controller", - "type": "object", - "properties": { - "strategy": { - "type": "object", - "properties": { - "type": { - "type": "string" - } - }, - "required": [ "type" ] - }, - "command" : { - "type": "string" - }, - "webhookMode" : { - "type": "string" - } - } - } - ] - }, "required": [ "controller", "speaker" diff --git a/charts/metallb/metallb/values.yaml b/charts/metallb/metallb/values.yaml index be8cf112e..50c53cd4d 100644 --- a/charts/metallb/metallb/values.yaml +++ b/charts/metallb/metallb/values.yaml @@ -248,6 +248,10 @@ controller: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + tlsMinVersion: "VersionTLS12" + tlsCipherSuites: "" + + extraContainers: [] # speaker contains configuration specific to the MetalLB speaker # daemonset. @@ -260,6 +264,7 @@ speaker: memberlist: enabled: true mlBindPort: 7946 + mlBindAddrOverride: "" mlSecretKeyPath: "/etc/ml_secret_key" excludeInterfaces: enabled: true @@ -282,6 +287,7 @@ speaker: # true, a name is generated using the fullname template name: "" annotations: {} + securityContext: {} ## Defines a secret name for the controller to generate a memberlist encryption secret ## By default secretName: {{ "metallb.fullname" }}-memberlist ## @@ -331,12 +337,24 @@ speaker: # expose the frr metrics via tls. # secureMetricsPort: 9121 + reloader: resources: {} frrMetrics: resources: {} + extraContainers: [] + crds: enabled: true validationFailurePolicy: Fail + +# frrk8s contains the configuration related to using an frrk8s instance +# (github.com/metallb/frr-k8s) as the backend for the BGP implementation. +# This allows configuring additional frr parameters in combination to those +# applied by MetalLB. +frrk8s: + # if set, enables frrk8s as a backend. This is mutually exclusive to frr + # mode. + enabled: false 
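Review bot: In the `@@ -248,6 +248,10 @@` hunk of `values.yaml`, `tlsMinVersion` and `tlsCipherSuites` are added without a comment, unlike the surrounding keys, so readers cannot tell what the values are passed to or that an empty `tlsCipherSuites` keeps the binary's defaults (the template in `controller.yaml` skips the flag when the string is empty). A short comment such as `# minimum TLS version for the webhook server, passed verbatim as --tls-min-version` and `# cipher suite list passed verbatim as --tls-cipher-suites; empty keeps the built-in defaults` would document this. The new `frrk8s:` block in the last hunk is well commented and consistent with the mutual-exclusion guard added in `speaker.yaml`.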
diff --git a/charts/minio/minio-operator/Chart.yaml b/charts/minio/minio-operator/Chart.yaml index 07ba40b55..3c5cfc2a1 100644 --- a/charts/minio/minio-operator/Chart.yaml +++ b/charts/minio/minio-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.19-0' catalog.cattle.io/release-name: minio-operator apiVersion: v2 -appVersion: v5.0.11 +appVersion: v5.0.12 description: A Helm chart for MinIO Operator home: https://min.io icon: https://min.io/resources/img/logo/MINIO_wordmark.png @@ -19,4 +19,4 @@ name: minio-operator sources: - https://github.com/minio/operator type: application -version: 5.0.11 +version: 5.0.12 diff --git a/charts/minio/minio-operator/Chart.yaml-e b/charts/minio/minio-operator/Chart.yaml-e index 1d5dc01f7..34504bb4e 100644 --- a/charts/minio/minio-operator/Chart.yaml-e +++ b/charts/minio/minio-operator/Chart.yaml-e @@ -1,8 +1,8 @@ apiVersion: v2 description: A Helm chart for MinIO Operator name: operator -version: 5.0.11 -appVersion: v5.0.11 +version: 5.0.12 +appVersion: v5.0.12 keywords: - storage - object-storage diff --git a/charts/minio/minio-operator/templates/NOTES.txt b/charts/minio/minio-operator/templates/NOTES.txt index 47b9aea9e..9766c6dcb 100644 --- a/charts/minio/minio-operator/templates/NOTES.txt +++ b/charts/minio/minio-operator/templates/NOTES.txt @@ -9,7 +9,7 @@ metadata: kubernetes.io/service-account.name: console-sa type: kubernetes.io/service-account-token EOF -kubectl -n minio-operator get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode +kubectl -n {{ .Release.Namespace }} get secret console-sa-secret -o jsonpath="{.data.token}" | base64 --decode 2. Get the Operator Console URL by running these commands: kubectl --namespace {{ .Release.Namespace }} port-forward svc/console 9090:9090 diff --git a/charts/minio/minio-operator/templates/job.min.io_jobs.yaml b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml new file mode 100644 index 000000000..412d453bb 
--- /dev/null +++ b/charts/minio/minio-operator/templates/job.min.io_jobs.yaml @@ -0,0 +1,112 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.1 + creationTimestamp: null + name: miniojobs.job.min.io +spec: + group: job.min.io + names: + kind: MinIOJob + listKind: MinIOJobList + plural: miniojobs + shortNames: + - miniojob + singular: miniojob + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.tenant.name + name: Tenant + type: string + - jsonPath: .spec.status.phase + name: Phase + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + commands: + items: + properties: + args: + additionalProperties: + type: string + type: object + dependsOn: + items: + type: string + type: array + name: + type: string + op: + type: string + required: + - op + type: object + type: array + execution: + default: parallel + enum: + - parallel + - sequential + type: string + failureStrategy: + default: continueOnFailure + enum: + - continueOnFailure + - stopOnFailure + type: string + serviceAccountName: + type: string + tenant: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + required: + - commands + - serviceAccountName + - tenant + type: object + status: + properties: + commands: + items: + properties: + message: + type: string + name: + type: string + result: + type: string + required: + - result + type: object + type: array + phase: + type: string + required: + - commands + - phase + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml b/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml index 24331b5b9..e3bf49be8 100644 
--- a/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml +++ b/charts/minio/minio-operator/templates/minio.min.io_tenants.yaml @@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.13.0 name: tenants.minio.min.io spec: group: minio.min.io @@ -310,18 +309,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -365,6 +352,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -553,6 +542,43 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: @@ -1107,6 +1133,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -1157,6 +1191,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: 
@@ -1715,6 +1757,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1783,6 +1835,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1849,6 +1911,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -1917,6 +1989,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -2455,6 +2537,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -2523,6 +2615,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: 
@@ -2589,6 +2691,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -2657,6 +2769,16 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic + mismatchLabelKeys: + items: + type: string + type: array + x-kubernetes-list-type: atomic namespaceSelector: properties: matchExpressions: @@ -2998,18 +3120,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3053,6 +3163,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -3107,6 +3219,17 @@ spec: - type type: object type: array + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object phase: type: string type: object @@ -3368,6 +3491,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: @@ -3418,6 +3549,14 @@ spec: required: - port type: object + sleep: + properties: + seconds: + format: int64 + type: integer + required: + - seconds + type: object tcpSocket: properties: host: 
@@ -3939,18 +4078,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -3994,6 +4121,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -4048,6 +4177,17 @@ spec: - type type: object type: array + currentVolumeAttributesClassName: + type: string + modifyVolumeStatus: + properties: + status: + type: string + targetVolumeAttributesClassName: + type: string + required: + - status + type: object phase: type: string type: object @@ -4300,18 +4440,6 @@ spec: type: object resources: properties: - claims: - items: - properties: - name: - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map limits: additionalProperties: anyOf: @@ -4355,6 +4483,8 @@ spec: x-kubernetes-map-type: atomic storageClassName: type: string + volumeAttributesClassName: + type: string volumeMode: type: string volumeName: @@ -4543,6 +4673,43 @@ spec: sources: items: properties: + clusterTrustBundle: + properties: + labelSelector: + properties: + matchExpressions: + items: + properties: + key: + type: string + operator: + type: string + values: + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + type: object + type: object + x-kubernetes-map-type: atomic + name: + type: string + optional: + type: boolean + path: + type: string + signerName: + type: string + required: + - path + type: object configMap: properties: items: diff --git a/charts/minio/minio-operator/templates/operator-serviceaccount.yaml b/charts/minio/minio-operator/templates/operator-serviceaccount.yaml index 7b6442480..8ae899da6 100644 
--- a/charts/minio/minio-operator/templates/operator-serviceaccount.yaml
+++ b/charts/minio/minio-operator/templates/operator-serviceaccount.yaml
@@ -4,3 +4,7 @@ metadata:
 name: minio-operator
 namespace: {{ .Release.Namespace }}
 labels: {{- include "minio-operator.labels" . | nindent 4 }}
+ {{- with .Values.operator.serviceAccountAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/charts/minio/minio-operator/templates/sts.min.io_policybindings.yaml b/charts/minio/minio-operator/templates/sts.min.io_policybindings.yaml
index b01576f5b..b329389ef 100644
--- a/charts/minio/minio-operator/templates/sts.min.io_policybindings.yaml
+++ b/charts/minio/minio-operator/templates/sts.min.io_policybindings.yaml
@@ -3,8 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 annotations:
- controller-gen.kubebuilder.io/version: v0.11.1
- creationTimestamp: null
+ controller-gen.kubebuilder.io/version: v0.13.0
 name: policybindings.sts.min.io
 spec:
 group: sts.min.io
diff --git a/charts/minio/minio-operator/values.yaml b/charts/minio/minio-operator/values.yaml
index 03f4850b2..fc3ac0bce 100644
--- a/charts/minio/minio-operator/values.yaml
+++ b/charts/minio/minio-operator/values.yaml
@@ -27,17 +27,19 @@ operator: env: - name: OPERATOR_STS_ENABLED value: "on" + # An array of additional annotations to be applied to the operator service account + serviceAccountAnnotations: [] ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.11 + # tag: v5.0.12 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -51,7 +53,7 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.11 + tag: v5.0.12 pullPolicy: IfNotPresent ### # @@ -169,14 +171,14 @@ console: ### # Specify the Operator Console container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.11 + # tag: v5.0.12 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -191,7 +193,7 @@ console: # The specified values should match that of ``operator.image`` to ensure predictable operations. image: repository: quay.io/minio/operator - tag: v5.0.11 + tag: v5.0.12 pullPolicy: IfNotPresent ### # An array of environment variables to pass to the Operator Console deployment. diff --git a/charts/minio/minio-operator/values.yaml-e b/charts/minio/minio-operator/values.yaml-e index 03f4850b2..fc3ac0bce 100644 --- a/charts/minio/minio-operator/values.yaml-e 
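Review bot: The new `serviceAccountAnnotations: []` default and its comment ("An array of additional annotations") disagree with how the value is consumed: the operator-serviceaccount.yaml template pipes it through `toYaml` under an `annotations:` key, so it has to be a string-to-string map, not a list. The empty list is harmless only because `with` skips the block when the value is empty; a user who follows the comment and supplies a list gets `annotations:` followed by list items, which the API server rejects. I would change the two added lines to `# A map of additional annotations to apply to the operator service account` and `serviceAccountAnnotations: {}`. The same two lines are duplicated in the values.yaml-e hunk below and need the same fix.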
+++ b/charts/minio/minio-operator/values.yaml-e @@ -27,17 +27,19 @@ operator: env: - name: OPERATOR_STS_ENABLED value: "on" + # An array of additional annotations to be applied to the operator service account + serviceAccountAnnotations: [] ### # Specify the Operator container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.11 + # tag: v5.0.12 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -51,7 +53,7 @@ operator: # image: repository: quay.io/minio/operator - tag: v5.0.11 + tag: v5.0.12 pullPolicy: IfNotPresent ### # @@ -169,14 +171,14 @@ console: ### # Specify the Operator Console container image to use for the deployment. # ``image.tag`` - # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.11 tag. + # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.12 tag. # The container pulls the image if not already present: # # .. code-block:: yaml # # image: # repository: quay.io/minio/operator - # tag: v5.0.11 + # tag: v5.0.12 # pullPolicy: IfNotPresent # # The chart also supports specifying an image based on digest value: @@ -191,7 +193,7 @@ console: # The specified values should match that of ``operator.image`` to ensure predictable operations. image: repository: quay.io/minio/operator - tag: v5.0.11 + tag: v5.0.12 pullPolicy: IfNotPresent ### # An array of environment variables to pass to the Operator Console deployment. diff --git a/charts/nats/nats/Chart.yaml b/charts/nats/nats/Chart.yaml index 51be34d73..a034eb414 100644 --- a/charts/nats/nats/Chart.yaml 
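Review bot: `values.yaml-e` should not be part of this commit; its old and new blob ids (`03f4850b2..fc3ac0bce`) are identical to those of `values.yaml`, so it is a byte-for-byte copy, and the `-e` suffix is what `sed -i -e` leaves behind as a backup on macOS/BSD. Unless `.helmignore` excludes it, the stray copy gets packaged into the chart archive and will silently drift from the real values file on the next edit. I would drop the file from the change rather than maintain two copies.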
+++ b/charts/nats/nats/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.16-0' catalog.cattle.io/release-name: nats apiVersion: v2 -appVersion: 2.10.9 +appVersion: 2.10.10 description: A Helm chart for the NATS.io High Speed Cloud Native Distributed Communications Technology. home: http://github.com/nats-io/k8s @@ -18,4 +18,4 @@ maintainers: name: The NATS Authors url: https://github.com/nats-io name: nats -version: 1.1.7 +version: 1.1.8 diff --git a/charts/nats/nats/values.yaml b/charts/nats/nats/values.yaml index 38f8d239a..ac51552f5 100644 --- a/charts/nats/nats/values.yaml +++ b/charts/nats/nats/values.yaml @@ -312,7 +312,7 @@ config: container: image: repository: nats - tag: 2.10.9-alpine + tag: 2.10.10-alpine pullPolicy: registry: @@ -378,7 +378,7 @@ promExporter: enabled: false image: repository: natsio/prometheus-nats-exporter - tag: 0.13.0 + tag: 0.14.0 pullPolicy: registry: @@ -564,7 +564,7 @@ natsBox: container: image: repository: natsio/nats-box - tag: 0.14.1 + tag: 0.14.2 pullPolicy: registry: diff --git a/charts/new-relic/nri-bundle/Chart.lock b/charts/new-relic/nri-bundle/Chart.lock index 960b2b3e2..75f0f7b1f 100644 --- a/charts/new-relic/nri-bundle/Chart.lock +++ b/charts/new-relic/nri-bundle/Chart.lock 
@@ -1,28 +1,28 @@ dependencies: - name: newrelic-infrastructure repository: https://newrelic.github.io/nri-kubernetes - version: 3.29.1 + version: 3.30.0 - name: nri-prometheus repository: https://newrelic.github.io/nri-prometheus version: 2.1.17 - name: newrelic-prometheus-agent repository: https://newrelic.github.io/newrelic-prometheus-configurator - version: 1.9.1 + version: 1.10.0 - name: nri-metadata-injection repository: https://newrelic.github.io/k8s-metadata-injection - version: 4.16.1 + version: 4.17.0 - name: newrelic-k8s-metrics-adapter repository: https://newrelic.github.io/newrelic-k8s-metrics-adapter - version: 1.8.2 + version: 1.9.0 - name: kube-state-metrics repository: https://prometheus-community.github.io/helm-charts version: 5.12.1 - name: nri-kube-events repository: https://newrelic.github.io/nri-kube-events - version: 3.7.3 + version: 3.8.0 - name: newrelic-logging repository: https://newrelic.github.io/helm-charts - version: 1.19.0 + version: 1.20.0 - name: newrelic-pixie repository: https://newrelic.github.io/helm-charts version: 2.1.2 @@ -31,6 +31,6 @@ dependencies: version: 0.1.4 - name: newrelic-infra-operator repository: https://newrelic.github.io/newrelic-infra-operator - version: 2.8.2 -digest: sha256:1ddcf0402fed4aac1b4269379376b8a8d7d4c0a87c17fd8491b1a8d87e811629 -generated: "2024-01-22T23:54:08.952326043Z" + version: 2.9.0 +digest: sha256:567eec2f33e949a44f18902897abc85b9a7ed1093d5cb89eb9de439a8961a08f +generated: "2024-02-07T13:53:22.810865497Z" diff --git a/charts/new-relic/nri-bundle/Chart.yaml b/charts/new-relic/nri-bundle/Chart.yaml index d635ef579..9a84dc00b 100644 --- a/charts/new-relic/nri-bundle/Chart.yaml +++ b/charts/new-relic/nri-bundle/Chart.yaml 
@@ -7,7 +7,7 @@ dependencies: - condition: infrastructure.enabled,newrelic-infrastructure.enabled name: newrelic-infrastructure repository: file://./charts/newrelic-infrastructure - version: 3.29.1 + version: 3.30.0 - condition: prometheus.enabled,nri-prometheus.enabled name: nri-prometheus repository: file://./charts/nri-prometheus @@ -15,15 +15,15 @@ dependencies: - condition: newrelic-prometheus-agent.enabled name: newrelic-prometheus-agent repository: file://./charts/newrelic-prometheus-agent - version: 1.9.1 + version: 1.10.0 - condition: webhook.enabled,nri-metadata-injection.enabled name: nri-metadata-injection repository: file://./charts/nri-metadata-injection - version: 4.16.1 + version: 4.17.0 - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled name: newrelic-k8s-metrics-adapter repository: file://./charts/newrelic-k8s-metrics-adapter - version: 1.8.2 + version: 1.9.0 - condition: ksm.enabled,kube-state-metrics.enabled name: kube-state-metrics repository: file://./charts/kube-state-metrics @@ -31,11 +31,11 @@ dependencies: - condition: kubeEvents.enabled,nri-kube-events.enabled name: nri-kube-events repository: file://./charts/nri-kube-events - version: 3.7.3 + version: 3.8.0 - condition: logging.enabled,newrelic-logging.enabled name: newrelic-logging repository: file://./charts/newrelic-logging - version: 1.19.0 + version: 1.20.0 - condition: newrelic-pixie.enabled name: newrelic-pixie repository: file://./charts/newrelic-pixie @@ -48,7 +48,7 @@ dependencies: - condition: newrelic-infra-operator.enabled name: newrelic-infra-operator repository: file://./charts/newrelic-infra-operator - version: 2.8.2 + version: 2.9.0 description: Groups together the individual charts for the New Relic Kubernetes solution for a more comfortable deployment. home: https://github.com/newrelic/helm-charts 
@@ -75,4 +75,4 @@ sources: - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator -version: 5.0.60 +version: 5.0.63 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml index c71d2f263..d61b13236 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infra-operator/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 0.16.2 +appVersion: 0.17.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -32,4 +32,4 @@ name: newrelic-infra-operator sources: - https://github.com/newrelic/newrelic-infra-operator - https://github.com/newrelic/newrelic-infra-operator/tree/main/charts/newrelic-infra-operator -version: 2.8.2 +version: 2.9.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml index 1ea9210ae..6cb543d90 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 3.24.1 +appVersion: 3.25.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com 
@@ -12,27 +12,15 @@ keywords: - newrelic - monitoring maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR name: newrelic-infrastructure sources: - https://github.com/newrelic/nri-kubernetes/ - https://github.com/newrelic/nri-kubernetes/tree/main/charts/newrelic-infrastructure - https://github.com/newrelic/infrastructure-agent/ -version: 3.29.1 +version: 3.30.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/README.md b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/README.md index 56cadee19..923b6109b 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/README.md @@ -194,15 +194,9 @@ integrations that you have configured. ## Maintainers -* [nserrino](https://github.com/nserrino) -* [philkuz](https://github.com/philkuz) -* [htroisi](https://github.com/htroisi) * [juanjjaramillo](https://github.com/juanjjaramillo) -* [svetlanabrennan](https://github.com/svetlanabrennan) -* [nrepai](https://github.com/nrepai) * [csongnr](https://github.com/csongnr) -* [vuqtran88](https://github.com/vuqtran88) -* [xqi-nr](https://github.com/xqi-nr) +* [dbudziwojskiNR](https://github.com/dbudziwojskiNR) ## Past Contributors diff --git a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/clusterrole.yaml b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/clusterrole.yaml index 4913448e7..391dc1e1f 100644 
--- a/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/clusterrole.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-infrastructure/templates/clusterrole.yaml
@@ -18,6 +18,7 @@ rules:
 - "services"
 - "nodes"
 - "namespaces"
+ - "pods"
 verbs: [ "get", "list", "watch" ]
 - nonResourceURLs: ["/metrics"]
 verbs: ["get"]
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml
index a557b5bb9..2cb4cd1b9 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml
+++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 0.10.2
+appVersion: 0.11.0
 dependencies:
 - name: common-library
 repository: https://helm-charts.newrelic.com
@@ -14,10 +14,12 @@ keywords:
 maintainers:
 - name: juanjjaramillo
 url: https://github.com/juanjjaramillo
-- name: svetlanabrennan
- url: https://github.com/svetlanabrennan
+- name: csongnr
+ url: https://github.com/csongnr
+- name: dbudziwojskiNR
+ url: https://github.com/dbudziwojskiNR
 name: newrelic-k8s-metrics-adapter
 sources:
 - https://github.com/newrelic/newrelic-k8s-metrics-adapter
 - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/main/charts/newrelic-k8s-metrics-adapter
-version: 1.8.2
+version: 1.9.0
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md
index 31288586c..e5a1b0996 100644
--- a/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md
+++ b/charts/new-relic/nri-bundle/charts/newrelic-k8s-metrics-adapter/README.md
@@ -135,4 +135,5 @@ resources:
 ## Maintainers
 * [juanjjaramillo](https://github.com/juanjjaramillo)
-* [svetlanabrennan](https://github.com/svetlanabrennan)
+* [csongnr](https://github.com/csongnr)
+* [dbudziwojskiNR](https://github.com/dbudziwojskiNR)
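Review bot: `"pods"` is added to a ClusterRole rule that already grants `get`, `list` and `watch` on services, nodes and namespaces, but nothing in the hunk records which integration needs cluster-wide read access to pods. Pod specs expose container env values and volume references, so widening read access to every pod in the cluster deserves a one-line justification next to the entry, e.g. `- "pods"  # TODO(review): name the integration that reads pod specs and what it needs from them`. The rule's `apiGroups`/`resources` header lines sit above the hunk, so the full scope of this rule is not visible here.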
diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml index acd232ad3..43fbfb9dd 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/Chart.yaml @@ -17,4 +17,4 @@ maintainers: - name: danybmx - name: sdaubin name: newrelic-logging -version: 1.19.0 +version: 1.20.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md index 476da5b9d..a0eb0c812 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/README.md 
@@ -106,63 +106,94 @@ helm upgrade --install newrelic-bundle newrelic/nri-bundle \ ### Supported configuration parameters See [values.yaml](values.yaml) for the default values -| Parameter | Description | Default | -|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------| -| `global.cluster` - `cluster` | The cluster name for the Kubernetes cluster. | | -| `global.licenseKey` - `licenseKey` | The [license key](https://docs.newrelic.com/docs/accounts/install-new-relic/account-setup/license-key) for your New Relic Account. This will be the preferred configuration option if both `licenseKey` and `customSecret*` values are specified. | | -| `global.customSecretName` - `customSecretName` | Name of the Secret object where the license key is stored | | -| `global.customSecretLicenseKey` - `customSecretLicenseKey` | Key in the Secret object where the license key is stored. | | -| `global.fargate` | Must be set to `true` when deploying in an EKS Fargate environment. Prevents DaemonSet pods from being scheduled in Fargate nodes. | | -| `global.lowDataMode` - `lowDataMode` | If `true`, send minimal attributes on Kubernetes logs. Labels and annotations are not sent when lowDataMode is enabled. | `false` | -| `rbac.create` | Enable Role-based authentication | `true` | -| `rbac.pspEnabled` | Enable pod security policy support | `false` | -| `image.repository` | The container to pull. | `newrelic/newrelic-fluentbit-output` | -| `image.pullPolicy` | The pull policy. | `IfNotPresent` | -| `image.pullSecrets` | Image pull secrets. 
| `nil` | -| `image.tag` | The version of the container to pull. | See value in [values.yaml]` | -| `exposedPorts` | Any ports you wish to expose from the pod. Ex. 2020 for metrics | `[]` | -| `resources` | Any resources you wish to assign to the pod. | See Resources below | -| `priorityClassName` | Scheduling priority of the pod | `nil` | -| `nodeSelector` | Node label to use for scheduling on Linux nodes | `{ kubernetes.io/os: linux }` | -| `windowsNodeSelector` | Node label to use for scheduling on Windows nodes | `{ kubernetes.io/os: windows, node.kubernetes.io/windows-build: BUILD_NUMBER }` | -| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | See Tolerations below | -| `updateStrategy` | Strategy for DaemonSet updates (requires Kubernetes >= 1.6) | `RollingUpdate` | -| `extraVolumeMounts` | Additional DaemonSet volume mounts | `[]` | -| `extraVolumes` | Additional DaemonSet volumes | `[]` | -| `initContainers` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) that will be executed before the actual container in charge of shipping logs to New Relic is initialized. Use this if you are using a custom Fluent Bit configuration that requires downloading certain files inside the volumes being accessed by the log-shipping pod. | `[]` | -| `windows.initContainers` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) that will be executed before the actual container in charge of shipping logs to New Relic is initialized. Use this if you are using a custom Fluent Bit configuration that requires downloading certain files inside the volumes being accessed by the log-shipping pod. | `[]` | -| `serviceAccount.create` | If true, a service account would be created and assigned to the deployment | `true` | -| `serviceAccount.name` | The service account to assign to the deployment. 
If `serviceAccount.create` is true then this name will be used when creating the service account | | -| `serviceAccount.annotations` | The annotations to add to the service account if `serviceAccount.create` is set to true. | | -| `global.nrStaging` - `nrStaging` | Send data to staging (requires a staging license key) | `false` | -| `fluentBit.path` | Node path logs are forwarded from. Patterns are supported, as well as specifying multiple paths/patterns separated by commas. | `/var/log/containers/*.log` | -| `fluentBit.db` | Node path used by Fluent Bit to store a database file to keep track of monitored files and offsets. | `/var/log/containers/*.log` | -| `fluentBit.k8sBufferSize` | Set the buffer size for HTTP client when reading responses from Kubernetes API server. A value of 0 results in no limit and the buffer will expand as needed. | `32k` | -| `fluentBit.k8sLoggingExclude` | Set to "On" to allow excluding pods by adding the annotation `fluentbit.io/exclude: "true"` to pods you wish to exclude. | `Off` | -| `fluentBit.additionalEnvVariables` | Additional environmental variables for fluentbit pods | `[]]` | -| `daemonSet.annotations` | The annotations to add to the `DaemonSet`. | | -| `podAnnotations` | The annotations to add to the `DaemonSet` created `Pod`s. | | -| `enableLinux` | Enable log collection from Linux containers. This is the default behavior. In case you are only interested of collecting logs from Windows containers, set this to `false`. | `true` | -| `enableWindows` | Enable log collection from Windows containers. Please refer to the [Windows support](#windows-support) section for more details. 
| `false` | -| `fluentBit.config.service` | Contains fluent-bit.conf Service config | | -| `fluentBit.config.inputs` | Contains fluent-bit.conf Inputs config | | -| `fluentBit.config.extraInputs` | Contains extra fluent-bit.conf Inputs config | | -| `fluentBit.config.filters` | Contains fluent-bit.conf Filters config | | -| `fluentBit.config.extraFilters` | Contains extra fluent-bit.conf Filters config | | -| `fluentBit.config.lowDataModeFilters` | Contains fluent-bit.conf Filters config for lowDataMode | | -| `fluentBit.config.outputs` | Contains fluent-bit.conf Outputs config | | -| `fluentBit.config.extraOutputs` | Contains extra fluent-bit.conf Outputs config | | -| `fluentBit.config.parsers` | Contains parsers.conf Parsers config | | -| `fluentBit.retryLimit` | Amount of times to retry sending a given batch of logs to New Relic. This prevents data loss if there is a temporary network disruption, if a request to the Logs API is lost or when receiving a recoverable HTTP response. Set it to "False" for unlimited retries. | 5 | -| `dnsConfig` | [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) that will be added to the pods. Can be configured also with `global.dnsConfig`. | `{}` | -| `fluentBit.criEnabled` | We assume that `kubelet`directly communicates with the container engine using the [CRI](https://kubernetes.io/docs/concepts/overview/components/#container-runtime) specification. Set this to `false` if your K8s installation uses [dockershim](https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/) instead, in order to get the logs properly parsed. 
|`true` | +| Parameter | Description | Default | +| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------- | +| `global.cluster` - `cluster` | The cluster name for the Kubernetes cluster. | | +| `global.licenseKey` - `licenseKey` | The [license key](https://docs.newrelic.com/docs/accounts/install-new-relic/account-setup/license-key) for your New Relic Account. This will be the preferred configuration option if both `licenseKey` and `customSecret*` values are specified. | | +| `global.customSecretName` - `customSecretName` | Name of the Secret object where the license key is stored | | +| `global.customSecretLicenseKey` - `customSecretLicenseKey` | Key in the Secret object where the license key is stored. | | +| `global.fargate` | Must be set to `true` when deploying in an EKS Fargate environment. Prevents DaemonSet pods from being scheduled in Fargate nodes. | | +| `global.lowDataMode` - `lowDataMode` | If `true`, send minimal attributes on Kubernetes logs. Labels and annotations are not sent when lowDataMode is enabled. | `false` | +| `rbac.create` | Enable Role-based authentication | `true` | +| `rbac.pspEnabled` | Enable pod security policy support | `false` | +| `image.repository` | The container to pull. | `newrelic/newrelic-fluentbit-output` | +| `image.pullPolicy` | The pull policy. | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets. | `nil` | +| `image.tag` | The version of the container to pull. | See value in [values.yaml]` | +| `exposedPorts` | Any ports you wish to expose from the pod. 
Ex. 2020 for metrics | `[]` | +| `resources` | Any resources you wish to assign to the pod. | See Resources below | +| `priorityClassName` | Scheduling priority of the pod | `nil` | +| `nodeSelector` | Node label to use for scheduling on Linux nodes | `{ kubernetes.io/os: linux }` | +| `windowsNodeSelector` | Node label to use for scheduling on Windows nodes | `{ kubernetes.io/os: windows, node.kubernetes.io/windows-build: BUILD_NUMBER }` | +| `tolerations` | List of node taints to tolerate (requires Kubernetes >= 1.6) | See Tolerations below | +| `updateStrategy` | Strategy for DaemonSet updates (requires Kubernetes >= 1.6) | `RollingUpdate` | +| `extraVolumeMounts` | Additional DaemonSet volume mounts | `[]` | +| `extraVolumes` | Additional DaemonSet volumes | `[]` | +| `initContainers` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) that will be executed before the actual container in charge of shipping logs to New Relic is initialized. Use this if you are using a custom Fluent Bit configuration that requires downloading certain files inside the volumes being accessed by the log-shipping pod. | `[]` | +| `windows.initContainers` | [Init containers](https://kubernetes.io/docs/concepts/workloads/pods/init-containers/) that will be executed before the actual container in charge of shipping logs to New Relic is initialized. Use this if you are using a custom Fluent Bit configuration that requires downloading certain files inside the volumes being accessed by the log-shipping pod. | `[]` | +| `serviceAccount.create` | If true, a service account would be created and assigned to the deployment | `true` | +| `serviceAccount.name` | The service account to assign to the deployment. If `serviceAccount.create` is true then this name will be used when creating the service account | | +| `serviceAccount.annotations` | The annotations to add to the service account if `serviceAccount.create` is set to true. 
| | +| `global.nrStaging` - `nrStaging` | Send data to staging (requires a staging license key) | `false` | +| `fluentBit.path` | Node path logs are forwarded from. Patterns are supported, as well as specifying multiple paths/patterns separated by commas. | `/var/log/containers/*.log` | +| `fluentBit.db` | Node path used by Fluent Bit to store a database file to keep track of monitored files and offsets. | `/var/log/containers/*.log` | +| `fluentBit.k8sBufferSize` | Set the buffer size for HTTP client when reading responses from Kubernetes API server. A value of 0 results in no limit and the buffer will expand as needed. | `32k` | +| `fluentBit.k8sLoggingExclude` | Set to "On" to allow excluding pods by adding the annotation `fluentbit.io/exclude: "true"` to pods you wish to exclude. | `Off` | +| `fluentBit.additionalEnvVariables` | Additional environmental variables for fluentbit pods | `[]]` | +| `fluentBit.persistence.mode` | The [persistence mode](#Fluent-Bit-persistence-modes) you want to use, options are "hostPath", "none" or "persistentVolume" (this last one available only for linux) +| `fluentBit.persistence.persistentVolume.storageClass` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), indicates the storage class that will be used for create the PersistentVolume and PersistentVolumeClaim. | | +| `fluentBit.persistence.persistentVolume.size` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), indicates the capacity for the PersistentVolume and PersistentVolumeClaim | 10Gi | +| `fluentBit.persistence.persistentVolume.dynamicProvisioning` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), indicates if the storage class used provide dynamic provisioning. If it does, only the PersistentVolumeClaim will be created. 
| true | +| `fluentBit.persistence.persistentVolume.existingVolume` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), indicates and existing volume in case you want to reuse one, bear in mind that it should allow ReadWriteMany access mode. A PersistentVolumeClaim will be created using it. | | +| `fluentBit.persistence.persistentVolume.existingVolumeClaim` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), indicates and existing volume claim that will be used on the daemonset. It should allow ReadWriteMany access mode. | | +| `fluentBit.persistence.persistentVolume.annotations.volume` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), allows to add annotations to the PersistentVolume (if created). | | +| `fluentBit.persistence.persistentVolume.annotations.claim` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), allows to add annotations to the PersistentVolumeClaim (if created). | | +| `fluentBit.persistence.persistentVolume.extra.volume` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), allows to add extra properties to the PersistentVolume (if created). | | +| `fluentBit.persistence.persistentVolume.extra.claim` | On "persistentVolume" [persistence mode](#Fluent-Bit-persistence-modes), allows to add extra properties to the PersistentVolumeClaim (if created). | | +| `daemonSet.annotations` | The annotations to add to the `DaemonSet`. | | +| `podAnnotations` | The annotations to add to the `DaemonSet` created `Pod`s. | | +| `enableLinux` | Enable log collection from Linux containers. This is the default behavior. In case you are only interested of collecting logs from Windows containers, set this to `false`. | `true` | +| `enableWindows` | Enable log collection from Windows containers. Please refer to the [Windows support](#windows-support) section for more details. 
| `false` |
+| `fluentBit.config.service` | Contains fluent-bit.conf Service config | |
+| `fluentBit.config.inputs` | Contains fluent-bit.conf Inputs config | |
+| `fluentBit.config.extraInputs` | Contains extra fluent-bit.conf Inputs config | |
+| `fluentBit.config.filters` | Contains fluent-bit.conf Filters config | |
+| `fluentBit.config.extraFilters` | Contains extra fluent-bit.conf Filters config | |
+| `fluentBit.config.lowDataModeFilters` | Contains fluent-bit.conf Filters config for lowDataMode | |
+| `fluentBit.config.outputs` | Contains fluent-bit.conf Outputs config | |
+| `fluentBit.config.extraOutputs` | Contains extra fluent-bit.conf Outputs config | |
+| `fluentBit.config.parsers` | Contains parsers.conf Parsers config | |
+| `fluentBit.retryLimit` | Amount of times to retry sending a given batch of logs to New Relic. This prevents data loss if there is a temporary network disruption, if a request to the Logs API is lost or when receiving a recoverable HTTP response. Set it to "False" for unlimited retries. | 5 |
+| `dnsConfig` | [DNS configuration](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config) that will be added to the pods. Can be configured also with `global.dnsConfig`. | `{}` |
+| `fluentBit.criEnabled` | We assume that `kubelet`directly communicates with the container engine using the [CRI](https://kubernetes.io/docs/concepts/overview/components/#container-runtime) specification. Set this to `false` if your K8s installation uses [dockershim](https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/) instead, in order to get the logs properly parsed. | `true` |
+### Fluent Bit persistence modes
+
+Fluent Bit uses a database file to keep track of log lines read from files (offsets). This database file is stored in the host node by default, using a `hostPath` mount.
It's specifically stored (by default) in `/var/log/flb_kube.db` to keep things simple, as we're already mounting `/var` for accessing container logs. + +Sometimes the security constraints of some clusters don't allow mounting `hostPath`s in read-write mode. That's why you can chose among the following +persistence modes. Each one has their pros and cons. + +- `hostPath` (default) will use a `hostPath` mount to store the DB file on the node disk. This is the easiest, cheapest an most reliable option, but prohibited by some cloud vendor security policies. +- `none` will disable the Fluent Bit DB file. This can cause log duplication or data loss in case Fluent Bit gets restarted. +- `persistentVolume` (Linux only) will use a `ReadWriteMany` persistent volume to store the DB file. This will override the `fluentBit.db` path and use `/db/${NODE_NAME}-fb.db` instead. If you use this option in a Windows cluster it will default to `none` on Windows nodes. + +#### GKE Autopilot example + +If you're using the `persistentVolume` persistence mode you need to provide at least the `storageClass`, and it should be `ReadWriteMany`. This is an example of the configuration for persistence in [GKE Autopilot](https://cloud.google.com/kubernetes-engine/docs/concepts/autopilot-overview). + +``` +fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: standard-rwx +``` ### Proxy support Since Fluent Bit Kubernetes plugin is using [newrelic-fluent-bit-output](https://github.com/newrelic/newrelic-fluent-bit-output) we can configure the [proxy support](https://github.com/newrelic/newrelic-fluent-bit-output#proxy-support) in order to set up the proxy configuration. - #### As environment variables The easiest way to configure the proxy is by means of specifying the `HTTP_PROXY` or `HTTPS_PROXY` variables as follows: 
@@ -220,4 +251,4 @@ This Helm chart deploys one `DaemonSet` for each of the Windows versions it supp This Helm chart currently supports the following Windows versions: - Windows Server LTSC 2019, build 10.0.17763 -- Windows Server LTSC 2022, build 10.0.20348 \ No newline at end of file +- Windows Server LTSC 2022, build 10.0.20348 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml index e7ec27e0f..d9938feb3 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset-windows.yaml @@ -91,8 +91,13 @@ spec: {{- else }} value: "docker,cri" {{- end }} + {{- if or (not $.Values.fluentBit.persistence) (eq $.Values.fluentBit.persistence.mode "hostPath") }} - name: FB_DB value: {{ $.Values.fluentBit.windowsDb | quote }} + {{- else }} + - name: FB_DB + value: "" + {{- end }} - name: PATH value: {{ $.Values.fluentBit.windowsPath | quote }} - name: K8S_BUFFER_SIZE @@ -117,11 +122,17 @@ spec: - mountPath: C:\fluent-bit\etc name: fluent-bit-config - mountPath: C:\var\log - name: varlog + name: logs + {{- if and ($.Values.fluentBit.persistence) (ne $.Values.fluentBit.persistence.mode "hostPath") }} + readOnly: true + {{- end }} # We need to also mount this because the logs in C:\var\logs are actually symlinks to C:\ProgramData. # So, in order to be able to read these logs, the reading process needs to also have access to C:\ProgramData. - mountPath: C:\ProgramData name: progdata + {{- if and ($.Values.fluentBit.persistence) (ne $.Values.fluentBit.persistence.mode "hostPath") }} + readOnly: true + {{- end }} {{- if $.Values.resources }} resources: {{ toYaml $.Values.resources | indent 12 }} 
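Review bot: In the -117 hunk the `C:\ProgramData` mount becomes `readOnly: true` only when persistence is not `hostPath`, yet the file that justifies a writable mount (`fluentBit.windowsDb`) lives under `C:\var\log`, and the comment on the `progdata` mount says it is needed only so the symlinked logs can be read; `readOnly: true` on that mount can therefore be unconditional, dropping the surrounding `{{- if and ... }}`. The -91 hunk routes every non-hostPath mode, including `persistentVolume`, to `FB_DB` = `""`; the README states that persistentVolume falls back to `none` on Windows, but nothing in the template says so, so a comment such as `# persistentVolume is Linux-only: any non-hostPath mode disables the DB file on Windows` would mark the fall-through as intentional. The same `or (not $.Values.fluentBit.persistence) (eq $.Values.fluentBit.persistence.mode "hostPath")` test (and its `and`/`ne` negation) is spelled out three times across the two hunks; binding it once to a variable at the top of the container spec would keep the env entry and the two mounts from drifting apart. The container spec these hunks edit starts and ends outside the hunks.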
@@ -130,7 +141,7 @@ spec: - name: fluent-bit-config configMap: name: {{ template "newrelic-logging.fluentBitConfig" $ }} - - name: varlog + - name: logs hostPath: path: C:\var\log - name: progdata diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml index 7b95d62e7..d0723cd43 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/daemonset.yaml @@ -47,8 +47,17 @@ spec: securityContext: {{- . | nindent 8 }} {{- end }} - {{- if .Values.initContainers }} initContainers: + {{- if and (.Values.fluentBit.persistence) (eq .Values.fluentBit.persistence.mode "persistentVolume") }} + - name: init + image: busybox:1.36 + command: ["/bin/sh", "-c"] + args: ["/bin/find /db -type f -mtime +1 -delete"] # Delete all db files not updated in the last 24h + volumeMounts: + - name: fb-db-pvc + mountPath: /db + {{- end }} + {{- if .Values.initContainers }} {{ toYaml .Values.initContainers | indent 8 }} {{- end }} containers: @@ -92,8 +101,20 @@ spec: {{- else }} value: "docker,cri" {{- end }} + {{- if or (not .Values.fluentBit.persistence) (eq .Values.fluentBit.persistence.mode "hostPath") }} - name: FB_DB value: {{ .Values.fluentBit.db | quote }} + {{- else if eq .Values.fluentBit.persistence.mode "persistentVolume" }} + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: FB_DB + value: "/db/$(NODE_NAME)-fb.db" + {{- else }} + - name: FB_DB + value: "" + {{- end }} - name: PATH value: {{ .Values.fluentBit.path | quote }} - name: K8S_BUFFER_SIZE 
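Review bot: The cleanup init container in the -47 hunk hard-codes `image: busybox:1.36` with no values override, no digest, and no `imagePullPolicy`, `securityContext` or `resources`, so clusters that mirror images through a private registry, enforce image allow-lists or run under a restricted Pod Security Standard cannot adjust it, and the chart gains an unpinned upstream dependency that `.Values` does not expose. Exposing the reference through values (a key such as `fluentBit.persistence.persistentVolume.initImage` — name to be agreed) and giving the container the same security context the main container gets would close that gap. `find /db -type f -mtime +1 -delete` runs from every node's pod against the shared ReadWriteMany volume, so it also removes the offset DB of any node whose Fluent Bit has been down for more than a day, after which that node re-reads its logs from scratch; if that is the intended garbage collection, a comment saying that duplicates are accepted in that case would help the next reader. `initContainers:` is now emitted unconditionally and renders as `initContainers: null` when neither branch adds anything, which appears harmless but is a deliberate change from the previous `{{- if .Values.initContainers }}` guard and is worth a comment.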
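Review bot: An unrecognised `fluentBit.persistence.mode` (a typo such as `persistentvolume`) in the -92 hunk falls silently into the final `{{- else }}` and sets `FB_DB` to `""`, i.e. it behaves like `none` with no warning; a render-time guard such as `{{- if not (has .Values.fluentBit.persistence.mode (list "hostPath" "none" "persistentVolume")) }}{{ fail "fluentBit.persistence.mode must be hostPath, none or persistentVolume" }}{{- end }}` would catch it, here or next to the existing `fail` in persistentvolume.yaml. The `NODE_NAME` entry is correctly placed before `FB_DB`, which is what lets Kubernetes expand `$(NODE_NAME)`; a one-line comment `# NODE_NAME must precede FB_DB: Kubernetes expands $(NODE_NAME) only from earlier env entries` would protect that ordering from a later reshuffle. The container env list continues outside the hunk, so a pre-existing `NODE_NAME` entry elsewhere in it would now be duplicated — worth checking.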
@@ -118,8 +139,16 @@ spec: volumeMounts: - name: fluent-bit-config mountPath: /fluent-bit/etc - - name: var - mountPath: /var + - name: logs + # We mount /var by default because container logs could be on /var/log or /var/lib/docker/containers (symlinked to /var/log) + mountPath: {{ .Values.fluentBit.linuxMountPath | default "/var" }} + {{- if and (.Values.fluentBit.persistence) (ne .Values.fluentBit.persistence.mode "hostPath") }} + readOnly: true + {{- end }} + {{- if and (.Values.fluentBit.persistence) (eq .Values.fluentBit.persistence.mode "persistentVolume") }} + - name: fb-db-pvc + mountPath: /db + {{- end }} {{- if .Values.exposedPorts }} ports: {{ toYaml .Values.exposedPorts | nindent 12 }} {{- end }} @@ -134,9 +163,18 @@ spec: - name: fluent-bit-config configMap: name: {{ template "newrelic-logging.fluentBitConfig" . }} - - name: var + - name: logs hostPath: - path: /var + path: {{ .Values.fluentBit.linuxMountPath | default "/var" }} + {{- if and (.Values.fluentBit.persistence) (eq .Values.fluentBit.persistence.mode "persistentVolume") }} + - name: fb-db-pvc + persistentVolumeClaim: + {{- if .Values.fluentBit.persistence.persistentVolume.existingVolumeClaim }} + claimName: {{ .Values.fluentBit.persistence.persistentVolume.existingVolumeClaim }} + {{- else }} + claimName: {{ template "newrelic-logging.fullname" . }}-pvc + {{- end }} + {{- end }} {{- if .Values.extraVolumes }} {{- toYaml .Values.extraVolumes | nindent 8 }} {{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/persistentvolume.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/persistentvolume.yaml new file mode 100644 index 000000000..f2fb93d77 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/templates/persistentvolume.yaml 
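Review bot: The `logs` hostPath volume in the -134 hunk now takes its `path` from `fluentBit.linuxMountPath` but declares no `type`, so a mistyped value is not rejected at pod start (with the empty default type the kubelet performs no check on the host path); adding `type: Directory` under `hostPath:` would fail fast instead. Nothing ties `linuxMountPath` to `fluentBit.db`: in the default hostPath mode the DB at `/var/log/flb_kube.db` has to lie below the mount, and a value such as `/var/log/containers` would leave Fluent Bit unable to create its DB without any render-time error; a guard like `{{- if and (not (ne mode "hostPath")) (not (hasPrefix $mount .Values.fluentBit.db)) }}{{ fail "fluentBit.db must be below fluentBit.linuxMountPath in hostPath mode" }}{{- end }}` would surface that. The -118 volumeMounts hunk above takes the same parameter and already explains in a comment why `/var` is the default; the same comment is missing on the volume definition here.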
@@ -0,0 +1,57 @@ +{{- if (not (empty .Values.fluentBit.persistence)) }} + +{{- if and (eq .Values.fluentBit.persistence.mode "persistentVolume") (not .Values.fluentBit.persistence.persistentVolume.storageClass) (not .Values.fluentBit.persistence.persistentVolume.existingVolumeClaim) }} +{{ fail "You should provide a ReadWriteMany storageClass or an existingVolumeClaim if using persitentVolume as Fluent Bit persistence mode." }} +{{- end }} + +{{- if and (eq .Values.fluentBit.persistence.mode "persistentVolume") (not .Values.fluentBit.persistence.persistentVolume.existingVolumeClaim) }} +{{- if and (not .Values.fluentBit.persistence.persistentVolume.dynamicProvisioning) (not .Values.fluentBit.persistence.persistentVolume.existingVolume) }} +apiVersion: v1 +kind: PersistentVolume +metadata: + namespace: {{ .Release.Namespace }} + labels: {{ include "newrelic-logging.labels" . | indent 4 }} + name: {{ template "newrelic-logging.fullname" . }}-pv + annotations: + {{- if .Values.fluentBit.persistence.persistentVolume.annotations.volume }} +{{ toYaml .Values.fluentBit.persistence.persistentVolume.annotations.volume | indent 4 }} + {{- end }} +spec: + accessModes: + - ReadWriteMany + capacity: + storage: {{ .Values.fluentBit.persistence.persistentVolume.size }} + storageClassName: {{ .Values.fluentBit.persistence.persistentVolume.storageClass }} + persistentVolumeReclaimPolicy: Delete + {{- if .Values.fluentBit.persistence.persistentVolume.extra.volume }} +{{ toYaml .Values.fluentBit.persistence.persistentVolume.extra.volume | indent 2 }} + {{- end }} +--- +{{- end }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ .Release.Namespace }} + labels: {{ include "newrelic-logging.labels" . | indent 4 }} + name: {{ template "newrelic-logging.fullname" . 
}}-pvc + annotations: + {{- if .Values.fluentBit.persistence.persistentVolume.annotations.claim }} +{{ toYaml .Values.fluentBit.persistence.persistentVolume.annotations.claim | indent 4 }} + {{- end }} +spec: + storageClassName: {{ .Values.fluentBit.persistence.persistentVolume.storageClass }} + accessModes: + - ReadWriteMany +{{- if .Values.fluentBit.persistence.persistentVolume.existingVolume }} + volumeName: {{ .Values.fluentBit.persistence.persistentVolume.existingVolume }} +{{- else if not .Values.fluentBit.persistence.persistentVolume.dynamicProvisioning }} + volumeName: {{ template "newrelic-logging.fullname" . }}-pv +{{- end }} + resources: + requests: + storage: {{ .Values.fluentBit.persistence.persistentVolume.size }} + {{- if .Values.fluentBit.persistence.persistentVolume.extra.claim }} +{{ toYaml .Values.fluentBit.persistence.persistentVolume.extra.claim | indent 2 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_persistence_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_persistence_test.yaml new file mode 100644 index 000000000..67d14c795 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/fluentbit_persistence_test.yaml 
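Review bot: `metadata.namespace: {{ .Release.Namespace }}` is set on the `PersistentVolume` document, but PVs are cluster-scoped, so the field is at best ignored and should be removed there (it is correct on the PVC). The `fail` message misspells the mode it checks, which makes the error harder to search for; `{{ fail "You should provide a ReadWriteMany storageClass or an existingVolumeClaim if using persistentVolume as Fluent Bit persistence mode." }}`. `persistentVolumeReclaimPolicy: Delete` on a statically defined PV only works for backends that have a deleter; for the NFS example given in values.yaml the PV would presumably end up `Failed` once the claim is released, so `Retain` or a value-controlled policy seems the safer default. The `storageClassName` check also rejects the `existingVolume` case where the static PV carries no storage class, which the README does not mention.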
@@ -0,0 +1,317 @@ +suite: test fluent-bit persistence options +templates: + - templates/daemonset.yaml + - templates/configmap.yaml + - templates/persistentvolume.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: default persistence is hostPath, DB is set properly and logs volume is read/write + set: + licenseKey: nr_license_key + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: logs + mountPath: /var + template: templates/daemonset.yaml + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fb-db-pvc + mountPath: /db + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: logs + hostPath: + path: /var + template: templates/daemonset.yaml + - notContains: + path: spec.template.spec.volumes + content: + name: fb-db-pvc + persistentVolumeClaim: + claimName: my-release-newrelic-logging-pvc + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: FB_DB + value: /var/log/flb_kube.db + template: templates/daemonset.yaml + - hasDocuments: + count: 0 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence set to none should keep FB_DB env empty and mount logs volume as read-only + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: none + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: FB_DB + value: "" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: logs + mountPath: /var + readOnly: true + template: templates/daemonset.yaml + - notContains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fb-db-pvc + mountPath: /db + template: templates/daemonset.yaml + - notContains: + path: spec.template.spec.volumes + content: + name: fb-db-pvc + persistentVolumeClaim: + claimName: 
my-release-newrelic-logging-pvc + template: templates/daemonset.yaml + - hasDocuments: + count: 0 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence set to persistentVolume should create volume, add it to daemonset, add an initContainer to cleanup and set the FB_DB. Dynamic provisioning is enabled by default. + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: FB_DB + value: "/db/$(NODE_NAME)-fb.db" + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: logs + mountPath: /var + readOnly: true + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: fb-db-pvc + mountPath: /db + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.volumes + content: + name: fb-db-pvc + persistentVolumeClaim: + claimName: my-release-newrelic-logging-pvc + template: templates/daemonset.yaml + - isNotNullOrEmpty: + path: spec.template.spec.initContainers + template: templates/daemonset.yaml + - contains: + path: spec.template.spec.initContainers[0].volumeMounts + content: + name: fb-db-pvc + mountPath: /db + template: templates/daemonset.yaml + - hasDocuments: + count: 1 + template: templates/persistentvolume.yaml + - isKind: + of: PersistentVolumeClaim + template: templates/persistentvolume.yaml + - equal: + path: spec.accessModes + value: + - ReadWriteMany + template: templates/persistentvolume.yaml + - it: fluentBit.persistence.persistentVolume with non dynamic provisioning should create the PV and PVC + set: + licenseKey: nr_license_key + fluentBit: + 
persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + dynamicProvisioning: false + asserts: + - hasDocuments: + count: 2 + template: templates/persistentvolume.yaml + - isKind: + of: PersistentVolume + documentIndex: 0 + template: templates/persistentvolume.yaml + - isKind: + of: PersistentVolumeClaim + documentIndex: 1 + template: templates/persistentvolume.yaml + - equal: + path: spec.accessModes + value: + - ReadWriteMany + documentIndex: 0 + template: templates/persistentvolume.yaml + - equal: + path: spec.accessModes + value: + - ReadWriteMany + documentIndex: 1 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence storage class should be set properly on PV and PVC + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + dynamicProvisioning: false + storageClass: sample-storage-rwx + asserts: + - equal: + path: spec.storageClassName + value: sample-storage-rwx + documentIndex: 0 + template: templates/persistentvolume.yaml + - equal: + path: spec.storageClassName + value: sample-storage-rwx + documentIndex: 1 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence.persistentVolume size should be set properly on PV and PVC + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + dynamicProvisioning: false + size: 100Gi + asserts: + - equal: + path: spec.capacity.storage + value: 100Gi + documentIndex: 0 + template: templates/persistentvolume.yaml + - equal: + path: spec.resources.requests.storage + value: 100Gi + documentIndex: 1 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence.persistentVolume not dynamic provisioned but volumeName provided should use the volumeName and do not create a PV + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + 
dynamicProvisioning: false + existingVolume: existing-volume + asserts: + - hasDocuments: + count: 1 + template: templates/persistentvolume.yaml + - isKind: + of: PersistentVolumeClaim + template: templates/persistentvolume.yaml + - equal: + path: spec.volumeName + value: existing-volume + template: templates/persistentvolume.yaml + - it: fluentBit.persistence.persistentVolume if a existing claim is provided it's used and PV/PVC are not created + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + dynamicProvisioning: false + existingVolumeClaim: existing-claim + asserts: + - hasDocuments: + count: 0 + template: templates/persistentvolume.yaml + - contains: + path: spec.template.spec.volumes + content: + name: fb-db-pvc + persistentVolumeClaim: + claimName: existing-claim + template: templates/daemonset.yaml + - it: fluentBit.persistence.persistentVolume annotations for PV and PVC are used + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + annotations: + volume: + foo: bar + claim: + baz: qux + dynamicProvisioning: false + asserts: + - equal: + path: metadata.annotations.foo + value: bar + documentIndex: 0 + template: templates/persistentvolume.yaml + - equal: + path: metadata.annotations.baz + value: qux + documentIndex: 1 + template: templates/persistentvolume.yaml + - it: fluentBit.persistence.persistentVolume extra for PV and PVC are used + set: + licenseKey: nr_license_key + fluentBit: + persistence: + mode: persistentVolume + persistentVolume: + storageClass: sample-rwx + extra: + volume: + nfs: + path: /tmp/ + server: 1.1.1.1 + claim: + some: property + dynamicProvisioning: false + asserts: + - equal: + path: spec.nfs + value: + path: /tmp/ + server: 1.1.1.1 + documentIndex: 0 + template: templates/persistentvolume.yaml + - equal: + path: spec.some + value: property + documentIndex: 1 + 
template: templates/persistentvolume.yaml diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/linux_volume_mount_test.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/linux_volume_mount_test.yaml new file mode 100644 index 000000000..83d2a2c11 --- /dev/null +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/tests/linux_volume_mount_test.yaml @@ -0,0 +1,37 @@ +suite: test fluent-bit linux mount for logs +templates: + - templates/configmap.yaml + - templates/daemonset.yaml +release: + name: my-release + namespace: my-namespace +tests: + - it: is set to /var by default an + set: + licenseKey: nr_license_key + asserts: + - equal: + path: spec.template.spec.containers[0].volumeMounts[1].mountPath + value: /var + template: templates/daemonset.yaml + - equal: + path: spec.template.spec.volumes[1].hostPath.path + value: /var + template: templates/daemonset.yaml + documentIndex: 0 + - it: is set to linuxMountPath if set + templates: + - templates/daemonset.yaml + set: + licenseKey: nr_license_key + fluentBit.linuxMountPath: /var/log + asserts: + - equal: + path: spec.template.spec.containers[0].volumeMounts[1].mountPath + value: /var/log + template: templates/daemonset.yaml + - equal: + path: spec.template.spec.volumes[1].hostPath.path + value: /var/log + template: templates/daemonset.yaml + documentIndex: 0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml index ae98e6d36..b941f77c0 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml +++ b/charts/new-relic/nri-bundle/charts/newrelic-logging/values.yaml @@ -27,6 +27,7 @@ fluentBit: logLevel: "info" path: "/var/log/containers/*.log" + linuxMountPath: /var windowsPath: "C:\\var\\log\\containers\\*.log" db: "/var/log/flb_kube.db" windowsDb: "C:\\var\\log\\flb_kube.db" 
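Review bot: The suite exercises every successful combination but never the render-time guard: there is no case with `mode: persistentVolume` and neither `storageClass` nor `existingVolumeClaim`, so a regression that drops the `fail` in persistentvolume.yaml would pass unnoticed; a `failedTemplate` assertion with the expected `errorMessage` (supported by recent helm-unittest releases) would pin it. The `existingVolumeClaim` case also sets `storageClass: sample-rwx`, so the branch in which an existing claim stands in for a storage class is untested as well. The Windows daemonset is not in `templates:` at all although daemonset-windows.yaml changed in the same commit, so its `FB_DB`/`readOnly` switching is unverified.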
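Review bot: The first test's name `is set to /var by default an` is cut off mid-sentence, and both tests assert on positional paths (`volumeMounts[1]`, `volumes[1]`) that break as soon as a mount is inserted ahead of `logs`, whereas the sibling persistence suite already uses `contains` with a `name: logs` content block; switching these assertions to the same form would make the suite robust to reordering. The second test overrides `templates:` per test while the first relies on the suite-level list, which is harmless but inconsistent.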
@@ -43,6 +44,39 @@ fluentBit: # fieldRef: # fieldPath: metadata.name + # Indicates how fluent-bit database is persisted + persistence: + # Define the persistent mode for fluent-bit db, allowed options are `hostPath` (default), `none`, `persistentVolume`. + # - `hostPath` will use hostPath to store the db file on the node disk. + # - `none` will disable the fluent-bit db file, this could cause log duplication or data loss in case fluent-bit gets restarted. + # - `persistentVolume` will use a ReadWriteMany persistent volume to store the db file. This will override `fluentBit.db` path and use `/db/${NODE_NAME}-fb.db` file instead. + mode: "hostPath" + + # In case persistence.mode is set to persistentVolume this will be needed + persistentVolume: + # The storage class should allow ReadWriteMany mode + storageClass: + # Volume and claim size. + size: 10Gi + # If dynamicProvisioning is enabled the chart will create only the PersistentVolumeClaim + dynamicProvisioning: true + # If an existingVolume is provided, we'll use it instead creating a new one + existingVolume: + # If an existingVolumeClaim is provided, we'll use it instead creating a new one + existingVolumeClaim: + # In case you need to add annotations to the created volume or claim + annotations: + volume: {} + claim: {} + # In case you need to specify any other option to your volume or claim + extra: + volume: + # nfs: + # path: /tmp/ + # server: 1.1.1.1 + claim: {} + + # New Relic default configuration for fluent-bit.conf (service, inputs, filters, outputs) # and parsers.conf (parsers). The configuration below is not configured for lowDataMode and will # send all attributes. If custom configuration is required, update these variables. diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml index 5303ba6b5..f02e7ead1 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml 
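Review bot: The `mode` comment documents the DB path as `/db/${NODE_NAME}-fb.db`, but the daemonset renders `/db/$(NODE_NAME)-fb.db`; `$(VAR)` is the Kubernetes env substitution syntax and `${VAR}` is shell syntax that Kubernetes will not expand, so the comment should read `# ... and use /db/$(NODE_NAME)-fb.db instead (expanded by Kubernetes from the NODE_NAME env entry)`. The `extra.volume` / `extra.claim` maps are spliced verbatim into the PV and PVC `spec`, which is worth stating explicitly, e.g. `# merged verbatim into the PersistentVolume spec; any volume source such as nfs or csi goes here and is not validated by the chart`, so users understand what the chart does with them. `storageClass:`, `existingVolume:` and `existingVolumeClaim:` are left as bare nulls; a trailing `""` or a `# e.g. standard-rwx` comment would make the expected type obvious.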
+++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/Chart.yaml @@ -1,5 +1,5 @@ annotations: - configuratorVersion: 1.12.1 + configuratorVersion: 1.13.0 apiVersion: v2 appVersion: v2.37.8 dependencies: @@ -11,24 +11,12 @@ keywords: - newrelic - prometheus maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR name: newrelic-prometheus-agent type: application -version: 1.9.1 +version: 1.10.0 diff --git a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/README.md b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/README.md index a9b1cedd3..069b9a79b 100644 --- a/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/README.md +++ b/charts/new-relic/nri-bundle/charts/newrelic-prometheus-agent/README.md @@ -239,12 +239,6 @@ The order to set the affinity is to set `affinity` field (at root level), if tha ## Maintainers -* [nserrino](https://github.com/nserrino) -* [philkuz](https://github.com/philkuz) -* [htroisi](https://github.com/htroisi) * [juanjjaramillo](https://github.com/juanjjaramillo) -* [svetlanabrennan](https://github.com/svetlanabrennan) -* [nrepai](https://github.com/nrepai) * [csongnr](https://github.com/csongnr) -* [vuqtran88](https://github.com/vuqtran88) -* [xqi-nr](https://github.com/xqi-nr) +* [dbudziwojskiNR](https://github.com/dbudziwojskiNR) 
diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml index 07a955dbc..95ca154ef 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 2.7.3 +appVersion: 2.8.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -12,27 +12,15 @@ keywords: - newrelic - monitoring maintainers: -- name: nserrino - url: https://github.com/nserrino -- name: philkuz - url: https://github.com/philkuz -- name: htroisi - url: https://github.com/htroisi - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: nrepai - url: https://github.com/nrepai - name: csongnr url: https://github.com/csongnr -- name: vuqtran88 - url: https://github.com/vuqtran88 -- name: xqi-nr - url: https://github.com/xqi-nr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR name: nri-kube-events sources: - https://github.com/newrelic/nri-kube-events/ - https://github.com/newrelic/nri-kube-events/tree/main/charts/nri-kube-events - https://github.com/newrelic/infrastructure-agent/ -version: 3.7.3 +version: 3.8.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md index 74d7322a8..822956302 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/README.md 
@@ -1,6 +1,6 @@ # nri-kube-events -![Version: 3.7.3](https://img.shields.io/badge/Version-3.7.3-informational?style=flat-square) ![AppVersion: 2.7.3](https://img.shields.io/badge/AppVersion-2.7.3-informational?style=flat-square) +![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ![AppVersion: 2.8.0](https://img.shields.io/badge/AppVersion-2.8.0-informational?style=flat-square) A Helm chart to deploy the New Relic Kube Events router @@ -74,12 +74,6 @@ Options that can be defined globally include `affinity`, `nodeSelector`, `tolera ## Maintainers -* [nserrino](https://github.com/nserrino) -* [philkuz](https://github.com/philkuz) -* [htroisi](https://github.com/htroisi) * [juanjjaramillo](https://github.com/juanjjaramillo) -* [svetlanabrennan](https://github.com/svetlanabrennan) -* [nrepai](https://github.com/nrepai) * [csongnr](https://github.com/csongnr) -* [vuqtran88](https://github.com/vuqtran88) -* [xqi-nr](https://github.com/xqi-nr) +* [dbudziwojskiNR](https://github.com/dbudziwojskiNR) diff --git a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml index b3921c488..9fcfd436b 100644 --- a/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-kube-events/values.yaml @@ -27,7 +27,7 @@ images: agent: registry: repository: newrelic/k8s-events-forwarder - tag: 1.48.3 + tag: 1.48.4 pullPolicy: IfNotPresent # -- The secrets that are needed to pull images from a custom registry. pullSecrets: [] diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml index ba7395cd9..e26def962 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/Chart.yaml 
@@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: 1.24.1 +appVersion: 1.25.0 dependencies: - name: common-library repository: https://helm-charts.newrelic.com @@ -14,12 +14,12 @@ keywords: maintainers: - name: juanjjaramillo url: https://github.com/juanjjaramillo -- name: svetlanabrennan - url: https://github.com/svetlanabrennan -- name: xqi-nr - url: https://github.com/xqi-nr +- name: csongnr + url: https://github.com/csongnr +- name: dbudziwojskiNR + url: https://github.com/dbudziwojskiNR name: nri-metadata-injection sources: - https://github.com/newrelic/k8s-metadata-injection - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection -version: 4.16.1 +version: 4.17.0 diff --git a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/README.md b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/README.md index b0b5a7887..dd922ef13 100644 --- a/charts/new-relic/nri-bundle/charts/nri-metadata-injection/README.md +++ b/charts/new-relic/nri-bundle/charts/nri-metadata-injection/README.md @@ -64,5 +64,5 @@ Options that can be defined globally include `affinity`, `nodeSelector`, `tolera ## Maintainers * [juanjjaramillo](https://github.com/juanjjaramillo) -* [svetlanabrennan](https://github.com/svetlanabrennan) -* [xqi-nr](https://github.com/xqi-nr) +* [csongnr](https://github.com/csongnr) +* [dbudziwojskiNR](https://github.com/dbudziwojskiNR) diff --git a/charts/percona/psmdb-db/Chart.yaml b/charts/percona/psmdb-db/Chart.yaml index 3ceb9823a..28ff2bf6b 100644 --- a/charts/percona/psmdb-db/Chart.yaml +++ b/charts/percona/psmdb-db/Chart.yaml @@ -15,4 +15,4 @@ maintainers: - email: natalia.marukovich@percona.com name: nmarukovich name: psmdb-db -version: 1.15.1 +version: 1.15.3 diff --git a/charts/percona/psmdb-db/README.md b/charts/percona/psmdb-db/README.md index 129dde515..0fc8c12d2 100644 --- a/charts/percona/psmdb-db/README.md +++ b/charts/percona/psmdb-db/README.md 
@@ -93,6 +93,7 @@ The chart can be customized using the following configurable parameters: | `replsets[0].volumeSpec.emptyDir` | ReplicaSet Pods emptyDir K8S storage | `{}` | | `replsets[0].volumeSpec.hostPath` | ReplicaSet Pods hostPath K8S storage | | | `replsets[0].volumeSpec.hostPath.path` | ReplicaSet Pods hostPath K8S storage path | `""` | +| `replsets[0].volumeSpec.hostPath.type` | Type for hostPath volume | `Directory` | | `replsets[0].volumeSpec.pvc` | ReplicaSet Pods PVC request parameters | | | `replsets[0].volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | | `replsets[0].volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | @@ -119,6 +120,7 @@ The chart can be customized using the following configurable parameters: | `replsets[0].nonvoting.volumeSpec.emptyDir` | Nonvoting Pods emptyDir K8S storage | `{}` | | `replsets[0].nonvoting.volumeSpec.hostPath` | Nonvoting Pods hostPath K8S storage | | | `replsets[0].nonvoting.volumeSpec.hostPath.path` | Nonvoting Pods hostPath K8S storage path | `""` | +| `replsets[0].nonvoting.volumeSpec.hostPath.type` | Type for hostPath volume | `Directory` | | `replsets[0].nonvoting.volumeSpec.pvc` | Nonvoting Pods PVC request parameters | | | `replsets[0].nonvoting.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | | `replsets[0].nonvoting.volumeSpec.pvc.labels` | The Kubernetes labels metadata for Persistent Volume Claim | `{}` | 
@@ -172,6 +174,7 @@ The chart can be customized using the following configurable parameters: | `sharding.configrs.resources.requests.memory` | Config ReplicaSet resource requests memory | `0.5G` | | `sharding.configrs.volumeSpec.hostPath` | Config ReplicaSet hostPath K8S storage | | | `sharding.configrs.volumeSpec.hostPath.path` | Config ReplicaSet hostPath K8S storage path | `""` | +| `sharding.configrs.volumeSpec.hostPath.type` | Type for hostPath volum | `Directory` | | `sharding.configrs.volumeSpec.emptyDir` | Config ReplicaSet Pods emptyDir K8S storage | | | `sharding.configrs.volumeSpec.pvc` | Config ReplicaSet Pods PVC request parameters | | | `sharding.configrs.volumeSpec.pvc.annotations` | The Kubernetes annotations metadata for Persistent Volume Claim | `{}` | @@ -214,6 +217,8 @@ The chart can be customized using the following configurable parameters: | | | `backup.enabled` | Enable backup PBM agent | `true` | | `backup.annotations` | Backup job annotations | `{}` | +| `backup.podSecurityContext` | Set the security context for a Pod | `{}` | +| `backup.containerSecurityContext` | Set the security context for a Container | `{}` | | `backup.restartOnFailure` | Backup Pods restart policy | `true` | | `backup.image.repository` | PBM Container image repository | `percona/percona-backup-mongodb` | | `backup.image.tag` | PBM Container image tag | `2.3.0` | diff --git a/charts/percona/psmdb-db/templates/cluster.yaml b/charts/percona/psmdb-db/templates/cluster.yaml index 396e03aae..9052fe04b 100644 --- a/charts/percona/psmdb-db/templates/cluster.yaml +++ b/charts/percona/psmdb-db/templates/cluster.yaml 
@@ -191,8 +191,12 @@ spec: volumeSpec: {{- if $replset.volumeSpec.hostPath }} hostPath: - path: {{ $replset.volumeSpec.hostPath }} + path: {{ $replset.volumeSpec.hostPath.path }} + {{- if $replset.volumeSpec.hostPath.type }} + type: {{ $replset.volumeSpec.hostPath.type }} + {{- else }} type: Directory + {{- end }} {{- else if $replset.volumeSpec.pvc }} persistentVolumeClaim: {{ $replset.volumeSpec.pvc | toYaml | indent 8 }} @@ -258,8 +262,12 @@ spec: volumeSpec: {{- if $replset.nonvoting.volumeSpec.hostPath }} hostPath: - path: {{ $replset.nonvoting.volumeSpec.hostPath }} + path: {{ $replset.nonvoting.volumeSpec.hostPath.path }} + {{- if $replset.nonvoting.volumeSpec.hostPath.type }} + type: {{ $replset.nonvoting.volumeSpec.hostPath.type }} + {{- else }} type: Directory + {{- end }} {{- else if $replset.nonvoting.volumeSpec.pvc }} persistentVolumeClaim: {{ $replset.nonvoting.volumeSpec.pvc | toYaml | indent 10 }} @@ -413,8 +421,12 @@ spec: volumeSpec: {{- if .Values.sharding.configrs.volumeSpec.hostPath }} hostPath: - path: {{ .Values.sharding.configrs.volumeSpec.hostPath }} + path: {{ .Values.sharding.configrs.volumeSpec.hostPath.path }} + {{- if .Values.sharding.configrs.volumeSpec.hostPath.type }} + type: {{ .Values.sharding.configrs.volumeSpec.hostPath.type }} + {{- else }} type: Directory + {{- end }} {{- else if .Values.sharding.configrs.volumeSpec.pvc }} persistentVolumeClaim: {{ .Values.sharding.configrs.volumeSpec.pvc | toYaml | indent 10 }} 
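Review bot: Switching to `path: {{ $replset.volumeSpec.hostPath.path }}` turns `volumeSpec.hostPath` from a scalar into a map, so a values file written against the previous chart (`hostPath: /data`) now aborts rendering with a field-lookup error on a string rather than a readable message; if the schema break is intended, say so in the values.yaml comment and chart notes, or make it explicit with a guard like `{{- if kindIs "map" $replset.volumeSpec.hostPath }}` before the `.path` access. The nonvoting and sharding.configrs hunks below carry the same change. The `type` value is emitted unquoted and unvalidated, and only the Kubernetes hostPath type enum passes admission, so a values.yaml comment such as `# type: Directory | DirectoryOrCreate | File | FileOrCreate | Socket | CharDevice | BlockDevice (Directory requires the path to already exist on the node)` would save users a failed apply. Keeping the fallback at `Directory` rather than `DirectoryOrCreate` is the right choice: hostPath already exposes the node filesystem, and the default should not additionally create paths on the host. The enclosing volumeSpec block continues outside the hunk.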
@@ -538,6 +550,14 @@ spec: {{- if .Values.backup.annotations }} annotations: {{ .Values.backup.annotations | toYaml | indent 6 }} + {{- end }} + {{- if .Values.backup.podSecurityContext }} + podSecurityContext: +{{ .Values.backup.podSecurityContext | toYaml | indent 6 }} + {{- end }} + {{- if .Values.backup.containerSecurityContext }} + containerSecurityContext: +{{ .Values.backup.containerSecurityContext | toYaml | indent 6 }} {{- end }} image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}" serviceAccountName: {{ .Values.backup.serviceAccountName }} diff --git a/charts/percona/psmdb-db/values.yaml b/charts/percona/psmdb-db/values.yaml index 4b9ee8ac3..23d68a764 100644 --- a/charts/percona/psmdb-db/values.yaml +++ b/charts/percona/psmdb-db/values.yaml @@ -102,6 +102,8 @@ replsets: # priorityClass: "" # annotations: {} # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} # nodeSelector: {} # livenessProbe: # failureThreshold: 4 @@ -180,7 +182,7 @@ replsets: # - 10.0.0.0/8 # serviceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # serviceLabels: + # serviceLabels: # some-label: some-key # schedulerName: "" resources: @@ -194,6 +196,7 @@ replsets: # emptyDir: {} # hostPath: # path: /data + # type: Directory pvc: # annotations: # volume.beta.kubernetes.io/storage-class: example-hostpath @@ -250,6 +253,7 @@ replsets: # emptyDir: {} # hostPath: # path: /data + # type: Directory pvc: # annotations: # volume.beta.kubernetes.io/storage-class: example-hostpath @@ -326,6 +330,8 @@ sharding: # priorityClass: "" # annotations: {} # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} # nodeSelector: {} # livenessProbe: {} # readinessProbe: {} @@ -349,7 +355,7 @@ sharding: # - 10.0.0.0/8 # serviceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # serviceLabels: + # serviceLabels: # some-label: some-key resources: limits: 
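Review bot: The values.yaml hunks add commented `# podSecurityContext: {}` / `# containerSecurityContext: {}` under the replsets and sharding sections, but the only template wiring and README rows in this diff are for `backup.*`; unless the replset, configrs and mongos parts of cluster.yaml already render those keys (not visible here), the comments advertise settings that are silently dropped. The two new blocks in the backup hunk follow the existing `annotations` pattern (`toYaml | indent 6` at column 0), which keeps the template consistent. Because the backup agent pods run with whatever defaults the operator applies when these stay `{}`, the values.yaml comment for backup would be more useful with a concrete shape, e.g. `# containerSecurityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false}`, so users can see the intended hardening rather than an empty map. The backup spec continues outside the hunk.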
@@ -409,6 +415,8 @@ sharding: # priorityClass: "" # annotations: {} # labels: {} + # podSecurityContext: {} + # containerSecurityContext: {} # nodeSelector: {} # livenessProbe: {} # readinessProbe: {} @@ -439,7 +447,7 @@ sharding: # - 10.0.0.0/8 # serviceAnnotations: # service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http - # serviceLabels: + # serviceLabels: # some-label: some-key # auditLog: # destination: file @@ -459,6 +467,8 @@ backup: serviceAccountName: percona-server-mongodb-operator # annotations: # iam.amazonaws.com/role: role-arn + # podSecurityContext: {} + # containerSecurityContext: {} # resources: # limits: # cpu: "300m" diff --git a/charts/percona/psmdb-operator/Chart.yaml b/charts/percona/psmdb-operator/Chart.yaml index c003246ad..b9a284e27 100644 --- a/charts/percona/psmdb-operator/Chart.yaml +++ b/charts/percona/psmdb-operator/Chart.yaml @@ -16,4 +16,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: psmdb-operator -version: 1.15.0 +version: 1.15.2 diff --git a/charts/percona/psmdb-operator/README.md b/charts/percona/psmdb-operator/README.md index 2a2a03373..3237153e9 100644 --- a/charts/percona/psmdb-operator/README.md +++ b/charts/percona/psmdb-operator/README.md @@ -32,6 +32,8 @@ The chart can be customized using the following configurable parameters: | `image.pullSecrets` | PSMDB Operator Pod pull secret | `[]` | | `replicaCount` | PSMDB Operator Pod quantity | `1` | | `tolerations` | List of node taints to tolerate | `[]` | +| `annotations` | PSMDB Operator Deployment annotations | `{}` | +| `podAnnotations` | PSMDB Operator Pod annotations | `{}` | | `resources` | Resource requests and limits | `{}` | | `nodeSelector` | Labels for Pod assignment | `{}` | | `podAnnotations` | Annotations for pod | `{}` | 
@@ -40,6 +42,7 @@ The chart can be customized using the following configurable parameters: | `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | | `securityContext` | Container Security Context | `{}` | | `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` | +| `serviceAccount.annotations` | PSMDB Operator ServiceAccount annotations | `{}` | | `logStructured` | Force PSMDB operator to print JSON-wrapped log messages | `false` | | `logLevel` | PSMDB Operator logging level | `INFO` | | `disableTelemetry` | Disable sending PSMDB Operator telemetry data to Percona | `false` | diff --git a/charts/percona/psmdb-operator/templates/deployment.yaml b/charts/percona/psmdb-operator/templates/deployment.yaml index a208e8efe..5ab469894 100644 --- a/charts/percona/psmdb-operator/templates/deployment.yaml +++ b/charts/percona/psmdb-operator/templates/deployment.yaml @@ -4,7 +4,11 @@ metadata: name: {{ include "psmdb-operator.fullname" . }} namespace: {{ .Release.Namespace }} labels: -{{ include "psmdb-operator.labels" . | indent 4 }} + {{- include "psmdb-operator.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} spec: replicas: {{ .Values.replicaCount }} selector: @@ -35,9 +39,12 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 60000 + - containerPort: 8080 protocol: TCP name: metrics + - containerPort: 8081 + protocol: TCP + name: health command: - percona-server-mongodb-operator env: 
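Review bot: The metrics `containerPort` moves from 60000 to 8080 with no corresponding change to a Service, ServiceMonitor or NetworkPolicy anywhere in this diff; anything in the chart or in users' clusters that targets the old port by number (only the values.yaml comment `prometheus.io/port: "8080"` reflects the new one) would stop scraping or be blocked by an allow-list without an error, so the port change deserves a line in the README or release notes. The added `health` port 8081 and the `/healthz` probes in the next hunk are consistent with each other. Separately, the preceding psmdb-operator README hunk (`@@ -32,6 +32,8 @@`) inserts a `podAnnotations` row while the existing `| podAnnotations | Annotations for pod |` row two lines below is kept, so the table now documents the same key twice with different wording; one of them should go. The container spec continues outside the hunk.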
@@ -61,14 +68,14 @@ spec: value: "{{ .Values.env.resyncPeriod }}" - name: DISABLE_TELEMETRY value: "{{ .Values.disableTelemetry }}" - # livenessProbe: - # httpGet: - # path: / - # port: metrics - # readinessProbe: - # httpGet: - # path: / - # port: metrics + livenessProbe: + httpGet: + path: /healthz + port: health + readinessProbe: + httpGet: + path: /healthz + port: health resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/charts/percona/psmdb-operator/templates/role-binding.yaml b/charts/percona/psmdb-operator/templates/role-binding.yaml index 3f4528400..fb2bdbe3a 100644 --- a/charts/percona/psmdb-operator/templates/role-binding.yaml +++ b/charts/percona/psmdb-operator/templates/role-binding.yaml @@ -4,6 +4,10 @@ kind: ServiceAccount metadata: name: {{ include "psmdb-operator.fullname" . }} namespace: {{ .Release.Namespace }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} --- {{- end }} {{- if .Values.rbac.create }} diff --git a/charts/percona/psmdb-operator/values.yaml b/charts/percona/psmdb-operator/values.yaml index ab989c846..37f58e237 100644 --- a/charts/percona/psmdb-operator/values.yaml +++ b/charts/percona/psmdb-operator/values.yaml @@ -31,7 +31,13 @@ rbac: serviceAccount: # serviceAccount.create: Whether to create the Service Accounts or not create: true + # annotations to add to the service account + annotations: {} +# annotations to add to the operator deployment +annotations: {} + +# annotations to add to the operator pod podAnnotations: {} # prometheus.io/scrape: "true" # prometheus.io/port: "8080" diff --git a/charts/percona/pxc-db/Chart.yaml b/charts/percona/pxc-db/Chart.yaml index 25ee4572d..9385cd5a9 100644 --- a/charts/percona/pxc-db/Chart.yaml +++ b/charts/percona/pxc-db/Chart.yaml @@ -17,4 +17,4 @@ maintainers: - email: natalia.marukovich@percona.com name: nmarukovich name: pxc-db -version: 1.13.4 +version: 1.13.6 
diff --git a/charts/percona/pxc-db/README.md b/charts/percona/pxc-db/README.md index 490736ede..849cc956a 100644 --- a/charts/percona/pxc-db/README.md +++ b/charts/percona/pxc-db/README.md @@ -215,6 +215,8 @@ The chart can be customized using the following configurable parameters: | `pmm.serverUser` | Username for accessing PXC database internals | `admin` | | `pmm.resources.requests` | PMM Container resource requests | `{"memory": "150M", "cpu": "300m"}` | | `pmm.resources.limits` | PMM Container resource limits | `{}` | +| `pmm.pxcParams` | Additional parameters which will be passed to the [pmm-admin add mysql](https://docs.percona.com/percona-monitoring-and-management/setting-up/client/mysql.html#add-service) command for `pxc` Pods | `""` | +| `pmm.proxysqlParams` | Additional parameters which will be passed to the [pmm-admin add proxysql](https://docs.percona.com/percona-monitoring-and-management/setting-up/client/proxysql.html) command for `proxysql` Pods | `""` | | | | `backup.enabled` | Enables backups for PXC cluster | `true` | | `backup.allowParallel` | Allow taking multiple backups in parallel | `true` | diff --git a/charts/percona/pxc-db/templates/cluster.yaml b/charts/percona/pxc-db/templates/cluster.yaml index 2d47ce491..a581e01f3 100644 --- a/charts/percona/pxc-db/templates/cluster.yaml +++ b/charts/percona/pxc-db/templates/cluster.yaml @@ -473,6 +473,12 @@ spec: {{- end }} serverHost: {{ $pmm.serverHost }} serverUser: {{ $pmm.serverUser }} + {{- if $pmm.pxcParams }} + pxcParams: {{ $pmm.pxcParams }} + {{- end }} + {{- if $pmm.proxysqlParams }} + proxysqlParams: {{ $pmm.proxysqlParams }} + {{- end }} resources: requests: {{ tpl ($pmm.resources.requests | toYaml) $ | indent 8 }} diff --git a/charts/percona/pxc-db/templates/s3-secret.yaml b/charts/percona/pxc-db/templates/s3-secret.yaml index 60413f896..b801f1890 100644 --- a/charts/percona/pxc-db/templates/s3-secret.yaml +++ b/charts/percona/pxc-db/templates/s3-secret.yaml 
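Review bot: `pxcParams: {{ $pmm.pxcParams }}` and `proxysqlParams: {{ $pmm.proxysqlParams }}` emit the user-supplied string unquoted, so a value containing `: `, ` #`, or a leading `-`, `*` or `&` renders as malformed YAML or as a non-string node, while the CR expects a plain string; rendering them as `pxcParams: {{ $pmm.pxcParams | quote }}` and `proxysqlParams: {{ $pmm.proxysqlParams | quote }}` keeps the value a string whatever it contains. The README rows note that these strings are handed to the `pmm-admin add` command line, so this quoting is the only chart-level control over the value's shape; what the operator does with it is outside this diff. The pmm block continues outside the hunk.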
@@ -5,7 +5,7 @@ apiVersion: v1 kind: Secret metadata: name: {{ include "pxc-database.fullname" $ }}-s3-{{ $key }} - namespace: {{ .Release.Namespace }} + namespace: {{ $.Release.Namespace }} labels: {{ include "pxc-database.labels" $ | indent 4 }} type: Opaque diff --git a/charts/percona/pxc-db/values.yaml b/charts/percona/pxc-db/values.yaml index e967e9753..6e90f9bbf 100644 --- a/charts/percona/pxc-db/values.yaml +++ b/charts/percona/pxc-db/values.yaml @@ -477,6 +477,8 @@ pmm: imagePullSecrets: [] serverHost: monitoring-service serverUser: admin + # pxcParams: "--disable-tablestats-limit=2000" + # proxysqlParams: "--custom-labels=CUSTOM-LABELS" resources: requests: memory: 150M diff --git a/charts/percona/pxc-operator/Chart.yaml b/charts/percona/pxc-operator/Chart.yaml index 5f973f15e..937c9f737 100644 --- a/charts/percona/pxc-operator/Chart.yaml +++ b/charts/percona/pxc-operator/Chart.yaml @@ -18,4 +18,4 @@ maintainers: - email: sergey.pronin@percona.com name: spron-in name: pxc-operator -version: 1.13.3 +version: 1.13.5 diff --git a/charts/percona/pxc-operator/README.md b/charts/percona/pxc-operator/README.md index 75b4acbe5..1c465b742 100644 --- a/charts/percona/pxc-operator/README.md +++ b/charts/percona/pxc-operator/README.md @@ -32,6 +32,7 @@ The chart can be customized using the following configurable parameters: | `imagePullSecrets` | PXC Operator Pod pull secret | `[]` | | `replicaCount` | PXC Operator Pod quantity | `1` | | `tolerations` | List of node taints to tolerate | `[]` | +| `podAnnotations` | Operator Pod user-defined annotations | `{}` | | `resources` | Resource requests and limits | `{}` | | `nodeSelector` | Labels for Pod assignment | `{}` | | `logStructured` | Force PXC operator to print JSON-wrapped log messages | `false` | 
@@ -39,6 +40,7 @@ The chart can be customized using the following configurable parameters: | `disableTelemetry` | Disable sending PXC Operator telemetry data to Percona | `false` | | `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` | | `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` | +| `extraEnvVars` | Custom pod environment variables | `[]` | Specify parameters using `--set key=value[,key=value]` argument to `helm install` diff --git a/charts/percona/pxc-operator/templates/deployment.yaml b/charts/percona/pxc-operator/templates/deployment.yaml index 69d615dcd..f073b4f10 100644 --- a/charts/percona/pxc-operator/templates/deployment.yaml +++ b/charts/percona/pxc-operator/templates/deployment.yaml @@ -19,6 +19,10 @@ spec: type: RollingUpdate template: metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} labels: app.kubernetes.io/component: operator app.kubernetes.io/name: {{ include "pxc-operator.name" . }} @@ -65,6 +69,9 @@ spec: value: "{{ .Values.logLevel }}" - name: DISABLE_TELEMETRY value: "{{ .Values.disableTelemetry }}" + {{- if .Values.extraEnvVars }} + {{- toYaml .Values.extraEnvVars | nindent 12 }} + {{- end }} livenessProbe: failureThreshold: 3 httpGet: diff --git a/charts/percona/pxc-operator/values.yaml b/charts/percona/pxc-operator/values.yaml index 725945f05..07f8a3453 100644 --- a/charts/percona/pxc-operator/values.yaml +++ b/charts/percona/pxc-operator/values.yaml @@ -53,6 +53,14 @@ tolerations: [] affinity: {} +podAnnotations: {} + logStructured: false logLevel: "INFO" disableTelemetry: false + +extraEnvVars: [] +# - name: http_proxy +# value: "example-proxy-http" +# - name: https_proxy +# value: "example-proxy-https" diff --git a/charts/redpanda/redpanda/Chart.lock b/charts/redpanda/redpanda/Chart.lock index fe0f09054..7197c87ea 100644 
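Review bot: `{{- toYaml .Values.extraEnvVars | nindent 12 }}` splices the list verbatim into the operator container's `env`, but neither the README row (`Custom pod environment variables`) nor the values.yaml example states that each entry is a Kubernetes EnvVar object; a comment like `# list of EnvVar objects; for credentials use valueFrom.secretKeyRef instead of an inline value` would keep secrets out of plain-text values files. The proxy example in values.yaml would also benefit from a `no_proxy` entry, since an `https_proxy` alone may route the operator's API-server traffic through the proxy. The container's env list continues outside the hunk.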
--- a/charts/redpanda/redpanda/Chart.lock +++ b/charts/redpanda/redpanda/Chart.lock @@ -1,9 +1,9 @@ dependencies: - name: console repository: https://charts.redpanda.com - version: 0.7.16 + version: 0.7.18 - name: connectors repository: https://charts.redpanda.com version: 0.1.9 -digest: sha256:977004c9b9eb8cb886229bf385619e90b137562b67ebefde04b9791ebbff88fb -generated: "2024-01-23T12:05:10.35618748Z" +digest: sha256:89c683c4ecbe02d5157c467f49975eb440d61e40a8470e7da722f459ca04701a +generated: "2024-02-06T14:22:00.096887653Z" diff --git a/charts/redpanda/redpanda/Chart.yaml b/charts/redpanda/redpanda/Chart.yaml index 2a859128a..bb9383b5e 100644 --- a/charts/redpanda/redpanda/Chart.yaml +++ b/charts/redpanda/redpanda/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/redpanda:v23.3.1 + image: docker.redpanda.com/redpandadata/redpanda:v23.3.4 - name: busybox image: busybox:latest - name: mintel/docker-alpine-bash-curl-jq @@ -17,7 +17,7 @@ annotations: catalog.cattle.io/kube-version: '>=1.21-0' catalog.cattle.io/release-name: redpanda apiVersion: v2 -appVersion: v23.3.1 +appVersion: v23.3.4 dependencies: - condition: console.enabled name: console @@ -37,4 +37,4 @@ name: redpanda sources: - https://github.com/redpanda-data/helm-charts type: application -version: 5.7.10 +version: 5.7.23 diff --git a/charts/redpanda/redpanda/README.md b/charts/redpanda/redpanda/README.md index 257aee0af..5f609b6cb 100644 --- a/charts/redpanda/redpanda/README.md +++ b/charts/redpanda/redpanda/README.md 
@@ -3,7 +3,7 @@ description: Find the default values and descriptions of settings in the Redpanda Helm chart. --- -![Version: 5.7.8](https://img.shields.io/badge/Version-5.7.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.1](https://img.shields.io/badge/AppVersion-v23.3.1-informational?style=flat-square) +![Version: 5.7.22](https://img.shields.io/badge/Version-5.7.22-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v23.3.4](https://img.shields.io/badge/AppVersion-v23.3.4-informational?style=flat-square) This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. @@ -57,7 +57,7 @@ Enable or disable audit logging, for production clusters we suggest you enable, ### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) -Event types that should be captured by audit logs, default is ["admin", "authenticate", "management"]. +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. **Default:** `nil` 
@@ -75,7 +75,7 @@ List of topics to exclude from auditing, default is null. ### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) -Kafka listener name, note that it must have `authenticationMethod` set to sasl 'internal' if using internal listener, else use external listener name, e.g., default. +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. **Default:** `"internal"` @@ -99,7 +99,7 @@ Defines the maximum amount of memory used (in bytes) by the audit buffer in each ### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) -Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the internal_topic_replication_factor cluster config value. Default is null +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` **Default:** `nil` 
@@ -777,7 +777,7 @@ In environments where root is not allowed, you cannot change the ownership of fi ### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) -Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global nodeSelector value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). **Default:** `{}` @@ -817,7 +817,7 @@ Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you w ### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) -Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. **Default:** `100` 
@@ -966,7 +966,7 @@ Persistence settings. For details, see the [storage documentation](https://docs. **Default:** ``` -{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"credentialsSecretRef":{},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} ``` ### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) 
@@ -982,7 +982,7 @@ If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and us **Default:** ``` -{"annotations":{},"enabled":true,"labels":{},"size":"20Gi","storageClass":""} +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} ``` ### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) @@ -997,9 +997,15 @@ Additional labels to apply to the created PersistentVolumeClaims. **Default:** `{}` +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + ### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) -To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). **Default:** `""` 
@@ -1015,37 +1021,37 @@ Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.license ### [storage.tiered.config.cloud_storage_access_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_access_key) -Required for AWS and GCS authentication with access keys. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). +AWS or GCP access key (required for AWS and GCP authentication with access keys). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). **Default:** `""` ### [storage.tiered.config.cloud_storage_api_endpoint](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_api_endpoint) -See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). +AWS or GCP API endpoint. * For AWS, this can be left blank as it is generated automatically using the bucket and region. For example, `.s3..amazonaws.com`. * For GCP, use `storage.googleapis.com` See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). **Default:** `""` ### [storage.tiered.config.cloud_storage_azure_container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_container) -Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). +Name of the Azure container to use with Tiered Storage (required for ABS/ADLS). Note that the container must belong to the account specified by `cloud_storage_azure_storage_account`. 
See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). **Default:** `nil` ### [storage.tiered.config.cloud_storage_azure_shared_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_shared_key) -Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). +Shared key to be used for Azure Shared Key authentication with the Azure storage account specified by `cloud_storage_azure_storage_account`. Note that the key should be base64 encoded. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). **Default:** `nil` ### [storage.tiered.config.cloud_storage_azure_storage_account](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_storage_account) -Required for ABS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). +Name of the Azure storage account to use with Tiered Storage (required for ABS/ADLS). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). **Default:** `nil` ### [storage.tiered.config.cloud_storage_bucket](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_bucket) -Required for AWS and GCS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). +AWS or GCP bucket name used for Tiered Storage (required for AWS and GCP). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). **Default:** `""` 
@@ -1057,19 +1063,19 @@ Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See th ### [storage.tiered.config.cloud_storage_credentials_source](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_credentials_source) -Required for AWS and GCS authentication with IAM roles. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). +Source of credentials used to connect to cloud services (required for AWS and GCP authentication with IAM roles). * `config_file` * `aws_instance_metadata` * `sts` * `gcp_instance_metadata` See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). **Default:** `"config_file"` ### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) -See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). **Default:** `true` ### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) -See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). **Default:** `true` 
@@ -1081,13 +1087,13 @@ Global flag that enables Tiered Storage if a license key is provided. See the [p ### [storage.tiered.config.cloud_storage_region](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_region) -Required for AWS and GCS. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). +AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCP). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). **Default:** `""` ### [storage.tiered.config.cloud_storage_secret_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_secret_key) -Required for AWS and GCS authentication with access keys. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). +AWS or GCP secret key (required for AWS and GCP authentication with access keys). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). **Default:** `""` diff --git a/charts/redpanda/redpanda/charts/console/Chart.yaml b/charts/redpanda/redpanda/charts/console/Chart.yaml index 1d4cd0a37..5e487f101 100644 --- a/charts/redpanda/redpanda/charts/console/Chart.yaml +++ b/charts/redpanda/redpanda/charts/console/Chart.yaml @@ -1,7 +1,7 @@ annotations: artifacthub.io/images: | - name: redpanda - image: docker.redpanda.com/redpandadata/console:v2.3.9 + image: docker.redpanda.com/redpandadata/console:v2.4.1 artifacthub.io/license: Apache-2.0 artifacthub.io/links: | - name: Documentation 
@@ -9,7 +9,7 @@ annotations: - name: "Helm (>= 3.6.0)" url: https://helm.sh/docs/intro/install/ apiVersion: v2 -appVersion: v2.3.9 +appVersion: v2.4.1 description: Helm chart to deploy Redpanda Console. icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg maintainers: @@ -19,4 +19,4 @@ name: console sources: - https://github.com/redpanda-data/helm-charts type: application -version: 0.7.16 +version: 0.7.18 diff --git a/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml b/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml new file mode 100644 index 000000000..b710777bb --- /dev/null +++ b/charts/redpanda/redpanda/ci/18-single-external-address-values.yaml @@ -0,0 +1,26 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +# the number of replicas should match the length of the addresses +statefulset: + replicas: 3 + +external: + enabled: true + domain: my-domain + addresses: + - $PREFIX_TEMPLATE + prefixTemplate: $POD_ORDINAL-XYZ-$(echo -n $HOST_IP_ADDRESS | sha256sum + | head -c 7) 
diff --git a/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl index da8d6f5a8..dc7e8e553 100644 --- a/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl +++ b/charts/redpanda/redpanda/ci/21-eks-tiered-storage-with-creds-values.yaml.tpl @@ -24,4 +24,12 @@ storage: cloud_storage_bucket: "${TEST_BUCKET}" cloud_storage_segment_max_upload_interval_sec: 1 enterprise: - license: "${REDPANDA_SAMPLE_LICENSE}" \ No newline at end of file + license: "${REDPANDA_SAMPLE_LICENSE}" + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl index f456972ff..2b9aa4aea 100644 --- a/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl +++ b/charts/redpanda/redpanda/ci/22-gke-tiered-storage-with-creds-values.yaml.tpl @@ -36,4 +36,12 @@ resources: max: 2.0Gi redpanda: memory: 1Gi - reserveMemory: 100Mi \ No newline at end of file + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl index e559095d7..241ffb753 100644 --- a/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl 
+++ b/charts/redpanda/redpanda/ci/23-aks-tiered-storage-with-creds-values.yaml.tpl @@ -37,4 +37,12 @@ resources: max: 2.0Gi redpanda: memory: 1Gi - reserveMemory: 100Mi \ No newline at end of file + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl new file mode 100644 index 000000000..1e11a8333 --- /dev/null +++ b/charts/redpanda/redpanda/ci/24-eks-tiered-storage-persistent-with-creds-values.yaml.tpl 
@@ -0,0 +1,36 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + tiered: + mountType: persistentVolume + config: + cloud_storage_enabled: true + cloud_storage_credentials_source: config_file + cloud_storage_access_key: "${AWS_ACCESS_KEY_ID}" + cloud_storage_secret_key: "${AWS_SECRET_ACCESS_KEY}" + cloud_storage_region: "${AWS_REGION}" + cloud_storage_bucket: "${TEST_BUCKET}" + cloud_storage_segment_max_upload_interval_sec: 1 +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl new file mode 100644 index 000000000..60f6eed3e --- /dev/null +++ b/charts/redpanda/redpanda/ci/25-gke-tiered-storage-persistent-with-creds-values.yaml.tpl 
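Review bot: This fixture passes the AWS credentials as plain `cloud_storage_access_key`/`cloud_storage_secret_key` entries under `storage.tiered.config`, so the `credentialsSecretRef.accessKey`/`secretKey` path that this same commit adds in _helpers.tpl, secrets.yaml and statefulset.yaml is not exercised by any of the new CI fixtures; files 25 through 29 (L1811–L1817) follow the same pattern. Having at least one of them reference a Kubernetes Secret through `storage.tiered.credentialsSecretRef.secretKey`/`accessKey` would test the new code and presumably keep the key material out of the rendered cluster configuration. The `console:` override repeated in every fixture pins `console-unstable:master-8a51854` with a comment that only names the pending PR; noting which chart or console release lets the block be removed would make the cleanup easier to spot later.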
@@ -0,0 +1,48 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + tiered: + mountType: persistentVolume + config: + cloud_storage_enabled: true + cloud_storage_api_endpoint: storage.googleapis.com + cloud_storage_credentials_source: config_file + cloud_storage_region: "US-WEST1" + cloud_storage_bucket: "${TEST_BUCKET}" + cloud_storage_segment_max_upload_interval_sec: 1 + cloud_storage_access_key: "${GCP_ACCESS_KEY_ID}" + cloud_storage_secret_key: "${GCP_SECRET_ACCESS_KEY}" +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + + +resources: + cpu: + cores: 400m + memory: + container: + max: 2.0Gi + redpanda: + memory: 1Gi + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl new file mode 100644 index 000000000..b82f9b85d --- /dev/null 
+++ b/charts/redpanda/redpanda/ci/26-aks-tiered-storage-persistent-with-creds-values.yaml.tpl @@ -0,0 +1,49 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + persistentVolume: + storageClass: managed-csi + tiered: + mountType: persistentVolume + persistentVolume: + storageClass: managed-csi + config: + cloud_storage_enabled: true + cloud_storage_credentials_source: config_file + cloud_storage_segment_max_upload_interval_sec: 1 + cloud_storage_azure_storage_account: ${TEST_STORAGE_ACCOUNT} + cloud_storage_azure_container: ${TEST_STORAGE_CONTAINER} + cloud_storage_azure_shared_key: ${TEST_AZURE_SHARED_KEY} +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + +resources: + cpu: + cores: 400m + memory: + container: + max: 2.0Gi + redpanda: + memory: 1Gi + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 
diff --git a/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl new file mode 100644 index 000000000..f92ec7a9c --- /dev/null +++ b/charts/redpanda/redpanda/ci/27-eks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl @@ -0,0 +1,38 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + persistentVolume: + nameOverwrite: shadow-index-cache + tiered: + mountType: persistentVolume + config: + cloud_storage_enabled: true + cloud_storage_credentials_source: config_file + cloud_storage_access_key: "${AWS_ACCESS_KEY_ID}" + cloud_storage_secret_key: "${AWS_SECRET_ACCESS_KEY}" + cloud_storage_region: "${AWS_REGION}" + cloud_storage_bucket: "${TEST_BUCKET}" + cloud_storage_segment_max_upload_interval_sec: 1 +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 
diff --git a/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl new file mode 100644 index 000000000..ebc096f91 --- /dev/null +++ b/charts/redpanda/redpanda/ci/28-gke-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl 
@@ -0,0 +1,50 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + persistentVolume: + nameOverwrite: shadow-index-cache + tiered: + mountType: persistentVolume + config: + cloud_storage_enabled: true + cloud_storage_api_endpoint: storage.googleapis.com + cloud_storage_credentials_source: config_file + cloud_storage_region: "US-WEST1" + cloud_storage_bucket: "${TEST_BUCKET}" + cloud_storage_segment_max_upload_interval_sec: 1 + cloud_storage_access_key: "${GCP_ACCESS_KEY_ID}" + cloud_storage_secret_key: "${GCP_SECRET_ACCESS_KEY}" +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + + +resources: + cpu: + cores: 400m + memory: + container: + max: 2.0Gi + redpanda: + memory: 1Gi + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 
diff --git a/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl b/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl new file mode 100644 index 000000000..bf5a1eafe --- /dev/null +++ b/charts/redpanda/redpanda/ci/29-aks-tiered-storage-persistent-nameoverwrite-with-creds-values.yaml.tpl 
@@ -0,0 +1,50 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +storage: + persistentVolume: + storageClass: managed-csi + nameOverwrite: shadow-index-cache + tiered: + mountType: persistentVolume + persistentVolume: + storageClass: managed-csi + config: + cloud_storage_enabled: true + cloud_storage_credentials_source: config_file + cloud_storage_segment_max_upload_interval_sec: 1 + cloud_storage_azure_storage_account: ${TEST_STORAGE_ACCOUNT} + cloud_storage_azure_container: ${TEST_STORAGE_CONTAINER} + cloud_storage_azure_shared_key: ${TEST_AZURE_SHARED_KEY} +enterprise: + license: "${REDPANDA_SAMPLE_LICENSE}" + +resources: + cpu: + cores: 400m + memory: + container: + max: 2.0Gi + redpanda: + memory: 1Gi + reserveMemory: 100Mi + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl b/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl index c760df54b..c2dbef2ce 100644 
--- a/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl +++ b/charts/redpanda/redpanda/ci/96-audit-logging-values.yaml.tpl @@ -27,3 +27,11 @@ auth: auditLogging: enabled: true listeners: default + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl b/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl index 3eb6cf4aa..b1abb8be4 100644 --- a/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl +++ b/charts/redpanda/redpanda/ci/97-license-key-values.yaml.tpl @@ -15,3 +15,11 @@ --- enterprise: license: "${REDPANDA_LICENSE}" + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/ci/98-license-secret-values.yaml b/charts/redpanda/redpanda/ci/98-license-secret-values.yaml index 8643f347d..f66a39ccc 100644 --- a/charts/redpanda/redpanda/ci/98-license-secret-values.yaml +++ b/charts/redpanda/redpanda/ci/98-license-secret-values.yaml @@ -17,3 +17,11 @@ enterprise: licenseSecretRef: name: redpanda-license key: license-key + +console: + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 
diff --git a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml b/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml index 030655830..637cd0f68 100644 --- a/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml +++ b/charts/redpanda/redpanda/ci/99-none-existent-config-options-with-empty-values.yaml @@ -67,3 +67,9 @@ console: secret: defaultMode: 0420 secretName: redpanda-license + # Until https://github.com/redpanda-data/console-enterprise/pull/256 is released the console + # test named `test-license-with-console.yaml` needs to work with unreleased Redpanda Console version. + image: + registry: redpandadata + repository: console-unstable + tag: master-8a51854 diff --git a/charts/redpanda/redpanda/templates/_helpers.tpl b/charts/redpanda/redpanda/templates/_helpers.tpl index 08187c9ea..3e1378d24 100644 --- a/charts/redpanda/redpanda/templates/_helpers.tpl +++ b/charts/redpanda/redpanda/templates/_helpers.tpl 
@@ -524,10 +524,16 @@ advertised-host returns a json string with the data needed for configuring the a
 {{- define "advertised-host" -}}
 {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}}
 {{- if .values.external.addresses -}}
- {{- if ( .values.external.domain | default "" ) }}
- {{- $host = dict "name" .externalName "address" (printf "%s.%s" (index .values.external.addresses .replicaIndex) (.values.external.domain)) "port" .port -}}
+ {{- $address := "" -}}
+ {{- if gt (len .values.external.addresses) 1 -}}
+ {{- $address = (index .values.external.addresses .replicaIndex) -}}
 {{- else -}}
- {{- $host = dict "name" .externalName "address" (index .values.external.addresses .replicaIndex) "port" .port -}}
+ {{- $address = (index .values.external.addresses 0) -}}
+ {{- end -}}
+ {{- if ( .values.external.domain | default "" ) }}
+ {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}}
+ {{- else -}}
+ {{- $host = dict "name" .externalName "address" $address "port" .port -}}
 {{- end -}}
 {{- end -}}
 {{- toJson $host -}}
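Review bot: The single-address branch (`index .values.external.addresses 0`) hands every broker the same advertised address, and nothing in the helper says where per-broker uniqueness is then expected to come from; the values.yaml comment added in this commit points at `external.prefixTemplate`, but a reader of this helper cannot see that. Add a template comment above the `gt (len ...) 1` check, e.g. `{{/* a single entry is shared by all brokers; per-broker uniqueness then relies on external.prefixTemplate */}}`. The empty `$address := ""` seed followed by assignment in both branches could be `{{- $address := index .values.external.addresses 0 -}}` with only the multi-address case overriding it, which reads more directly. When the list has more than one entry but fewer than `statefulset.replicas`, `index ... .replicaIndex` still fails at render time with an out-of-range error; that predates this change but is worth a `fail` with a clear message.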
@@ -862,3 +868,26 @@ REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM
 {{- toJson (dict "bool" $requireClientAuth) -}}
 {{- end -}}
 {{- end -}}
+
+{{- define "storage-tiered-credentials-secret-key" -}}
+{{- $oldCondtion := (and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key) -}}
+{{- $newCondtion := (and .Values.storage.tiered.credentialsSecretRef.secretKey.name .Values.storage.tiered.credentialsSecretRef.secretKey.key) -}}
+{{- $configurationKey := (dig "configurationKey" "" .Values.storage.tiered.credentialsSecretRef) -}}
+{{- if empty $configurationKey -}}
+ {{- $configurationKey = .Values.storage.tiered.credentialsSecretRef.secretKey.configurationKey -}}
+{{- end -}}
+{{- $key := (dig "key" "" .Values.storage.tiered.credentialsSecretRef) -}}
+{{- if empty $key -}}
+ {{- $key = .Values.storage.tiered.credentialsSecretRef.secretKey.key -}}
+{{- end -}}
+{{- $name := (dig "name" "" .Values.storage.tiered.credentialsSecretRef) -}}
+{{- if empty $name -}}
+ {{- $name = .Values.storage.tiered.credentialsSecretRef.secretKey.name -}}
+{{- end -}}
+{{- toJson (dict
+ "bool" (or $oldCondtion $newCondtion)
+ "configurationKey" $configurationKey
+ "key" $key
+ "name" $name
+) -}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/templates/post-upgrade.yaml b/charts/redpanda/redpanda/templates/post-upgrade.yaml
index 3819ac70d..0ec2f0499 100644
--- a/charts/redpanda/redpanda/templates/post-upgrade.yaml
+++ b/charts/redpanda/redpanda/templates/post-upgrade.yaml
@@ -37,6 +37,9 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
+ {{- with .Values.post_upgrade_job.backoffLimit }}
+ backoffLimit: {{ .Values.post_upgrade_job.backoffLimit }}
+ {{- end }}
 template:
 metadata:
 name: "{{ .Release.Name }}"
diff --git a/charts/redpanda/redpanda/templates/rbac.yaml b/charts/redpanda/redpanda/templates/rbac.yaml
index 767f13270..735442d73 100644
--- a/charts/redpanda/redpanda/templates/rbac.yaml
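Review bot: `$oldCondtion`/`$newCondtion` are misspelled (`Condition`), and the helper carries no comment explaining the precedence it implements: the deprecated flat `credentialsSecretRef.name`/`key`/`configurationKey` win, with `credentialsSecretRef.secretKey.*` used as the fallback, and `bool` is true when either pair is complete. A header comment such as `{{/* Resolves the secret-key reference: deprecated top-level name/key/configurationKey take precedence over secretKey.*; bool is true when either pair is complete */}}` would save the next reader tracing the three `dig`/`empty` blocks. Because each field falls back independently, a values file that sets one deprecated field and the new block gets a `name` from one source and a `key` from the other; if mixing is not intended, a `fail` when both forms are present would make that explicit. The new `.secretKey.*` fields are read directly while the deprecated ones go through `dig`, which presumably relies on values.yaml always defining the `secretKey` block.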
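Review bot: Inside `{{- with .Values.post_upgrade_job.backoffLimit }}` the dot is rebound to the limit itself, so the inner `{{ .Values.post_upgrade_job.backoffLimit }}` looks up `.Values` on an integer and rendering fails exactly when the option is set; write `backoffLimit: {{ . }}` (or `$.Values.post_upgrade_job.backoffLimit`). `with` also treats `0` as empty, so a zero backoff limit cannot be expressed; if that is a supported value, `{{- if not (kindIs "invalid" .Values.post_upgrade_job.backoffLimit) }}` admits it. The surrounding Job spec continues outside the hunk.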
+++ b/charts/redpanda/redpanda/templates/rbac.yaml @@ -121,7 +121,7 @@ metadata: {{- . | nindent 4 }} {{- end }} {{- with .Values.serviceAccount.annotations }} -annotations: + annotations: {{- toYaml . | nindent 4 }} {{- end }} rules: @@ -154,7 +154,7 @@ metadata: {{- . | nindent 4 }} {{- end }} {{- with .Values.serviceAccount.annotations }} -annotations: + annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: @@ -175,7 +175,7 @@ metadata: {{- . | nindent 4 }} {{- end }} {{- with .Values.serviceAccount.annotations }} -annotations: + annotations: {{- toYaml . | nindent 4 }} {{- end }} rules: @@ -226,7 +226,7 @@ metadata: {{- . | nindent 4 }} {{- end }} {{- with .Values.serviceAccount.annotations }} -annotations: + annotations: {{- toYaml . | nindent 4 }} {{- end }} roleRef: diff --git a/charts/redpanda/redpanda/templates/secrets.yaml b/charts/redpanda/redpanda/templates/secrets.yaml index eaac69bed..7e472d130 100644 --- a/charts/redpanda/redpanda/templates/secrets.yaml +++ b/charts/redpanda/redpanda/templates/secrets.yaml @@ -293,11 +293,11 @@ stringData: BROKER_INDEX=`expr $POD_ORDINAL + 1` CONFIG=/etc/redpanda/redpanda.yaml - + # Setup config files cp /tmp/base-config/redpanda.yaml "${CONFIG}" cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml - + {{- if not (include "redpanda-atleast-22-3-0" . | fromJson).bool }} # Configure bootstrap ## Not used for Redpanda v22.3.0+ 
@@ -351,10 +351,16 @@ stringData: rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}" {{- end }} {{- end }} - {{- if and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key }} + {{- if (include "storage-tiered-credentials-secret-key" . | fromJson).bool }} set +x - echo Setting cloud_storage_secret_key configuration - rpk redpanda config --config "$CONFIG" set cloud_storage_secret_key $CLOUD_STORAGE_SECRET_KEY + echo Setting {{ (include "storage-tiered-credentials-secret-key" . | fromJson).configurationKey }} configuration + rpk cluster config --config "$CONFIG" set {{ (include "storage-tiered-credentials-secret-key" . | fromJson).configurationKey }} $CLOUD_STORAGE_SECRET_KEY + set -x + {{- end }} + {{- if and .Values.storage.tiered.credentialsSecretRef.accessKey.name .Values.storage.tiered.credentialsSecretRef.accessKey.key }} + set +x + echo Setting {{ .Values.storage.tiered.credentialsSecretRef.accessKey.configurationKey }} configuration + rpk cluster config --config "$CONFIG" set {{ .Values.storage.tiered.credentialsSecretRef.accessKey.configurationKey }} $CLOUD_STORAGE_ACCESS_KEY set -x {{- end }} {{- if .Values.statefulset.initContainers.fsValidator.enabled}} 
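Review bot: `$CLOUD_STORAGE_SECRET_KEY` and `$CLOUD_STORAGE_ACCESS_KEY` are expanded unquoted on the two `rpk cluster config ... set` lines, so a value containing whitespace or glob characters is word-split before rpk sees it; write `"$CLOUD_STORAGE_SECRET_KEY"` and `"$CLOUD_STORAGE_ACCESS_KEY"`. The `set +x` guard keeps the value out of the trace, but passing it as an argument still exposes it in the process command line for the duration of the call; if rpk can read the value from stdin or a file that would be preferable, otherwise a short comment acknowledging the trade-off belongs here. The command also moves from `rpk redpanda config set` (node configuration file) to `rpk cluster config set` (cluster configuration), which presumably needs a reachable admin API from this init container rather than only `$CONFIG` — worth confirming, since the old form worked offline. The enclosing script starts and ends outside the hunk.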
@@ -376,38 +382,38 @@ stringData: DATA_DIR="/var/lib/redpanda/data" TEST_FILE="testfile" - + echo "checking data directory exist..." if [ ! -d "${DATA_DIR}" ]; then echo "data directory does not exists, exiting" exit 1 fi - + echo "checking filesystem type..." FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') - + if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" exit 1 fi - + echo "checking if able to create a test file..." - + touch ${DATA_DIR}/${TEST_FILE} result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) if [ "${result}" != "0" ]; then echo "could not write testfile, may not have write permission" exit 1 fi - + echo "checking if able to delete a test file..." - + result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) if [ "${result}" != "0" ]; then echo "could not delete testfile" exit 1 fi - + echo "passed" -{{- end }} \ No newline at end of file +{{- end }} diff --git a/charts/redpanda/redpanda/templates/statefulset.yaml b/charts/redpanda/redpanda/templates/statefulset.yaml index edbf2ca68..b42ada292 100644 --- a/charts/redpanda/redpanda/templates/statefulset.yaml +++ b/charts/redpanda/redpanda/templates/statefulset.yaml @@ -131,7 +131,7 @@ spec: - name: datadir mountPath: /var/lib/redpanda/data {{- if ne (include "storage-tiered-mountType" .) "none" }} - - name: tiered-storage-dir + - name: {{ default "tiered-storage-dir" .Values.storage.persistentVolume.nameOverwrite }} mountPath: {{ include "tieredStorage.cacheDirectory" . }} {{- end }} {{- if dig "initContainers" "setTieredStorageCacheDirOwnership" "extraVolumeMounts" false .Values.statefulset -}} 
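Review bot: The mount in this hunk takes its name from `storage.persistentVolume.nameOverwrite` for every non-`none` mount type, but the `volumes:` entry in the `@@ -372` hunk (L1826) still hard-codes `tiered-storage-dir` for `hostPath`/`emptyDir`, so setting `nameOverwrite` together with `tiered.mountType: hostPath` or `emptyDir` produces a mount with no matching volume and the pod is rejected. Either scope the override to the persistent-volume case, e.g. `{{- $tieredVolumeName := ternary (default "tiered-storage-dir" .Values.storage.persistentVolume.nameOverwrite) "tiered-storage-dir" (eq (include "storage-tiered-mountType" .) "persistentVolume") }}`, or apply the same `default` expression to the volume name at L1826 so the two always agree. The same mount expression is repeated in the `@@ -296` hunk (L1825); computing the name once at the top of the template would keep the copies from drifting.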
@@ -163,12 +163,19 @@ spec: fieldRef: apiVersion: v1 fieldPath: status.hostIP - {{- if and .Values.storage.tiered.credentialsSecretRef.name .Values.storage.tiered.credentialsSecretRef.key }} + {{- if (include "storage-tiered-credentials-secret-key" . | fromJson).bool }} - name: CLOUD_STORAGE_SECRET_KEY valueFrom: secretKeyRef: - key: {{ .Values.storage.tiered.credentialsSecretRef.key }} - name: {{ .Values.storage.tiered.credentialsSecretRef.name }} + key: {{ (include "storage-tiered-credentials-secret-key" . | fromJson).key }} + name: {{ (include "storage-tiered-credentials-secret-key" . | fromJson).name }} + {{- end }} + {{- if and .Values.storage.tiered.credentialsSecretRef.accessKey.name .Values.storage.tiered.credentialsSecretRef.accessKey.key }} + - name: CLOUD_STORAGE_ACCESS_KEY + valueFrom: + secretKeyRef: + key: {{ .Values.storage.tiered.credentialsSecretRef.accessKey.key }} + name: {{ .Values.storage.tiered.credentialsSecretRef.accessKey.name }} {{- end }} securityContext: {{ include "container-security-context" . | nindent 12 }} volumeMounts: {{ include "common-mounts" . | nindent 12 }} @@ -296,7 +303,7 @@ spec: - name: datadir mountPath: /var/lib/redpanda/data {{- if and (include "is-licensed" . | fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled (ne (include "storage-tiered-mountType" .) "none") }} - - name: tiered-storage-dir + - name: {{ default "tiered-storage-dir" .Values.storage.persistentVolume.nameOverwrite }} mountPath: {{ include "tieredStorage.cacheDirectory" . }} {{- end }} resources: 
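Review bot: `include "storage-tiered-credentials-secret-key" . | fromJson` is evaluated three times in this hunk (the `if`, `key:` and `name:`) and twice more in secrets.yaml; binding it once, `{{- $secretKeyRef := include "storage-tiered-credentials-secret-key" . | fromJson }}`, and using `$secretKeyRef.bool`/`$secretKeyRef.key`/`$secretKeyRef.name` is cheaper and easier to read. The adjacent `accessKey` block reads `.Values.storage.tiered.credentialsSecretRef.accessKey.*` directly with no helper and no deprecated fallbacks, which is correct as far as the diff shows but leaves the two blocks shaped differently; a one-line comment such as `# accessKey has no legacy flat fields, so it is read directly` would stop someone "fixing" the asymmetry. The container spec continues outside the hunk.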
@@ -372,12 +379,9 @@ spec: {{- end }} {{- if and (include "is-licensed" . | fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} {{- $tieredType := include "storage-tiered-mountType" . }} - {{- if ne $tieredType "none" }} + {{- if and (ne $tieredType "none") (ne $tieredType "persistentVolume") }} - name: tiered-storage-dir - {{- if eq $tieredType "persistentVolume" }} - persistentVolumeClaim: - claimName: tiered-storage-dir - {{- else if eq $tieredType "hostPath" }} + {{- if eq $tieredType "hostPath" }} hostPath: path: {{ include "storage-tiered-hostpath" . }} {{- else }} @@ -458,7 +462,7 @@ spec: {{- end }} {{- if and (include "is-licensed" . | fromJson).bool (include "storage-tiered-config" .|fromJson).cloud_storage_enabled (eq (include "storage-tiered-mountType" .) "persistentVolume") }} - metadata: - name: tiered-storage-dir + name: {{ default "tiered-storage-dir" .Values.storage.persistentVolume.nameOverwrite }} labels: app.kubernetes.io/name: {{ template "redpanda.name" . }} app.kubernetes.io/instance: {{ .Release.Name | quote }} diff --git a/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml index 8ad14e93d..20fc8f483 100644 --- a/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml +++ b/charts/redpanda/redpanda/templates/tests/test-license-with-console.yaml 
@@ -43,9 +43,17 @@ spec: - | echo "testing that we do NOT have an open source license" set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ include "console.containerPort" (dict "Values" .Values.console) }}/api/cluster/overview | jq . type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ include "console.containerPort" (dict "Values" .Values.console) }}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ include "console.containerPort" (dict "Values" .Values.console) }}/api/cluster/overview | jq -r .console.license.type) + done if [[ "$type" == "open_source" || "$type" == "" ]]; then - exit 1 + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ include "console.containerPort" (dict "Values" .Values.console) }}/api/cluster/overview | jq . + exit 1 fi set +x echo "license test passed." diff --git a/charts/redpanda/redpanda/values.schema.json b/charts/redpanda/redpanda/values.schema.json index c3ef32776..a0de8380c 100644 --- a/charts/redpanda/redpanda/values.schema.json +++ b/charts/redpanda/redpanda/values.schema.json 
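Review bot: Nothing paces the retry loop: once the console answers with a valid body but no licence yet, `curl --fail` succeeds immediately, so the ten iterations complete in well under a second and the loop adds no real waiting; put `sleep 5` as the first statement of the `while` body. The `--retry`/`--retry-max-time` flags do not help here, since they only cover transport-level failures, not a successful response with the wrong `license.type`. The same long URL is repeated four times across the loop and the failure branch; `url=http://...` assigned once above the loop would shorten the script and make the endpoint easy to change. The `set -xe` and the surrounding container spec start outside the hunk.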
@@ -413,17 +413,56 @@ }, "annotations": { "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "size": { + "type": "string" + }, + "nameOverwrite": { + "type": "string" } } }, "credentialsSecretRef": { "type": "object", "properties": { + "accessKey": { + "type": "object", + "configurationKey": { + "type": "string" + }, + "name": { + "type": "string" + }, + "key": { + "type": "string" + } + }, + "secretKey": { + "type": "object", + "configurationKey": { + "type": "string" + }, + "name": { + "type": "string" + }, + "key": { + "type": "string" + } + }, + "configurationKey": { + "type": "string", + "deprecated": true + }, "name": { - "type": "string" + "type": "string", + "deprecated": true }, "key": { - "type": "string" + "type": "string", + "deprecated": true } } }, diff --git a/charts/redpanda/redpanda/values.yaml b/charts/redpanda/redpanda/values.yaml index df9925078..ece008e26 100644 --- a/charts/redpanda/redpanda/values.yaml +++ b/charts/redpanda/redpanda/values.yaml 
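Review bot: In the new `accessKey` and `secretKey` objects the `configurationKey`, `name` and `key` entries sit directly beside `"type": "object"` instead of under a `properties` keyword, so they are not property definitions and the validator ignores them; any value type, or a misspelt key such as `secretName`, passes unchecked. Wrap them in `"properties": { ... }` as the enclosing `credentialsSecretRef` object already does, and if the chart's schema style allows it, `"additionalProperties": false` on these two objects would catch typos as well. The `deprecated: true` flags on the flat `name`/`key`/`configurationKey` are informational only; a `description` naming the replacement (`secretKey.name`, etc.) would help users reading the schema.
```json
"accessKey": {
  "type": "object",
  "properties": {
    "configurationKey": { "type": "string" },
    "name": { "type": "string" },
    "key": { "type": "string" }
  }
},
"secretKey": {
  "type": "object",
  "properties": {
    "configurationKey": { "type": "string" },
    "name": { "type": "string" },
    "key": { "type": "string" }
  }
},
```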
@@ -93,12 +93,12 @@ auditLogging: # -- Enable or disable audit logging, for production clusters we suggest you enable, # however, this will only work if you also enable sasl and a listener with sasl enabled. enabled: false - # -- Kafka listener name, note that it must have `authenticationMethod` set to sasl - # 'internal' if using internal listener, else use external listener name, e.g., default. + # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. + # For external listeners, use the external listener name, such as `default`. listener: internal # -- Integer value defining the number of partitions used by a newly created audit topic. partitions: 12 - # -- Event types that should be captured by audit logs, default is ["admin", "authenticate", "management"]. + # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. enabledEventTypes: # -- List of topics to exclude from auditing, default is null. excludedTopics: @@ -113,7 +113,7 @@ auditLogging: # -- Defines the replication factor for a newly created audit log topic. This configuration applies # only to the audit log topic and may be different from the cluster or other topic configurations. # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, - # Redpanda will use the internal_topic_replication_factor cluster config value. Default is null + # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` replicationFactor: # -- Enterprise (optional) 
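Review bot: In the `@@ -113,7 +113,7 @@` hunk the backticks enclose `internal_topic_replication_factor cluster`, so the word "cluster" renders as part of the property name. Close the code span after the property, so the comment reads "Redpanda will use the `internal_topic_replication_factor` cluster config value. Default is `null`".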
@@ -267,6 +267,8 @@ external: # The number of brokers is defined in statefulset.replicas. # The values can be IP addresses or DNS names. # If external.domain is set, the domain is appended to these values. + # There is an option to define a single external address for all brokers and leverage + # prefixTemplate as it will be calculated during initContainer execution. # addresses: # - redpanda-0 # - redpanda-1 @@ -417,7 +419,7 @@ storage: persistentVolume: enabled: true size: 20Gi - # -- To disable dynamic provisioning, set to "-". + # -- To disable dynamic provisioning, set to `-`. # If undefined or empty (default), then no storageClassName spec is set, # and the default dynamic provisioner is chosen (gp2 on AWS, standard on # GKE, AWS & OpenStack). @@ -426,6 +428,9 @@ storage: labels: {} # -- Additional annotations to apply to the created PersistentVolumeClaims. annotations: {} + # -- Option to change volume claim template name for tiered storage persistent volume + # if tiered.mountType is set to `persistentVolume` + nameOverwrite: "" # # Settings for the Tiered Storage cache. # For details, 
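Review bot: The new `nameOverwrite` comment in the `@@ -426,6 +428,9 @@` hunk says nothing about changing it on an existing release; if this string becomes a `volumeClaimTemplates[].name` on the StatefulSet (the template is not visible here), Kubernetes rejects the update because that field is immutable, and a new claim name would not re-attach the existing tiered-storage PVC. Verify how the template uses it and, if so, extend the comment with `# Changing this on an existing release requires recreating the StatefulSet; data on the old claim is not migrated.`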
@@ -456,11 +461,25 @@ storage: # -- Additional annotations to apply to the created PersistentVolumeClaims. annotations: {} - # credentialsSecretRef can be used to set cloud_storage_secret_key from + # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from # referenced Kubernetes Secret - credentialsSecretRef: {} + credentialsSecretRef: + accessKey: + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_access_key + configurationKey: cloud_storage_access_key + # name: + # key: + secretKey: + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_secret_key + # or + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_azure_shared_key + configurationKey: cloud_storage_secret_key + # name: + # key + # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey` + # configurationKey: cloud_storage_secret_key # name: - # key + # key: # # -- Tiered Storage settings # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` 
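Review bot: The `secretKey` example ends with `# key` while the `accessKey` block above uses `# key:`, so an operator uncommenting it gets a bare scalar instead of a map entry; use `# key:` in both places. The `# -- DEPRECATED ...` line applies the helm-docs `--` marker to a commented-out key, which may attach that text to the next real key in generated documentation; a plain `#` comment avoids that. The `tiered` section this belongs to continues outside the hunk.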
@@ -476,21 +495,21 @@ storage: # -- Cluster level default remote read configuration for new topics. # See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). cloud_storage_enable_remote_read: true - # -- AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCS). + # -- AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCP). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). cloud_storage_region: "" - # -- AWS or GCP bucket name used for Tiered Storage (required for AWS and GCS). + # -- AWS or GCP bucket name used for Tiered Storage (required for AWS and GCP). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). cloud_storage_bucket: "" - # -- AWS or GCP access key (required for AWS and GCS authentication with access keys). + # -- AWS or GCP access key (required for AWS and GCP authentication with access keys). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). cloud_storage_access_key: "" - # -- AWS or GCP secret key (required for AWS and GCS authentication with access keys). + # -- AWS or GCP secret key (required for AWS and GCP authentication with access keys). # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). cloud_storage_secret_key: "" # -- AWS or GCP API endpoint. - # - For AWS, this can be left blank as it is generated automatically using the bucket and region (e.g. ".s3..amazonaws.com") - # - For GCS, use "storage.googleapis.com" + # * For AWS, this can be left blank as it is generated automatically using the bucket and region. For example, `.s3..amazonaws.com`. 
+ # * For GCP, use `storage.googleapis.com` # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). cloud_storage_api_endpoint: "" # -- Name of the Azure container to use with Tiered Storage (required for ABS/ADLS). @@ -508,11 +527,11 @@ storage: # Available starting from 23.2.8. # cloud_storage_azure_adls_endpoint: "" # cloud_storage_azure_adls_port: "" - # -- Source of credentials used to connect to cloud services (required for AWS and GCS authentication with IAM roles). - # - config_file - # - aws_instance_metadata - # - sts - # - gcp_instance_metadata + # -- Source of credentials used to connect to cloud services (required for AWS and GCP authentication with IAM roles). + # * `config_file` + # * `aws_instance_metadata` + # * `sts` + # * `gcp_instance_metadata` # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). cloud_storage_credentials_source: config_file @@ -584,6 +603,9 @@ post_upgrade_job: # - secretRef: # name: redpanda-aws-secrets affinity: {} + # When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish + # its rollout. User can extend Job default backoff limit of `6`. + # backoffLimit: statefulset: # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) 
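Review bot: The new `backoffLimit` comment in the `@@ -584,6 +603,9 @@` hunk is hard to read and does not say what the key maps to; suggest `# The post-upgrade Job is scheduled before the StatefulSet finishes its rollout, so it may need more retries than the Kubernetes default of 6; set backoffLimit to raise the Job's spec.backoffLimit.` Whether the template actually consumes `post_upgrade_job.backoffLimit` is not visible from this hunk, so confirm that before documenting it.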
@@ -613,7 +635,7 @@ statefulset: # # StatefulSet resources: # Resources are set through the top-level resources section above. - # It is recommended to set resources values in that section rather than here, as this will guarantee + # It is recommended to set resource values in that section rather than here, as this will guarantee # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly. # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags # at startup that set the amount of memory available to each process. @@ -637,12 +659,12 @@ statefulset: # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. type: hard # -- Weight for `soft` anti-affinity rules. - # Does not apply for other anti-affinity types. + # Does not apply to other anti-affinity types. weight: 100 # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. custom: {} # -- Node selection constraints for scheduling Pods of this StatefulSet. - # These constraints override the global nodeSelector value. + # These constraints override the global `nodeSelector` value. # For details, # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). nodeSelector: {} diff --git a/charts/speedscale/speedscale-operator/Chart.yaml b/charts/speedscale/speedscale-operator/Chart.yaml index e423989a5..7cd93cead 100644 --- a/charts/speedscale/speedscale-operator/Chart.yaml +++ b/charts/speedscale/speedscale-operator/Chart.yaml @@ -4,7 +4,7 @@ annotations: catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/release-name: speedscale-operator apiVersion: v1 -appVersion: 2.0.41 +appVersion: 2.1.1 description: Stress test your APIs with real world scenarios. Collect and replay traffic without scripting. home: https://speedscale.com 
@@ -24,4 +24,4 @@ maintainers: - email: support@speedscale.com name: Speedscale Support name: speedscale-operator -version: 2.0.5 +version: 2.0.11 diff --git a/charts/speedscale/speedscale-operator/README.md b/charts/speedscale/speedscale-operator/README.md index 8844cd461..e433dc42d 100644 --- a/charts/speedscale/speedscale-operator/README.md +++ b/charts/speedscale/speedscale-operator/README.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.0.5 +### Upgrade to 2.0.11 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.5/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.11/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 diff --git a/charts/speedscale/speedscale-operator/app-readme.md b/charts/speedscale/speedscale-operator/app-readme.md index 8844cd461..e433dc42d 100644 --- a/charts/speedscale/speedscale-operator/app-readme.md +++ b/charts/speedscale/speedscale-operator/app-readme.md @@ -101,10 +101,10 @@ _See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documen A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions. -### Upgrade to 2.0.5 +### Upgrade to 2.0.11 ```bash -kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.5/templates/crds/trafficreplays.yaml +kubectl apply --server-side -f https://raw.githubusercontent.com/speedscale/operator-helm/main/2.0.11/templates/crds/trafficreplays.yaml ``` ### Upgrade to 1.1.0 
diff --git a/charts/speedscale/speedscale-operator/templates/configmap.yaml b/charts/speedscale/speedscale-operator/templates/configmap.yaml index 36b2e532c..6fecf2923 100644 --- a/charts/speedscale/speedscale-operator/templates/configmap.yaml +++ b/charts/speedscale/speedscale-operator/templates/configmap.yaml @@ -23,7 +23,7 @@ data: WITH_DLP: {{ .Values.dlp.enabled | quote }} WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }} API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }} - DEPLOY_DEMO: {{ .Values.deployDemo }} + DEPLOY_DEMO: {{ .Values.deployDemo | quote }} GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }} GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }} {{- if .Values.http_proxy }} diff --git a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml index fabaeef7e..d4b47d2c9 100644 --- a/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml +++ b/charts/speedscale/speedscale-operator/templates/crds/trafficreplays.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.13.0 creationTimestamp: null name: trafficreplays.speedscale.com spec: 
@@ -209,13 +209,35 @@ spec: during replay and associated settings. properties: inTrafficKey: - description: InTrafficKey is used to identify the slice of inbound - snapshot traffic this workload is targeting and maps directly - to a snapshot's `InTraffic` field. Snapshot traffic can be - split across multiple slices where each slice contains part - of the traffic. A slice may only have one workload, but a - workload may be targeted by multiple slices. + description: 'DEPRECATED: use InTrafficKeys' type: string + inTrafficKeys: + description: "InTrafficKeys are used to identify slices of inbound + snapshot traffic this workload is targeting and maps directly + to a snapshot's `InTraffic` field. Snapshot ingress traffic + can be split across multiple slices where each slice contains + part of the traffic. A key must only be specified once across + all workloads, but a workload may specify multiple keys. \n + This field is optional in the spec to provide support for + single-workload and legacy replays, but must be specified + for multi-workload replays in order to provide deterministic + replay configuration." + items: + type: string + type: array + outTrafficKeys: + description: "OutTrafficKeys are used to identify slices of + outbound snapshot traffic to mock for this workload and maps + directly to a snapshot's `OutTraffic` field. Snapshot egress + traffic can be split across multiple slices where each slice + contains part of the traffic. A workload may specify multiple + keys and multiple workloads may specify the same key. \n Only + the traffic slices defined here will be mocked. A workload + with no keys defined will not mock any traffic. Pass '*' + to mock all traffic." + items: + type: string + type: array ref: description: Ref is a reference to a cluster workload, like a deployment or a statefulset. @@ -413,5 +435,5 @@ status: acceptedNames: kind: "" plural: "" - conditions: [] - storedVersions: [] + conditions: null + storedVersions: null 
diff --git a/charts/speedscale/speedscale-operator/values.yaml b/charts/speedscale/speedscale-operator/values.yaml index 04635ba60..c55ca51d9 100644 --- a/charts/speedscale/speedscale-operator/values.yaml +++ b/charts/speedscale/speedscale-operator/values.yaml @@ -20,7 +20,7 @@ clusterName: "my-cluster" # Speedscale components image settings. image: registry: gcr.io/speedscale - tag: v2.0.41 + tag: v2.1.1 pullPolicy: Always # Log level for Speedscale components. @@ -74,7 +74,8 @@ tolerations: [] # A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ nodeSelector: {} -# Deploy a demo app at startup. +# Deploy a demo app at startup. Set this to an empty string to not deploy. +# Valid values: ["java", ""] deployDemo: "java" # Proxy connection settings if required by your network. These translate to standard proxy environment @@ -91,14 +92,18 @@ disableSidecarSmartReverseDNS: false # Operator settings. These limits are recommended unless you have a cluster # with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.). +# +# NOTE: disable ephemeral-storage by changing its value to "none" operator: resources: limits: cpu: 500m memory: 512Mi + ephemeral-storage: 100Mi requests: cpu: 100m memory: 128Mi + ephemeral-storage: 100Mi # Default sidecar settings. Example: # sidecar: @@ -106,7 +111,9 @@ operator: # limits: # cpu: 500m # memory: 512Mi +# ephemeral-storage: 100Mi # requests: # cpu: 10m # memory: 32Mi +# ephemeral-storage: 100Mi sidecar: {} diff --git a/charts/stackstate/stackstate-k8s-agent/Chart.yaml b/charts/stackstate/stackstate-k8s-agent/Chart.yaml index a59a80a60..33e13e757 100644 --- a/charts/stackstate/stackstate-k8s-agent/Chart.yaml +++ b/charts/stackstate/stackstate-k8s-agent/Chart.yaml @@ -21,4 +21,4 @@ maintainers: - email: ops@stackstate.com name: Stackstate name: stackstate-k8s-agent -version: 1.0.67 +version: 1.0.68 
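Review bot: The `NOTE: disable ephemeral-storage by changing its value to "none"` comment in the `@@ -91,14 +92,18 @@` hunk relies on the chart template special-casing the literal `none`, which this change does not show; `none` is not a valid Kubernetes resource quantity, so if the value is passed through unchanged the operator Deployment is rejected at apply time. Verify the template handles it and say so in the comment, or document the standard alternative of removing the key with `--set operator.resources.limits.ephemeral-storage=null`. The mirrored `sidecar` example in the following hunk needs the same clarification.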
diff --git a/charts/stackstate/stackstate-k8s-agent/README.md b/charts/stackstate/stackstate-k8s-agent/README.md index f27cd87ab..13a8f78a9 100644 --- a/charts/stackstate/stackstate-k8s-agent/README.md +++ b/charts/stackstate/stackstate-k8s-agent/README.md @@ -2,7 +2,7 @@ Helm chart for the StackState Agent. -Current chart version is `1.0.67` +Current chart version is `1.0.68` **Homepage:** @@ -203,7 +203,7 @@ stackstate/stackstate-k8s-agent | nodeAgent.containers.processAgent.image.pullPolicy | string | `"IfNotPresent"` | Process-agent container image pull policy. | | nodeAgent.containers.processAgent.image.registry | string | `nil` | | | nodeAgent.containers.processAgent.image.repository | string | `"stackstate/stackstate-k8s-process-agent"` | Process-agent container image repository. | -| nodeAgent.containers.processAgent.image.tag | string | `"76e11e86"` | Default process-agent container image tag. | +| nodeAgent.containers.processAgent.image.tag | string | `"718e9ab3"` | Default process-agent container image tag. | | nodeAgent.containers.processAgent.logLevel | string | `nil` | Set logging verbosity, valid log levels are: trace, debug, info, warn, error, critical, and off # If not set, fall back to the value of agent.logLevel. | | nodeAgent.containers.processAgent.procVolumeReadOnly | bool | `true` | Configure whether /host/proc is read only for the process agent container | | nodeAgent.containers.processAgent.resources.limits.cpu | string | `"125m"` | Memory resource limits. | diff --git a/charts/stackstate/stackstate-k8s-agent/values.yaml b/charts/stackstate/stackstate-k8s-agent/values.yaml index 6ea724d5c..adf35c32c 100644 --- a/charts/stackstate/stackstate-k8s-agent/values.yaml +++ b/charts/stackstate/stackstate-k8s-agent/values.yaml 
@@ -158,7 +158,7 @@ nodeAgent: # nodeAgent.containers.processAgent.image.repository -- Process-agent container image repository. repository: stackstate/stackstate-k8s-process-agent # nodeAgent.containers.processAgent.image.tag -- Default process-agent container image tag. - tag: "76e11e86" + tag: "718e9ab3" # nodeAgent.containers.processAgent.image.pullPolicy -- Process-agent container image pull policy. pullPolicy: IfNotPresent # nodeAgent.containers.processAgent.env -- Additional environment variables for the process-agent container diff --git a/charts/yugabyte/yugabyte/.helmignore b/charts/yugabyte/yugabyte/.helmignore new file mode 100644 index 000000000..3598c3003 --- /dev/null +++ b/charts/yugabyte/yugabyte/.helmignore @@ -0,0 +1 @@ +tests \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/Chart.yaml b/charts/yugabyte/yugabyte/Chart.yaml index 2533172a4..2b7054045 100644 --- a/charts/yugabyte/yugabyte/Chart.yaml +++ b/charts/yugabyte/yugabyte/Chart.yaml @@ -3,18 +3,20 @@ annotations: catalog.cattle.io/display-name: YugabyteDB catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugabyte -apiVersion: v1 -appVersion: 2.14.15.0-b57 + charts.openshift.io/name: yugabyte +apiVersion: v2 +appVersion: 2.18.6.0-b73 description: YugabyteDB is the high-performance distributed SQL database for building global, internet-scale apps. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 +kubeVersion: '>=1.18-0' maintainers: -- email: ram@yugabyte.com - name: Ram Sri -- email: arnav@yugabyte.com - name: Arnav Agarwal +- email: sanketh@yugabyte.com + name: Sanketh Indarapu +- email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla name: yugabyte sources: - https://github.com/yugabyte/yugabyte-db -version: 2.14.15 +version: 2.18.6 diff --git a/charts/yugabyte/yugabyte/app-readme.md b/charts/yugabyte/yugabyte/app-readme.md index 6cdeb3fb3..edad7f89e 100644 
--- a/charts/yugabyte/yugabyte/app-readme.md +++ b/charts/yugabyte/yugabyte/app-readme.md @@ -1 +1 @@ -This chart bootstraps an RF3 Yugabyte DB version 2.14.15.0-b57 cluster using the Helm Package Manager. +This chart bootstraps an RF3 YugabyteDB version 2.18.6.0-b73 cluster using the Helm Package Manager. diff --git a/charts/yugabyte/yugabyte/generate_kubeconfig.py b/charts/yugabyte/yugabyte/generate_kubeconfig.py index b974c0f2d..f4c2d14ab 100644 --- a/charts/yugabyte/yugabyte/generate_kubeconfig.py +++ b/charts/yugabyte/yugabyte/generate_kubeconfig.py 
@@ -11,84 +11,209 @@ from sys import exit import json import base64 import tempfile +import time +import os.path -def run_command(command_args, namespace=None, as_json=True): - command = ['kubectl'] +def run_command(command_args, namespace=None, as_json=True, log_command=True): + command = ["kubectl"] if namespace: - command.extend(['--namespace', namespace]) + command.extend(["--namespace", namespace]) command.extend(command_args) if as_json: - command.extend(['-o', 'json']) - return json.loads(check_output(command)) + command.extend(["-o", "json"]) + if log_command: + print("Running command: {}".format(" ".join(command))) + output = check_output(command) + if as_json: + return json.loads(output) else: - return check_output(command).decode('utf8') + return output.decode("utf8") -parser = argparse.ArgumentParser(description='Generate KubeConfig with Token') -parser.add_argument('-s', '--service_account', help='Service Account name', required=True) -parser.add_argument('-n', '--namespace', help='Kubernetes namespace', default='kube-system') -parser.add_argument('-c', '--context', help='kubectl context') +def create_sa_token_secret(directory, sa_name, namespace): + """Creates a service account token secret for sa_name in + namespace. Returns the name of the secret created. 
+ + Ref: + https://k8s.io/docs/concepts/configuration/secret/#service-account-token-secrets + + """ + token_secret = { + "apiVersion": "v1", + "data": { + "do-not-delete-used-for-yugabyte-anywhere": "MQ==", + }, + "kind": "Secret", + "metadata": { + "annotations": { + "kubernetes.io/service-account.name": sa_name, + }, + "name": sa_name, + }, + "type": "kubernetes.io/service-account-token", + } + token_secret_file_name = os.path.join(directory, "token_secret.yaml") + with open(token_secret_file_name, "w") as token_secret_file: + json.dump(token_secret, token_secret_file) + run_command(["apply", "-f", token_secret_file_name], namespace) + return sa_name + + +def get_secret_data(secret, namespace): + """Returns the secret in JSON format if it has ca.crt and token in + it, else returns None. It retries 3 times with 1 second timeout + for the secret to be populated with this data. + + """ + secret_data = None + num_retries = 5 + timeout = 2 + while True: + secret_json = run_command(["get", "secret", secret], namespace) + if "ca.crt" in secret_json["data"] and "token" in secret_json["data"]: + secret_data = secret_json + break + + num_retries -= 1 + if num_retries == 0: + break + print( + "Secret '{}' is not populated. Sleep {}s, ({} retries left)".format( + secret, timeout, num_retries + ) + ) + time.sleep(timeout) + return secret_data + + +def get_secrets_for_sa(sa_name, namespace): + """Returns a list of all service account token secrets associated + with the given sa_name in the namespace. 
+ + """ + secrets = run_command( + [ + "get", + "secret", + "--field-selector", + "type=kubernetes.io/service-account-token", + "-o", + 'jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name == "' + + sa_name + + '")].metadata.name}"', + ], + as_json=False, + ) + return secrets.strip('"').split() + + +parser = argparse.ArgumentParser(description="Generate KubeConfig with Token") +parser.add_argument("-s", "--service_account", help="Service Account name", required=True) +parser.add_argument("-n", "--namespace", help="Kubernetes namespace", default="kube-system") +parser.add_argument("-c", "--context", help="kubectl context") +parser.add_argument("-o", "--output_file", help="output file path") args = vars(parser.parse_args()) # if the context is not provided we use the current-context -context = args['context'] +context = args["context"] if context is None: - context = run_command(['config', 'current-context'], - args['namespace'], as_json=False) + context = run_command(["config", "current-context"], args["namespace"], as_json=False) -cluster_attrs = run_command(['config', 'get-contexts', context.strip(), - '--no-headers'], args['namespace'], as_json=False) +cluster_attrs = run_command( + ["config", "get-contexts", context.strip(), "--no-headers"], args["namespace"], as_json=False +) cluster_name = cluster_attrs.strip().split()[2] -endpoint = run_command(['config', 'view', '-o', - 'jsonpath="{.clusters[?(@.name =="' + - cluster_name + '")].cluster.server}"'], - args['namespace'], as_json=False) -service_account_info = run_command(['get', 'sa', args['service_account']], - args['namespace']) +endpoint = run_command( + [ + "config", + "view", + "-o", + 'jsonpath="{.clusters[?(@.name =="' + cluster_name + '")].cluster.server}"', + ], + args["namespace"], + as_json=False, +) +service_account_info = run_command(["get", "sa", args["service_account"]], args["namespace"]) + +tmpdir = tempfile.TemporaryDirectory() + +# Get the token and ca.crt from 
service account secret. +sa_secrets = list() + +# Get secrets specified in the service account, there can be multiple +# of them, and not all are service account token secrets. +if "secrets" in service_account_info: + sa_secrets = [secret["name"] for secret in service_account_info["secrets"]] + +# Find the existing additional service account token secrets +sa_secrets.extend(get_secrets_for_sa(args["service_account"], args["namespace"])) -# some ServiceAccounts have multiple secrets, and not all them have a -# ca.crt and a token. -sa_secrets = [secret['name'] for secret in service_account_info['secrets']] secret_data = None for secret in sa_secrets: - secret_json = run_command(['get', 'secret', secret], args['namespace']) - if 'ca.crt' not in secret_json['data'] and 'token' not in secret_json['data']: - continue - secret_data = secret_json + secret_data = get_secret_data(secret, args["namespace"]) + if secret_data is not None: + break + +# Kubernetes 1.22+ doesn't create the service account token secret by +# default, we have to create one. 
if secret_data is None: - exit("No usable secret found for '{}'.".format(args['service_account'])) + print("No usable secret found for '{}', creating one.".format(args["service_account"])) + token_secret = create_sa_token_secret(tmpdir.name, args["service_account"], args["namespace"]) + secret_data = get_secret_data(token_secret, args["namespace"]) + if secret_data is None: + exit( + "Failed to generate kubeconfig: No usable credentials found for '{}'.".format( + args["service_account"] + ) + ) -context_name = '{}-{}'.format(args['service_account'], cluster_name) -kube_config = '/tmp/{}.conf'.format(args['service_account']) -with tempfile.NamedTemporaryFile() as ca_crt_file: - ca_crt = base64.b64decode(secret_data['data']['ca.crt']) - ca_crt_file.write(ca_crt) - ca_crt_file.flush() - # create kubeconfig entry - set_cluster_cmd = ['config', 'set-cluster', cluster_name, - '--kubeconfig={}'.format(kube_config), - '--server={}'.format(endpoint.strip('"')), - '--embed-certs=true', - '--certificate-authority={}'.format(ca_crt_file.name)] - run_command(set_cluster_cmd, as_json=False) +context_name = "{}-{}".format(args["service_account"], cluster_name) +kube_config = args["output_file"] +if not kube_config: + kube_config = "/tmp/{}.conf".format(args["service_account"]) -user_token = base64.b64decode(secret_data['data']['token']).decode('utf-8') -set_credentials_cmd = ['config', 'set-credentials', context_name, - '--token={}'.format(user_token), - '--kubeconfig={}'.format(kube_config)] -run_command(set_credentials_cmd, as_json=False) -set_context_cmd = ['config', 'set-context', context_name, - '--cluster={}'.format(cluster_name), - '--user={}'.format(context_name), - '--kubeconfig={}'.format(kube_config)] +ca_crt_file_name = os.path.join(tmpdir.name, "ca.crt") +ca_crt_file = open(ca_crt_file_name, "wb") +ca_crt_file.write(base64.b64decode(secret_data["data"]["ca.crt"])) +ca_crt_file.close() + +# create kubeconfig entry +set_cluster_cmd = [ + "config", + "set-cluster", + 
cluster_name, + "--kubeconfig={}".format(kube_config), + "--server={}".format(endpoint.strip('"')), + "--embed-certs=true", + "--certificate-authority={}".format(ca_crt_file_name), +] +run_command(set_cluster_cmd, as_json=False) + +user_token = base64.b64decode(secret_data["data"]["token"]).decode("utf-8") +set_credentials_cmd = [ + "config", + "set-credentials", + context_name, + "--token={}".format(user_token), + "--kubeconfig={}".format(kube_config), +] +run_command(set_credentials_cmd, as_json=False, log_command=False) + +set_context_cmd = [ + "config", + "set-context", + context_name, + "--cluster={}".format(cluster_name), + "--user={}".format(context_name), + "--kubeconfig={}".format(kube_config), +] run_command(set_context_cmd, as_json=False) -use_context_cmd = ['config', 'use-context', context_name, - '--kubeconfig={}'.format(kube_config)] +use_context_cmd = ["config", "use-context", context_name, "--kubeconfig={}".format(kube_config)] run_command(use_context_cmd, as_json=False) print("Generated the kubeconfig file: {}".format(kube_config)) diff --git a/charts/yugabyte/yugabyte/openshift.values.yaml b/charts/yugabyte/yugabyte/openshift.values.yaml new file mode 100644 index 000000000..d2784b23e --- /dev/null +++ b/charts/yugabyte/yugabyte/openshift.values.yaml @@ -0,0 +1,4 @@ +# OCP compatible values for yugabyte + +Image: + repository: "quay.io/yugabyte/yugabyte-ubi" diff --git a/charts/yugabyte/yugabyte/questions.yaml b/charts/yugabyte/yugabyte/questions.yaml index c88fd43c0..6befa49e1 100644 --- a/charts/yugabyte/yugabyte/questions.yaml +++ b/charts/yugabyte/yugabyte/questions.yaml @@ -16,7 +16,7 @@ questions: label: YugabyteDB image repository description: "YugabyteDB image repository" - variable: Image.tag - default: "2.14.1.0-b36" + default: "2.5.1.0-b153" required: true type: string label: YugabyteDB image tag 
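Review bot: `get_secrets_for_sa` accepts `namespace` but never passes it to `run_command`, so the `get secret --field-selector ...` listing runs against the kubeconfig's current namespace instead of `args["namespace"]` and can miss or pick up token secrets from the wrong namespace; pass it through: `], namespace, as_json=False,`. The jsonpath literal in that function uses `\.` inside a regular string, an invalid escape that Python 3.12 reports as a SyntaxWarning; make it a raw string (`r'jsonpath="{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name == "'`). The `get_secret_data` docstring says 3 retries with a 1 s timeout while the code uses `num_retries = 5` and `timeout = 2`. `create_sa_token_secret` mints a non-expiring `kubernetes.io/service-account-token` Secret, and its docstring should state that the resulting kubeconfig (written to `/tmp/<sa>.conf` unless `--output_file` is given) therefore carries a long-lived credential; where the consumer can refresh tokens, bound time-limited tokens from `kubectl create token` are the safer option to mention.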
diff --git a/charts/yugabyte/yugabyte/templates/_helpers.tpl b/charts/yugabyte/yugabyte/templates/_helpers.tpl
index 27697d799..7d80ece43 100644
--- a/charts/yugabyte/yugabyte/templates/_helpers.tpl
+++ b/charts/yugabyte/yugabyte/templates/_helpers.tpl
@@ -26,7 +26,7 @@ Generate common labels.
 {{- define "yugabyte.labels" }}
 heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }}
 release: {{ .Release.Name | quote }}
-chart: {{ .Values.oldNamingStyle | ternary .Chart.Name (include "yugabyte.chart" .) | quote }}
+chart: {{ .Chart.Name | quote }}
 component: {{ .Values.Component | quote }}
 {{- if .Values.commonLabels}}
 {{ toYaml .Values.commonLabels }}
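Review bot: `chart:` now always renders `.Chart.Name`, so for releases installed with `oldNamingStyle: false` the label value changes on the next upgrade; if `yugabyte.labels` feeds a StatefulSet `spec.selector.matchLabels` (not visible in this hunk) that upgrade fails because selectors are immutable. Confirm how the label is consumed and, if the value change is intended, add a comment above the line such as `{{/* chart label no longer depends on oldNamingStyle; keep it out of immutable selectors */}}` and mention it in the chart's upgrade notes.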
@@ -56,6 +56,89 @@ release: {{ .root.Release.Name | quote }} {{- end }} {{- end }} +{{/* +Create secrets in DBNamespace from other namespaces by iterating over envSecrets. +*/}} +{{- define "yugabyte.envsecrets" -}} +{{- range $v := .secretenv }} +{{- if $v.valueFrom.secretKeyRef.namespace }} +{{- $secretObj := (lookup +"v1" +"Secret" +$v.valueFrom.secretKeyRef.namespace +$v.valueFrom.secretKeyRef.name) +| default dict }} +{{- $secretData := (get $secretObj "data") | default dict }} +{{- $secretValue := (get $secretData $v.valueFrom.secretKeyRef.key) | default "" }} +{{- if (and (not $secretValue) (not $v.valueFrom.secretKeyRef.optional)) }} +{{- required (printf "Secret or key missing for %s/%s in namespace: %s" +$v.valueFrom.secretKeyRef.name +$v.valueFrom.secretKeyRef.key +$v.valueFrom.secretKeyRef.namespace) +nil }} +{{- end }} +{{- if $secretValue }} +apiVersion: v1 +kind: Secret +metadata: + {{- $secretfullname := printf "%s-%s-%s-%s" + $.root.Release.Name + $v.valueFrom.secretKeyRef.namespace + $v.valueFrom.secretKeyRef.name + $v.valueFrom.secretKeyRef.key + }} + name: {{ printf "%s-%s-%s-%s-%s-%s" + $.root.Release.Name + ($v.valueFrom.secretKeyRef.namespace | substr 0 5) + ($v.valueFrom.secretKeyRef.name | substr 0 5) + ( $v.valueFrom.secretKeyRef.key | substr 0 5) + (sha256sum $secretfullname | substr 0 4) + ($.suffix) + | lower | replace "." "" | replace "_" "" + }} + namespace: "{{ $.root.Release.Namespace }}" + labels: + {{- include "yugabyte.labels" $.root | indent 4 }} +type: Opaque # should it be an Opaque secret? +data: + {{ $v.valueFrom.secretKeyRef.key }}: {{ $secretValue | quote }} +{{- end }} +{{- end }} +--- +{{- end }} +{{- end }} + +{{/* +Add env secrets to DB statefulset. 
+*/}} +{{- define "yugabyte.addenvsecrets" -}} +{{- range $v := .secretenv }} +- name: {{ $v.name }} + valueFrom: + secretKeyRef: + {{- if $v.valueFrom.secretKeyRef.namespace }} + {{- $secretfullname := printf "%s-%s-%s-%s" + $.root.Release.Name + $v.valueFrom.secretKeyRef.namespace + $v.valueFrom.secretKeyRef.name + $v.valueFrom.secretKeyRef.key + }} + name: {{ printf "%s-%s-%s-%s-%s-%s" + $.root.Release.Name + ($v.valueFrom.secretKeyRef.namespace | substr 0 5) + ($v.valueFrom.secretKeyRef.name | substr 0 5) + ($v.valueFrom.secretKeyRef.key | substr 0 5) + (sha256sum $secretfullname | substr 0 4) + ($.suffix) + | lower | replace "." "" | replace "_" "" + }} + {{- else }} + name: {{ $v.valueFrom.secretKeyRef.name }} + {{- end }} + key: {{ $v.valueFrom.secretKeyRef.key }} + optional: {{ $v.valueFrom.secretKeyRef.optional | default "false" }} +{{- end }} +{{- end }} {{/* Create Volume name. */}} @@ -84,18 +167,21 @@ Generate a preflight check script invocation. */}} {{- define "yugabyte.preflight_check" -}} {{- if not .Values.preflight.skipAll -}} +{{- $port := .Preflight.Port -}} +{{- range $addr := split "," .Preflight.Addr -}} if [ -f /home/yugabyte/tools/k8s_preflight.py ]; then PYTHONUNBUFFERED="true" /home/yugabyte/tools/k8s_preflight.py \ dnscheck \ - --addr="{{ .Preflight.Addr }}" \ -{{- if not .Values.preflight.skipBind }} - --port="{{ .Preflight.Port }}" + --addr="{{ $addr }}" \ +{{- if not $.Values.preflight.skipBind }} + --port="{{ $port }}" {{- else }} --skip_bind {{- end }} fi && \ -{{- end -}} -{{- end -}} +{{ end }} +{{- end }} +{{- end }} {{/* Get YugaByte fs data directories. 
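Review bot: The generated Secret name in `yugabyte.envsecrets` uses 5-character prefixes of namespace, name and key plus only 4 hex characters of the SHA-256, and the identical `printf`/`substr`/`sha256sum` expression is repeated verbatim in `yugabyte.addenvsecrets`, so the two copies must stay in lockstep or the env var references a Secret that was never created. Extract it into one `yugabyte.envsecretname` helper and consider keeping more of the hash: 16 bits leaves a small but real chance that two distinct source secrets collapse to one name, in which case the later rendered object silently wins. `lookup` returns an empty object under `helm template` and `--dry-run`, so every non-optional cross-namespace entry will abort with the `required` message in CI renders; that should be stated in the define's header comment. Both defines also dereference `$v.valueFrom.secretKeyRef.namespace` for every entry, so a `secretEnv` item without a `secretKeyRef` (which the old `toYaml` path passed straight through) now fails rendering — guard with `{{- if and $v.valueFrom $v.valueFrom.secretKeyRef }}` or document the narrowed schema. The trailing `# should it be an Opaque secret?` on the `type:` line is an open question rather than a comment and should be resolved before merge.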
@@ -130,12 +216,20 @@ echo "disk check at: $(date)" \ Generate server FQDN. */}} {{- define "yugabyte.server_fqdn" -}} - {{- if (and .Values.istioCompatibility.enabled .Values.multicluster.createServicePerPod) -}} + {{- if .Values.multicluster.createServicePerPod -}} {{- printf "$(HOSTNAME).$(NAMESPACE).svc.%s" .Values.domainName -}} + {{- else if (and .Values.oldNamingStyle .Values.multicluster.createServiceExports) -}} + {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} + {{- printf "$(HOSTNAME).%s.%s.$(NAMESPACE).svc.clusterset.local" $membershipName .Service.name -}} {{- else if .Values.oldNamingStyle -}} {{- printf "$(HOSTNAME).%s.$(NAMESPACE).svc.%s" .Service.name .Values.domainName -}} {{- else -}} - {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} + {{- if .Values.multicluster.createServiceExports -}} + {{ $membershipName := required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId }} + {{- printf "$(HOSTNAME).%s.%s-%s.$(NAMESPACE).svc.clusterset.local" $membershipName (include "yugabyte.fullname" .) .Service.name -}} + {{- else -}} + {{- printf "$(HOSTNAME).%s-%s.$(NAMESPACE).svc.%s" (include "yugabyte.fullname" .) .Service.name .Values.domainName -}} + {{- end -}} {{- end -}} {{- end -}} 
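Review bot: The `required "A valid membership name is required! ..."` lookup of `multicluster.kubernetesClusterId` is written twice in `yugabyte.server_fqdn`, once per naming style, so the message and the validation can drift. Hoisting it once above the branches — `{{- $membershipName := "" -}}{{- if .Values.multicluster.createServiceExports -}}{{- $membershipName = required "A valid membership name is required! Please set multicluster.kubernetesClusterId" .Values.multicluster.kubernetesClusterId -}}{{- end -}}` — keeps it in one place. A short comment noting that `clusterset.local` is the MCS DNS zone and that `domainName` is intentionally not used for exported services would help the next reader.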
@@ -148,10 +242,25 @@ Generate server broadcast address. {{/* Generate server RPC bind address. + +In case of multi-cluster services (MCS), we set it to $(POD_IP) to +ensure YCQL uses a resolvable address. +See https://github.com/yugabyte/yugabyte-db/issues/16155 + +We use a workaround for above in case of Istio by setting it to +$(POD_IP) and localhost. Master doesn't support that combination, so +we stick to 0.0.0.0, which works for master. */}} {{- define "yugabyte.rpc_bind_address" -}} + {{- $port := index .Service.ports "tcp-rpc-port" -}} {{- if .Values.istioCompatibility.enabled -}} - 0.0.0.0:{{ index .Service.ports "tcp-rpc-port" -}} + {{- if (eq .Service.name "yb-masters") -}} + 0.0.0.0:{{ $port }} + {{- else -}} + $(POD_IP):{{ $port }},127.0.0.1:{{ $port }} + {{- end -}} + {{- else if (or .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod) -}} + $(POD_IP):{{ $port }} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} {{- end -}} @@ -168,7 +277,7 @@ Generate server web interface. Generate server CQL proxy bind address. */}} {{- define "yugabyte.cql_proxy_bind_address" -}} - {{- if .Values.istioCompatibility.enabled -}} + {{- if or .Values.istioCompatibility.enabled .Values.multicluster.createServiceExports .Values.multicluster.createServicePerPod -}} 0.0.0.0:{{ index .Service.ports "tcp-yql-port" -}} {{- else -}} {{- include "yugabyte.server_fqdn" . -}} 
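Review bot: The header comment of `yugabyte.cql_proxy_bind_address` still reads only "Generate server CQL proxy bind address" while the condition now switches on three unrelated flags, and the rationale written above `yugabyte.rpc_bind_address` (a resolvable address is needed under MCS, see the linked issue) is exactly what applies here. A one-line `{{/* Bind on all interfaces under Istio or multi-cluster services; see rpc_bind_address for why the FQDN is not usable there */}}` would make the two defines read consistently. Binding YCQL to `0.0.0.0` is a wider listen than the FQDN it replaces, so it is also worth saying in that comment that this is intended.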
@@ -213,10 +322,10 @@ Compute the maximum number of unavailable pods based on the number of master rep Set consistent issuer name. */}} {{- define "yugabyte.tls_cm_issuer" -}} - {{- if .Values.tls.certManager.useClusterIssuer -}} - {{ .Values.tls.certManager.clusterIssuer }} - {{- else -}} + {{- if .Values.tls.certManager.bootstrapSelfsigned -}} {{ .Values.oldNamingStyle | ternary "yugabyte-selfsigned" (printf "%s-selfsigned" (include "yugabyte.fullname" .)) }} + {{- else -}} + {{ .Values.tls.certManager.useClusterIssuer | ternary .Values.tls.certManager.clusterIssuer .Values.tls.certManager.issuer}} {{- end -}} {{- end -}} @@ -256,3 +365,51 @@ Set consistent issuer name. {{- end -}} {{- end -}} {{- end -}} + +{{/* + Default nodeAffinity for multi-az deployments +*/}} +{{- define "yugabyte.multiAZNodeAffinity" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: failure-domain.beta.kubernetes.io/zone + operator: In + values: + - {{ quote .Values.AZ }} + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: + - {{ quote .Values.AZ }} +{{- end -}} + +{{/* + Default podAntiAffinity for master and tserver + + This requires "appLabelArgs" to be passed in - defined in service.yaml + we have a .root and a .label in appLabelArgs +*/}} +{{- define "yugabyte.podAntiAffinity" -}} +preferredDuringSchedulingIgnoredDuringExecution: +- weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + {{- if .root.Values.oldNamingStyle }} + - key: app + operator: In + values: + - "{{ .label }}" + {{- else }} + - key: app.kubernetes.io/name + operator: In + values: + - "{{ .label }}" + - key: release + operator: In + values: + - {{ .root.Release.Name | quote }} + {{- end }} + topologyKey: kubernetes.io/hostname +{{- end -}} diff --git a/charts/yugabyte/yugabyte/templates/certificates.yaml b/charts/yugabyte/yugabyte/templates/certificates.yaml index f8dd4acb5..07fc2e5f5 100644 
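Review bot: In the new `else` branch of `yugabyte.tls_cm_issuer`, when `useClusterIssuer` is false the name falls through to `.Values.tls.certManager.issuer` with no check, so an unset value renders an empty issuer name and cert-manager rejects the Certificate later instead of Helm failing at render time. Wrap it the way the chart already does for other mandatory values: `{{ .Values.tls.certManager.useClusterIssuer | ternary .Values.tls.certManager.clusterIssuer (required "tls.certManager.issuer must be set when bootstrapSelfsigned and useClusterIssuer are both false" .Values.tls.certManager.issuer) }}`. Whether `issuerRef.kind` is switched between `Issuer` and `ClusterIssuer` alongside this name is outside the hunk, so worth confirming in certificates.yaml.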
--- a/charts/yugabyte/yugabyte/templates/certificates.yaml +++ b/charts/yugabyte/yugabyte/templates/certificates.yaml @@ -1,7 +1,7 @@ {{- $root := . -}} --- {{- if $root.Values.tls.certManager.enabled }} -{{- if not $root.Values.tls.certManager.useClusterIssuer }} +{{- if $root.Values.tls.certManager.bootstrapSelfsigned }} --- apiVersion: cert-manager.io/v1 kind: Issuer @@ -37,13 +37,38 @@ spec: ca: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-ca" (printf "%s-ca" (include "yugabyte.fullname" $root)) }} --- +{{- else }} +{{/* when bootstrapSelfsigned = false, ie. when using an external CA. +Create a Secret with just the rootCA.cert value and mount into master/tserver pods. +This will be used as a fall back in case the Secret generated by cert-manager does not +have a root ca.crt. This can happen for certain certificate issuers like LetsEncrypt. +*/}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} + namespace: "{{ $root.Release.Namespace }}" + labels: + {{- include "yugabyte.labels" $root | indent 4 }} +type: Opaque +data: + ca.crt: {{ $root.Values.tls.rootCA.cert }} +--- {{- end }} +{{/* +The below Certificate resource will trigger cert-manager to issue crt/key into Secrets. +These secrets are mounted into master/tserver pods. +*/}} {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} {{- $serviceValues := (dict "Service" $service "Values" $root.Values "Chart" $root.Chart "Release" $root.Release) -}} +{{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} + +{{- if (gt (int $replicas) 0) }} --- apiVersion: cert-manager.io/v1 kind: Certificate 
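Review bot: The new fallback Secret in certificates.yaml writes `ca.crt: {{ $root.Values.tls.rootCA.cert }}` with no `required` guard, so with `bootstrapSelfsigned: false` and no `rootCA.cert` supplied the Secret renders with an empty `ca.crt` and the pods fall back to nothing. `ca.crt: {{ required "tls.rootCA.cert is required when tls.certManager.bootstrapSelfsigned is false" $root.Values.tls.rootCA.cert }}` turns that into a render-time error. The header comment should also state that the value is expected to be base64 already (it goes under `data:`, and service.yaml feeds the same value to `buildCustomCert`), since a PEM string pasted here would produce an invalid Secret.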
@@ -65,28 +90,29 @@ spec: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" $service.label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) $service.label) }} duration: {{ $root.Values.tls.certManager.certificates.duration | quote }} renewBefore: {{ $root.Values.tls.certManager.certificates.renewBefore | quote }} - commonName: yugabyte-{{ .name }} isCA: false privateKey: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} + rotationPolicy: Always usages: - server auth - client auth # At least one of a DNS Name, URI, or IP address is required. dnsNames: - {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} - {{$node}} {{- end }} + - {{ printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} uris: [] ipAddresses: [] --- {{- end }} +{{- end }} --- apiVersion: cert-manager.io/v1 @@ -114,6 +140,7 @@ spec: algorithm: {{ $root.Values.tls.certManager.certificates.algorithm | quote }} encoding: PKCS8 size: {{ $root.Values.tls.certManager.certificates.keySize }} + rotationPolicy: Always usages: - client auth dnsNames: [] diff --git a/charts/yugabyte/yugabyte/templates/debug_config_map.yaml b/charts/yugabyte/yugabyte/templates/debug_config_map.yaml new file mode 100644 index 000000000..a15c4fc9a --- /dev/null 
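Review bot: The headless-service SAN appended to `dnsNames` is built with `(include "yugabyte.fullname" $root)-$service.name` unconditionally, whereas every per-pod entry above it goes through the `oldNamingStyle` ternary; under `oldNamingStyle: true` the certificate therefore carries a SAN for a service that does not exist and lacks the one that does. Use the same switch: `- {{ $root.Values.oldNamingStyle | ternary (printf "%s.%s.svc.%s" $service.name $root.Release.Namespace $root.Values.domainName) (printf "%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName) }}`. Dropping `commonName` is fine given the SAN list, and `rotationPolicy: Always` is the right setting for server keys.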
+++ b/charts/yugabyte/yugabyte/templates/debug_config_map.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "yugabyte.fullname" . }}-master-hooks + namespace: "{{ .Release.Namespace }}" +data: +{{- range $index := until ( int ( .Values.replicas.master ) ) }} + yb-master-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' " + yb-master-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' " +{{- end }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "yugabyte.fullname" . }}-tserver-hooks + namespace: "{{ .Release.Namespace }}" +data: +{{- range $index := until ( int ( .Values.replicas.tserver) ) }} + yb-tserver-{{.}}-pre_debug_hook.sh: "echo 'hello-from-pre' " + yb-tserver-{{.}}-post_debug_hook.sh: "echo 'hello-from-post' " +{{- end }} +--- diff --git a/charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml b/charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml similarity index 100% rename from charts/yugabyte/yugabyte/templates/multicluster-common-tserver-service.yaml rename to charts/yugabyte/yugabyte/templates/multicluster/common-tserver-service.yaml diff --git a/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml b/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml new file mode 100644 index 000000000..eeafcb1bb --- /dev/null +++ b/charts/yugabyte/yugabyte/templates/multicluster/mcs-service-export.yaml 
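Review bot: Both `range` loops in debug_config_map.yaml declare `$index` and then use `{{.}}`, so the variable is dead; either drop it (`{{- range until (int .Values.replicas.master) }}`) or use `{{ $index }}` in the key names. The file has no header comment and the `echo 'hello-from-*'` bodies are placeholders, so a reader cannot tell whether these are real hook points; I would add `{{/* Per-pod pre/post debug hook scripts, mounted at /opt/debug_hooks_config by service.yaml; replace the echo placeholders or keep them as no-ops */}}` at the top. Since the ConfigMap is mounted executable (`defaultMode: 0755`) into every master and tserver pod by service.yaml, that comment should also say who is expected to edit it — if the hooks run at startup as their names suggest, write access to this ConfigMap amounts to the ability to run commands inside the database pods.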
@@ -0,0 +1,21 @@ +{{- /* + Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export + https://github.com/kubernetes/enhancements/tree/master/keps/sig-multicluster/1645-multi-cluster-services-api#exporting-services +*/}} +{{- if .Values.multicluster.createServiceExports }} +apiVersion: {{ .Values.multicluster.mcsApiVersion }} +kind: ServiceExport +metadata: + name: {{ .Values.oldNamingStyle | ternary "yb-masters" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-masters") | quote }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "yugabyte.labels" . | indent 4 }} +--- +apiVersion: {{ .Values.multicluster.mcsApiVersion }} +kind: ServiceExport +metadata: + name: {{ .Values.oldNamingStyle | ternary "yb-tservers" (printf "%s-%s" (include "yugabyte.fullname" .) "yb-tservers") | quote }} + namespace: "{{ .Release.Namespace }}" + labels: + {{- include "yugabyte.labels" . | indent 4 }} +{{ end -}} diff --git a/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml b/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml similarity index 82% rename from charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml rename to charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml index a26b39018..15e09dce8 100644 --- a/charts/yugabyte/yugabyte/templates/multicluster-multiple-services.yaml +++ b/charts/yugabyte/yugabyte/templates/multicluster/service-per-pod.yaml 
@@ -11,11 +11,19 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $ | indent 4 }} + service-type: "non-endpoint" spec: ports: {{- range $label, $port := $server.ports }} + {{- if (eq $label "grpc-ybc-port") }} + {{- if $.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} + {{- end }} + {{- else }} + - name: {{ $label | quote }} + port: {{ $port }} + {{- end }} {{- end}} selector: statefulset.kubernetes.io/pod-name: {{ $podName | quote }} diff --git a/charts/yugabyte/yugabyte/templates/secrets.yaml b/charts/yugabyte/yugabyte/templates/secrets.yaml new file mode 100644 index 000000000..0bd903457 --- /dev/null +++ b/charts/yugabyte/yugabyte/templates/secrets.yaml @@ -0,0 +1,7 @@ +{{- $root := . -}} +--- # Create secrets from other namespaces for masters. +{{- $data := dict "secretenv" $.Values.master.secretEnv "root" . "suffix" "master"}} +{{- include "yugabyte.envsecrets" $data }} +--- # Create secrets from other namespaces for tservers. +{{- $data := dict "secretenv" $.Values.tserver.secretEnv "root" . "suffix" "tserver" }} +{{- include "yugabyte.envsecrets" $data }} \ No newline at end of file diff --git a/charts/yugabyte/yugabyte/templates/service.yaml b/charts/yugabyte/yugabyte/templates/service.yaml index f44ece98d..f3fc56a83 100644 --- a/charts/yugabyte/yugabyte/templates/service.yaml +++ b/charts/yugabyte/yugabyte/templates/service.yaml @@ -24,7 +24,7 @@ data: {{- end }} --- {{- end }} - +--- {{- range .Values.Services }} {{- $service := . -}} {{- $appLabelArgs := dict "label" .label "root" $root -}} 
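Review bot: The `grpc-ybc-port` guard in service-per-pod.yaml nests two `if`s and repeats the `- name:`/`port:` pair in both arms; the same shape is introduced again in service.yaml's headless-service `ports:` hunk. A single condition removes the duplication: `{{- if or (ne $label "grpc-ybc-port") $.Values.ybc.enabled }}` (with `$root.Values.ybc.enabled` in service.yaml) around one copy of the two lines.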
@@ -46,12 +46,29 @@ data: {{- range $index := until ( int ( $replicas ) ) }} {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} + +{{- if $root.Values.multicluster.createServiceExports -}} + {{- $nodeOldStyle = printf "%s-%d.%s.%s.%s.svc.clusterset.local" $service.label $index $root.Values.multicluster.kubernetesClusterId $service.name $root.Release.Namespace }} + {{- $nodeNewStyle = printf "%s-%s-%d.%s.%s-%s.%s.svc.clusterset.local" (include "yugabyte.fullname" $root) $service.label $index $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} +{{- end -}} + +{{- if $root.Values.multicluster.createServicePerPod -}} + {{- $nodeOldStyle = printf "%s-%d.%s.svc.%s" $service.label $index $root.Release.Namespace $root.Values.domainName }} + {{- $nodeNewStyle = printf "%s-%s-%d.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index $root.Release.Namespace $root.Values.domainName }} +{{- end -}} + {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} {{- if $root.Values.tls.rootCA.key }} -{{- $dns1 := printf "*.*.%s" $root.Release.Namespace }} +{{- $dns1 := printf "*.%s-%s.%s" (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} {{- $dns2 := printf "%s.svc.%s" $dns1 $root.Values.domainName }} +{{- if $root.Values.multicluster.createServiceExports -}} + {{- $dns1 = printf "*.%s.%s-%s.%s.svc.clusterset.local" $root.Values.multicluster.kubernetesClusterId (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace }} +{{- end -}} +{{- if $root.Values.multicluster.createServicePerPod -}} + {{- $dns1 = printf "*.%s.svc.%s" 
$root.Release.Namespace $root.Values.domainName }} +{{- end -}} {{- $rootCA := buildCustomCert $root.Values.tls.rootCA.cert $root.Values.tls.rootCA.key -}} -{{- $server := genSignedCert $node ( default nil ) (list $dns1 $dns2 ) 3650 $rootCA }} +{{- $server := genSignedCert $node ( default nil ) (list $node $dns1 $dns2 ) 3650 $rootCA }} node.{{$node}}.crt: {{ $server.Cert | b64enc }} node.{{$node}}.key: {{ $server.Key | b64enc }} {{- else }} @@ -75,13 +92,20 @@ spec: clusterIP: None ports: {{- range $label, $port := .ports }} + {{- if (eq $label "grpc-ybc-port") }} + {{- if $root.Values.ybc.enabled }} - name: {{ $label | quote }} port: {{ $port }} + {{- end }} + {{- else }} + - name: {{ $label | quote }} + port: {{ $port }} + {{- end }} {{- end}} selector: {{- include "yugabyte.appselector" ($appLabelArgs) | indent 4 }} -{{ if $root.Values.enableLoadBalancer }} +{{- if $root.Values.enableLoadBalancer }} {{- range $endpoint := $root.Values.serviceEndpoints }} {{- if eq $service.label $endpoint.app }} --- @@ -94,11 +118,12 @@ metadata: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 4 }} {{- include "yugabyte.labels" $root | indent 4 }} + service-type: "endpoint" spec: - {{ if eq $root.Release.Service "Tiller" }} + {{- if eq $root.Release.Service "Tiller" }} clusterIP: - {{ else }} - {{ if $endpoint.clusterIP }} + {{- else }} + {{- if $endpoint.clusterIP }} clusterIP: {{ $endpoint.clusterIP }} {{- end }} {{- end }} @@ -116,7 +141,7 @@ spec: {{- end }} {{- end}} {{- end}} -{{ end }} +{{- end}} --- apiVersion: apps/v1 @@ -197,6 +222,9 @@ spec: labels: {{- include "yugabyte.applabel" ($appLabelArgs) | indent 8 }} {{- include "yugabyte.labels" $root | indent 8 }} + {{- if $root.Values.istioCompatibility.enabled }} + sidecar.istio.io/inject: "true" + {{- end }} {{- if eq .name "yb-masters" }} {{- with $root.Values.master.podLabels }}{{ toYaml . | nindent 8 }}{{ end }} {{- else }} 
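Review bot: In the `createServicePerPod` branch of the self-signed certificate block in service.yaml, `$dns1` becomes `*.<namespace>.svc.<domain>`, a wildcard that matches every Service in the namespace rather than just this release's pods; the `createServiceExports` and default branches are narrowed to the release's service name, so this one stands out. The per-pod node names in that branch are `<label>-<n>.<namespace>.svc.<domain>`, so the wide wildcard appears unavoidable, and a comment should say so: `{{/* per-pod services are <label>-<n>.<ns>, so the SAN has to cover the whole namespace */}}`. Adding `$node` itself to the SAN list (`list $node $dns1 $dns2`) is a good fix, since modern clients ignore the CN when SANs are present.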
@@ -214,62 +242,95 @@ spec: nodeSelector: {{ toYaml $root.Values.nodeSelector | indent 8 }} {{- end }} - terminationGracePeriodSeconds: 300 {{- if eq .name "yb-masters" }} # yb-masters + {{- with $root.Values.master.serviceAccount }} + serviceAccountName: {{ . }} + {{- end }} {{- if $root.Values.master.tolerations }} tolerations: {{- with $root.Values.master.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- else }} # yb-tservers + {{- with $root.Values.tserver.serviceAccount }} + serviceAccountName: {{ . }} + {{- end }} {{- if $root.Values.tserver.tolerations }} tolerations: {{- with $root.Values.tserver.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} {{- end }} {{- end }} + terminationGracePeriodSeconds: 300 affinity: - # Set the anti-affinity selector scope to YB masters. + # Set the anti-affinity selector scope to YB masters and tservers. + {{- $nodeAffinityData := dict}} + {{- if eq .name "yb-masters" -}} + {{- $nodeAffinityData = get $root.Values.master.affinity "nodeAffinity" | default (dict) -}} + {{- else -}} + {{- $nodeAffinityData = get $root.Values.tserver.affinity "nodeAffinity" | default (dict) -}} + {{- end -}} {{ if $root.Values.AZ }} - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: failure-domain.beta.kubernetes.io/zone - operator: In - values: - - {{ $root.Values.AZ }} - - matchExpressions: - - key: topology.kubernetes.io/zone - operator: In - values: - - {{ $root.Values.AZ }} + {{- $userSelectorTerms := dig "requiredDuringSchedulingIgnoredDuringExecution" "nodeSelectorTerms" "" $nodeAffinityData | default (list) -}} + {{- $baseAffinity := include "yugabyte.multiAZNodeAffinity" $root | fromYaml -}} + {{- $requiredSchedule := (list) -}} + {{- if $userSelectorTerms -}} + {{- range $userSelectorTerms -}} + {{- $userTerm := . 
-}} + {{- range $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} + {{- $matchExpr := concat .matchExpressions $userTerm.matchExpressions | dict "matchExpressions" -}} + {{- $requiredSchedule = mustMerge $matchExpr $userTerm | append $requiredSchedule -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- $requiredSchedule = $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution.nodeSelectorTerms -}} + {{- end -}} + + {{- with $baseAffinity.requiredDuringSchedulingIgnoredDuringExecution -}} + {{- $_ := set . "nodeSelectorTerms" $requiredSchedule -}} + {{- end -}} + {{- $nodeAffinityData = mustMerge $baseAffinity $nodeAffinityData -}} + {{- end -}} + + {{- $podAntiAffinityData := dict -}} + {{- $basePodAntiAffinity := include "yugabyte.podAntiAffinity" ($appLabelArgs) | fromYaml -}} + {{- if eq .name "yb-masters" -}} + {{- with $root.Values.master.affinity -}} + {{- $userPodAntiAffinity := get . "podAntiAffinity" | default (dict) -}} + {{- if $userPodAntiAffinity -}} + {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} + {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} + {{- end -}} + {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} + {{- end -}} + {{- else -}} + {{- with $root.Values.tserver.affinity -}} + {{- $userPodAntiAffinity := get . 
"podAntiAffinity" | default (dict) -}} + {{- if $userPodAntiAffinity -}} + {{- $preferredList := dig "preferredDuringSchedulingIgnoredDuringExecution" "" $userPodAntiAffinity | default (list) | concat $basePodAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution}} + {{- $_ := set $basePodAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" $preferredList -}} + {{- end -}} + {{- $podAntiAffinityData = mustMerge $basePodAntiAffinity $userPodAntiAffinity -}} + {{- end -}} + {{- end -}} + + {{- if eq .name "yb-masters" -}} + {{- if $nodeAffinityData -}} + {{- $_ := set $root.Values.master.affinity "nodeAffinity" $nodeAffinityData -}} + {{- end -}} + {{- $_ := set $root.Values.master.affinity "podAntiAffinity" $podAntiAffinityData -}} + {{ toYaml $root.Values.master.affinity | nindent 8 }} + {{- else -}} + {{- if $nodeAffinityData -}} + {{- $_ := set $root.Values.tserver.affinity "nodeAffinity" $nodeAffinityData -}} + {{- end -}} + {{- $_ := set $root.Values.tserver.affinity "podAntiAffinity" $podAntiAffinityData -}} + {{ toYaml $root.Values.tserver.affinity | nindent 8 }} {{ end }} - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - {{- if $root.Values.oldNamingStyle }} - - key: app - operator: In - values: - - "{{ .label }}" - {{- else }} - - key: app.kubernetes.io/name - operator: In - values: - - "{{ .label }}" - - key: release - operator: In - values: - - {{ $root.Release.Name | quote }} - {{- end }} - topologyKey: kubernetes.io/hostname - {{- if eq .name "yb-masters" }} - {{- with $root.Values.master.affinity }}{{ toYaml . | nindent 8 }}{{ end }} - {{- else }} - {{- with $root.Values.tserver.affinity }}{{ toYaml . | nindent 8 }}{{ end }} - {{- end }} + {{- with $root.Values.dnsConfig }} + dnsConfig: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $root.Values.dnsPolicy }} + dnsPolicy: {{ . 
| quote }} + {{- end }} containers: - name: "{{ .label }}" image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" @@ -321,18 +382,20 @@ spec: - name: YBDEVOPS_CORECOPY_DIR value: "/mnt/disk0/cores" {{- if eq .name "yb-masters" }} - {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} - {{- with $root.Values.master.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.master.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} + {{- $data := dict "secretenv" $root.Values.master.secretEnv "root" $root "suffix" "master"}} + {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} {{- else }} - {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{ end }} - {{- with $root.Values.tserver.secretEnv }}{{ toYaml . | nindent 8 }}{{ end }} + {{- with $root.Values.tserver.extraEnv }}{{ toYaml . | nindent 8 }}{{- end }} + {{- $data := dict "secretenv" $root.Values.tserver.secretEnv "root" $root "suffix" "tserver" }} + {{- include "yugabyte.addenvsecrets" $data | nindent 8 }} {{- end }} {{- if and $root.Values.tls.enabled $root.Values.tls.clientToServer (ne .name "yb-masters") }} - name: SSL_CERTFILE value: /root/.yugabytedb/root.crt {{- end }} resources: - {{ if eq .name "yb-masters" }} + {{- if eq .name "yb-masters" }} {{ toYaml $root.Values.resource.master | indent 10 }} {{ else }} {{ toYaml $root.Values.resource.tserver | indent 10 }} 
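Review bot: The affinity merge in service.yaml writes the computed result back into `$root.Values.master.affinity` / `$root.Values.tserver.affinity` with `set`, and `mustMerge` also mutates its first argument; because `.Values` is shared across the whole render, any other template that reads these keys afterwards sees the merged structure rather than what the user supplied, and a second pass over the same values could merge twice. Work on a copy — `{{- $nodeAffinityData = get ($root.Values.master.affinity | deepCopy) "nodeAffinity" | default (dict) -}}` — and emit the merged dict from a local instead of `set`-ting it back. The master and tserver halves of the ~60-line merge are identical apart from the values path, so a `yugabyte.mergeAffinity` define in `_helpers.tpl` taking the user affinity and `$appLabelArgs` would halve it and make it testable in isolation. Moving `terminationGracePeriodSeconds` below the branches and adding `serviceAccountName` per role look correct.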
@@ -363,10 +426,13 @@ spec: {{- $rpcPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $rpcDict) -}} {{- if $rpcPreflight -}}{{ $rpcPreflight | nindent 12 }}{{ end -}} {{- $broadcastAddr := include "yugabyte.server_broadcast_address" $serviceValues -}} - {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} - {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} - {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} - {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} + {{/* skip bind check for servicePerPod multi-cluster, we cannot/don't bind to service IP */}} + {{- if not $root.Values.multicluster.createServicePerPod }} + {{- $broadcastPort := index $service.ports "tcp-rpc-port" -}} + {{- $broadcastDict := dict "Addr" $broadcastAddr "Port" $broadcastPort -}} + {{- $broadcastPreflight := include "yugabyte.preflight_check" (set $serviceValues "Preflight" $broadcastDict) -}} + {{- if $broadcastPreflight -}}{{ $broadcastPreflight | nindent 12 }}{{ end -}} + {{- end }} {{- $webserverAddr := include "yugabyte.webserver_interface" $serviceValues -}} {{- $webserverPort := index $service.ports "http-ui" -}} {{- $webserverDict := dict "Addr" $webserverAddr "Port" $webserverPort -}} 
@@ -377,6 +443,25 @@ spec: else k8s_parent="" fi && \ + {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} + echo "Creating ephemeral /opt/certs/yugabyte/ as symlink to persisted /mnt/disk0/certs/" && \ + mkdir -p /mnt/disk0/certs && \ + mkdir -p /opt/certs && \ + ln -s /mnt/disk0/certs /opt/certs/yugabyte && \ + if [[ ! -f /opt/certs/yugabyte/ca.crt ]]; then + echo "Fresh install of /opt/certs/yugabyte/ca.crt" + cp /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt; + fi && \ + cmp -s /home/yugabyte/cert-manager/ca.crt /opt/certs/yugabyte/ca.crt;sameRootCA=$? && \ + if [[ $sameRootCA -eq 0 ]]; then + echo "Refreshing tls certs at /opt/certs/yugabyte/"; + cp /home/yugabyte/cert-manager/tls.crt /opt/certs/yugabyte/node.{{$rpcAddr}}.crt; + cp /home/yugabyte/cert-manager/tls.key /opt/certs/yugabyte/node.{{$rpcAddr}}.key; + chmod 600 /opt/certs/yugabyte/* + else + echo "WARNING: Not refreshing certificates as the root ca.crt has changed" + fi && \ + {{- end }} {{- if eq .name "yb-masters" }} exec ${k8s_parent} /home/yugabyte/bin/yb-master \ {{- if not $root.Values.storage.ephemeral }} @@ -480,10 +565,18 @@ spec: {{- end }} ports: {{- range $label, $port := .ports }} + {{- if not (eq $label "grpc-ybc-port") }} - containerPort: {{ $port }} name: {{ $label | quote }} + {{- end }} {{- end}} volumeMounts: + {{- if (eq .name "yb-tservers") }} + - name: tserver-tmp + mountPath: /tmp + {{- end }} + - name: debug-hooks-volume + mountPath: /opt/debug_hooks_config {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
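Review bot: In the cert-manager bootstrap added to the container command, `ln -s /mnt/disk0/certs /opt/certs/yugabyte` has no `-f`/`-n`, so it fails — and, being in the `&&` chain, aborts startup — whenever `/opt/certs/yugabyte` already exists; the echo says the path is ephemeral, but `ln -sfn /mnt/disk0/certs /opt/certs/yugabyte && \` costs nothing and removes the assumption. The `cp` of `tls.key` lands with umask permissions and is only tightened by the later `chmod 600 /opt/certs/yugabyte/*`; `install -m 600 /home/yugabyte/cert-manager/tls.key /opt/certs/yugabyte/node.{{$rpcAddr}}.key;` (and the same for the crt) creates it private from the start. `cmp -s ... ;sameRootCA=$? && \` deliberately breaks the `&&` chain with a `;` so a differing CA does not abort, which deserves a one-line comment, and the `[[ ]]` tests assume bash — the shell invoking this command is outside the hunk, so confirm it is not plain `sh`.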
@@ -492,7 +585,7 @@ spec: {{- end }} {{- if $root.Values.tls.enabled }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - mountPath: /opt/certs/yugabyte + mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} readOnly: true - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} mountPath: /root/.yugabytedb/ 
@@ -531,9 +624,86 @@ spec: - name: {{ $root.Values.oldNamingStyle | ternary "datadir0" (printf "%s0" (include "yugabyte.volume_name" $root)) }} mountPath: /var/yugabyte/cores subPath: cores + {{- if $root.Values.ybCleanup.resources }} + resources: {{ toYaml $root.Values.ybCleanup.resources | nindent 10 }} + {{- end }} {{- end }} + {{- if and (eq .name "yb-tservers") ($root.Values.ybc.enabled) }} + - name: yb-controller + image: "{{ $root.Values.Image.repository }}:{{ $root.Values.Image.tag }}" + imagePullPolicy: {{ $root.Values.Image.pullPolicy }} + lifecycle: + postStart: + exec: + command: + - "bash" + - "-c" + - > + mkdir -p /mnt/disk0/yw-data/controller/tmp; + mkdir -p /mnt/disk0/yw-data/controller/conf; + mkdir -p /mnt/disk0/ybc-data/controller/logs; + mkdir -p /tmp/yugabyte/controller; + ln -sf /mnt/disk0/ybc-data/controller/logs /tmp/yugabyte/controller; + ln -sf /mnt/disk0/yw-data/controller/bin /tmp/yugabyte/controller; + rm -f /tmp/yugabyte/controller/yb-controller.pid; + {{- if and $root.Values.tls.enabled $root.Values.tls.certManager.enabled }} + mkdir -p /opt/certs; + ln -sf /mnt/disk0/certs /opt/certs/yugabyte; + {{- end }} + command: + - "/sbin/tini" + - "--" + args: + - "/bin/bash" + - "-c" + - > + while true; do + sleep 60; + /home/yugabyte/tools/k8s_ybc_parent.py status || /home/yugabyte/tools/k8s_ybc_parent.py start; + done + {{- with index $service.ports "grpc-ybc-port" }} + ports: + - containerPort: {{ . 
}} + name: "grpc-ybc-port" + {{- end }} + volumeMounts: + - name: tserver-tmp + mountPath: /tmp + {{- if not $root.Values.storage.ephemeral }} + {{- range $index := until (int ($storageInfo.count)) }} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} + mountPath: /mnt/disk{{ $index }} + {{- end }} + {{- end }} + {{- if $root.Values.tls.enabled }} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + mountPath: {{ $root.Values.tls.certManager.enabled | ternary "/home/yugabyte/cert-manager" "/opt/certs/yugabyte" }} + readOnly: true + {{- end }} + {{- if ($root.Values.tserver.extraVolumeMounts) -}} + {{- include "yugabyte.isExtraVolumesMappingExists" $root.Values.tserver -}} + {{- $root.Values.tserver.extraVolumeMounts | toYaml | nindent 10 -}} + {{- end -}} + {{- if $root.Values.ybc.resources }} + resources: {{ toYaml $root.Values.ybc.resources | nindent 10 }} + {{- end }} + {{- end}} + volumes: + {{- if (eq .name "yb-masters") }} + - name: debug-hooks-volume + configMap: + name: {{ include "yugabyte.fullname" $root }}-master-hooks + defaultMode: 0755 + {{- else if (eq .name "yb-tservers") }} + - name: debug-hooks-volume + configMap: + name: {{ include "yugabyte.fullname" $root }}-tserver-hooks + defaultMode: 0755 + - name: tserver-tmp + emptyDir: {} + {{- end }} {{ if not $root.Values.storage.ephemeral }} {{- range $index := until (int ($storageInfo.count)) }} - name: {{ $root.Values.oldNamingStyle | ternary (printf "datadir%d" $index) (printf "%s%d" (include "yugabyte.volume_name" $root) $index) }} 
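Review bot: The `debug-hooks-volume` ConfigMaps (`<fullname>-master-hooks` / `-tserver-hooks`) are mounted with `defaultMode: 0755`, which makes every key executable inside the DB pods, so write access to those ConfigMaps is effectively code execution in yb-master and yb-tserver, and nothing in the hunk records that trust boundary. A comment above the volume such as `# Hook scripts are executable inside the DB pods: restrict write access to these ConfigMaps` would let operators scope RBAC accordingly. The new `yb-controller` container declares no `securityContext` and no probes, and its `while true` loop re-running `k8s_ybc_parent.py start` every 60s hides a persistently failing controller from Kubernetes; whether a pod-level `securityContext` covers it is not visible in this hunk.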
@@ -542,25 +712,24 @@ spec: {{- end }} {{- end }} {{- if $root.Values.tls.enabled }} + {{- if $root.Values.tls.certManager.enabled }} + {{- /* certManager enabled */}} + - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + projected: + sources: + {{- if not $root.Values.tls.certManager.bootstrapSelfsigned }} + - secret: + name: {{ printf "%s-root-ca" (include "yugabyte.fullname" $root) }} + {{- end }} + - secret: + name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} + {{- else }} + {{/* certManager disabled */}} - name: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary (printf "%s-yugabyte-tls-cert" .label) (printf "%s-%s-tls-cert" (include "yugabyte.fullname" $root) .label) }} - {{- if $root.Values.tls.certManager.enabled }} - items: - {{- $replicas := (eq .name "yb-masters") | ternary $root.Values.replicas.master $root.Values.replicas.tserver -}} - {{- range $index := until ( int ( $replicas ) ) }} - {{- $nodeOldStyle := printf "%s-%d.%s.%s.svc.%s" $service.label $index $service.name $root.Release.Namespace $root.Values.domainName }} - {{- $nodeNewStyle := printf "%s-%s-%d.%s-%s.%s.svc.%s" (include "yugabyte.fullname" $root) $service.label $index (include "yugabyte.fullname" $root) $service.name $root.Release.Namespace $root.Values.domainName }} - {{- $node := $root.Values.oldNamingStyle | ternary $nodeOldStyle $nodeNewStyle }} - - key: tls.crt - path: node.{{$node}}.crt - - key: tls.key - path: node.{{$node}}.key - {{- end }} - - key: ca.crt - path: ca.crt - {{- end }} defaultMode: 256 + {{- end }} - name: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf 
"%s-client-tls" (include "yugabyte.fullname" $root)) }} secret: secretName: {{ $root.Values.oldNamingStyle | ternary "yugabyte-tls-client-cert" (printf "%s-client-tls" (include "yugabyte.fullname" $root)) }} diff --git a/charts/yugabyte/yugabyte/values.yaml b/charts/yugabyte/yugabyte/values.yaml index bed2222da..8167c76be 100644 --- a/charts/yugabyte/yugabyte/values.yaml +++ b/charts/yugabyte/yugabyte/values.yaml @@ -2,10 +2,15 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. Component: "yugabytedb" + +fullnameOverride: "" +nameOverride: "" + Image: repository: "yugabytedb/yugabyte" - tag: 2.14.15.0-b57 + tag: 2.18.6.0-b73 pullPolicy: IfNotPresent + pullSecretName: "" storage: ephemeral: false # will not allocate PVs when true @@ -21,27 +26,38 @@ storage: resource: master: requests: - cpu: 2 + cpu: "2" memory: 2Gi limits: - cpu: 2 + cpu: "2" memory: 2Gi tserver: requests: - cpu: 2 + cpu: "2" memory: 4Gi limits: - cpu: 2 + cpu: "2" memory: 4Gi replicas: master: 3 tserver: 3 + ## Used to set replication factor when isMultiAz is set to true + totalMasters: 3 partition: master: 0 tserver: 0 +# Used in Multi-AZ setup +masterAddresses: "" + +isMultiAz: false +AZ: "" + +# Disable the YSQL +disableYsql: false + tls: # Set to true to enable the TLS. enabled: false 
@@ -52,25 +68,33 @@ tls: # Set enabled to true to use cert-manager instead of providing your own rootCA certManager: enabled: false - # Will create own ca certificate and issuer when set to false + # Will create own ca certificate and issuer when set to true + bootstrapSelfsigned: true + # Use ClusterIssuer when set to true, otherwise use Issuer useClusterIssuer: false - # ignored when useClusterIssuer is false + # Name of ClusterIssuer to use when useClusterIssuer is true clusterIssuer: cluster-ca + # Name of Issuer to use when useClusterIssuer is false + issuer: yugabyte-ca certificates: # The lifetime before cert-manager will issue a new certificate. # The re-issued certificates will not be automatically reloaded by the service. # It is necessary to provide some external means of restarting the pods. duration: 2160h # 90d renewBefore: 360h # 15d - algorithm: ECDSA # ECDSA or RSA - # Can be 2046, 4096 or 8192 for RSA + algorithm: RSA # ECDSA or RSA + # Can be 2048, 4096 or 8192 for RSA # Or 256, 384 or 521 for ECDSA - keySize: 521 + keySize: 2048 - # Will be ignored when certManager.enabled=true + ## When certManager.enabled=false, rootCA.cert and rootCA.key are used to generate TLS certs. + ## When certManager.enabled=true and boostrapSelfsigned=true, rootCA is ignored. + ## When certManager.enabled=true and bootstrapSelfsigned=false, only rootCA.cert is used + ## to verify TLS certs generated and signed by the external provider. rootCA: cert: "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" key: "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" + ## When tls.certManager.enabled=false ## nodeCert and clientCert will be used only when rootCA.key is empty. ## Will be ignored and genSignedCert will be used to generate ## node and client certs if rootCA.key is provided. 
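Review bot: The new `rootCA` comment misspells the option as `boostrapSelfsigned` while the key added above is `bootstrapSelfsigned`, which matters because operators grep values for the exact name. The same comment could also state that with `certManager.enabled=false` the `rootCA.key` value is stored in-cluster in the Helm release secret along with all other values, so the CA private key does not stay on the operator's workstation; this is presumably standard Helm behaviour but is worth one line next to a private-key field. The defaults moving from ECDSA P-521 to RSA 2048 are a compatibility choice and deserve a short note so nobody reads it as a downgrade by accident.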
@@ -85,33 +109,58 @@ tls: gflags: master: default_memory_limit_to_ram_ratio: 0.85 -# tserver: + tserver: {} # use_cassandra_authentication: false PodManagementPolicy: Parallel enableLoadBalancer: true -isMultiAz: false +ybc: + enabled: false + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + # resources: + # requests: + # cpu: "1" + # memory: 1Gi + # limits: + # cpu: "1" + # memory: 1Gi + +ybCleanup: {} + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + # resources: + # requests: + # cpu: "1" + # memory: 1Gi + # limits: + # cpu: "1" + # memory: 1Gi domainName: "cluster.local" serviceEndpoints: - name: "yb-master-ui" type: LoadBalancer + annotations: {} + clusterIP: "" ## Sets the Service's externalTrafficPolicy - # externalTrafficPolicy: "" + externalTrafficPolicy: "" app: "yb-master" - # loadBalancerIP: "" + loadBalancerIP: "" ports: http-ui: "7000" - name: "yb-tserver-service" type: LoadBalancer + annotations: {} + clusterIP: "" ## Sets the Service's externalTrafficPolicy - # externalTrafficPolicy: "" + externalTrafficPolicy: "" app: "yb-tserver" - # loadBalancerIP: "" + loadBalancerIP: "" ports: tcp-yql-port: "9042" tcp-yedis-port: "6379" @@ -138,8 +187,11 @@ Services: http-ycql-met: "12000" http-yedis-met: "11000" http-ysql-met: "13000" + grpc-ybc-port: "18018" -## Should be set to true only if Istio is being used. + +## Should be set to true only if Istio is being used. This also adds +## the Istio sidecar injection labels to the pods. ## TODO: remove this once ## https://github.com/yugabyte/yugabyte-db/issues/5641 is fixed. ## 
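Review bot: `grpc-ybc-port: "18018"` is appended to the `Services` port map, while the statefulset template explicitly filters that label out of the yb-tserver container ports and binds it only in the yb-controller container. If the headless or `serviceEndpoints` Service templates iterate the same map (they are outside this hunk), the backup controller's gRPC port would be published through the `yb-tserver-service` LoadBalancer; a comment such as `# Internal backup-controller port; must not be published by a LoadBalancer Service` would record the intent. This only matters once `ybc.enabled` is switched from its default of `false`.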
@@ -156,6 +208,22 @@ multicluster: ## failover. Useful when using new naming style. createCommonTserverService: false + ## Enable it to deploy YugabyteDB in a multi-cluster services enabled + ## Kubernetes cluster (KEP-1645). This will create ServiceExport. + ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#registering_a_service_for_export + ## You can use this gist for the reference to deploy the YugabyteDB in a multi-cluster scenario. + ## Gist - https://gist.github.com/baba230896/78cc9bb6f4ba0b3d0e611cd49ed201bf + createServiceExports: false + + ## Mandatory variable when createServiceExports is set to true. + ## Use: In case of GKE, you need to pass GKE Hub Membership Name. + ## GKE Ref - https://cloud.google.com/kubernetes-engine/docs/how-to/multi-cluster-services#enabling + kubernetesClusterId: "" + + ## mcsApiVersion is used for the MCS resources created by the + ## chart. Set to net.gke.io/v1 when using GKE MCS. + mcsApiVersion: "multicluster.x-k8s.io/v1alpha1" + serviceMonitor: ## If true, two ServiceMonitor CRs are created. One for yb-master ## and one for yb-tserver 
@@ -231,9 +299,37 @@ affinity: {} statefulSetAnnotations: {} +networkAnnotation: {} + +commonLabels: {} + +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} + + master: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml + # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes + # has. Each new node selector term is ORed together, and each match expression or match field in + # a single selector is ANDed together. + # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value + # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity + # terms. + # + # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. + # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -245,6 +341,8 @@ master: # values: # - "yb-master" # topologyKey: kubernetes.io/hostname + # + # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the Master pods. 
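Review bot: The new affinity comment in the `master` section misspells `kubernentes` (should be `kubernetes`), and the identical paragraph is duplicated verbatim in the `tserver` section below; pointing both at `examples/yugabyte/affinity_overrides.yaml` with one shared explanation avoids keeping two copies in sync. `dnsPolicy: ""` is documented with `ClusterFirst` as an example, but whether the template omits the field or emits an empty string for the default is not visible here and should be stated in the comment, since an empty `dnsPolicy` is rejected by the API server.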
@@ -301,10 +399,23 @@ master: # mountPath: /home/yugabyte/nfs-backup extraVolumeMounts: [] + ## Set service account for master DB pods. The service account + ## should exist in the namespace where the master DB pods are brought up. + serviceAccount: "" + tserver: ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core ## This might override the default affinity from service.yaml + # To successfully merge, we need to follow rules for merging nodeSelectorTerms that kubernentes + # has. Each new node selector term is ORed together, and each match expression or match field in + # a single selector is ANDed together. + # This means, if a pod needs to be scheduled on a label 'custom_label_1' with a value + # 'custom_value_1', we need to add this 'subterm' to each of our pre-defined node affinity + # terms. + # + # Pod anti affinity is a simpler merge. Each term is applied separately, and the weight is tracked. + # The pod that achieves the highest weight is selected. ## Example. # affinity: # podAntiAffinity: @@ -316,6 +427,7 @@ tserver: # values: # - "yb-tserver" # topologyKey: kubernetes.io/hostname + # For further examples, see examples/yugabyte/affinity_overrides.yaml affinity: {} ## Extra environment variables passed to the TServer pods. @@ -328,13 +440,16 @@ tserver: # fieldPath: status.hostIP extraEnv: [] - # secretEnv variables are used to expose secrets data as env variables in the tserver pods. - # TODO Add namespace also to support copying secrets from other namespace. + ## secretEnv variables are used to expose secrets data as env variables in the tserver pods. + ## If namespace field is not specified we assume that user already + ## created the secret in the same namespace as DB pods. + ## Example # secretEnv: # - name: MYSQL_LDAP_PASSWORD # valueFrom: # secretKeyRef: # name: secretName + # namespace: my-other-namespace-with-ldap-secret # key: password secretEnv: [] 
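Review bot: The new `namespace` key under `tserver.secretEnv` lets an entry reference a Secret in another namespace, but a Pod cannot consume a cross-namespace Secret directly, so something outside this hunk must copy it into the DB namespace; the comment should name what performs the copy and that it needs `get` on secrets in the source namespace. That copy also widens the blast radius, since a copied LDAP password then lives in two namespaces with two RBAC surfaces. Suggest extending the comment with `## The secret is copied into the DB namespace; the copying identity needs read access to it in the source namespace.`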
@@ -377,6 +492,10 @@ tserver: # path: /home/yugabyte/nfs-backup extraVolumeMounts: [] + ## Set service account for tserver DB pods. The service account + ## should exist in the namespace where the tserver DB pods are brought up. + serviceAccount: "" + helm2Legacy: false ip_version_support: "v4_only" # v4_only, v6_only are the only supported values at the moment diff --git a/charts/yugabyte/yugaware/Chart.yaml b/charts/yugabyte/yugaware/Chart.yaml index 62bdc3625..228eaef2f 100644 --- a/charts/yugabyte/yugaware/Chart.yaml +++ b/charts/yugabyte/yugaware/Chart.yaml @@ -3,15 +3,20 @@ annotations: catalog.cattle.io/display-name: YugabyteDB Anywhere catalog.cattle.io/kube-version: '>=1.18-0' catalog.cattle.io/release-name: yugaware -apiVersion: v1 -appVersion: 2.14.15.0-b57 -description: YugaWare is YugaByte Database's Orchestration and Management console. + charts.openshift.io/name: yugaware +apiVersion: v2 +appVersion: 2.18.6.0-b73 +description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB cluster + with multiple pods provided by Kubernetes or OpenShift and logically grouped together + to form one logical distributed database. home: https://www.yugabyte.com icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 +kubeVersion: '>=1.18-0' maintainers: -- email: ram@yugabyte.com - name: Ram Sri -- email: arnav@yugabyte.com - name: Arnav Agarwal +- email: sanketh@yugabyte.com + name: Sanketh Indarapu +- email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla name: yugaware -version: 2.14.15 +version: 2.18.6 diff --git a/charts/yugabyte/yugaware/README.md b/charts/yugabyte/yugaware/README.md index fa27ce3e0..0d190c0be 100644 --- a/charts/yugabyte/yugaware/README.md +++ b/charts/yugabyte/yugaware/README.md 
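Review bot: `tserver.serviceAccount` (like `master.serviceAccount` above) attaches an operator-provided ServiceAccount to the DB pods, but the comment does not say whether its token is still auto-mounted into the pod; DB pods presumably need no Kubernetes API access, so the comment should recommend `automountServiceAccountToken: false` on that ServiceAccount or state that the template sets it on the pod. The Chart.yaml change on the same line is a version and maintainer bump and needs no review.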
@@ -1,5 +1,7 @@ YugabyteDB Anywhere gives you the simplicity and support to deliver a private database-as-a-service (DBaaS) at scale. Use YugabyteDB Anywhere to deploy YugabyteDB across any cloud anywhere in the world with a few clicks, simplify day 2 operations through automation, and get the services needed to realize business outcomes with the database. -YugabyteDB Anywhere can be deployed using this helm chart. Detailed documentation is available at +YugabyteDB Anywhere can be deployed using this Helm chart. Detailed documentation is available at: +- [Install YugabyteDB Anywhere software - Kubernetes](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/kubernetes/) +- [Install YugabyteDB Anywhere software - OpenShift (Helm based)](https://docs.yugabyte.com/preview/yugabyte-platform/install-yugabyte-platform/install-software/openshift/#helm-based-installation) [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/yugabyte)](https://artifacthub.io/packages/search?repo=yugabyte) diff --git a/charts/yugabyte/yugaware/openshift.values.yaml b/charts/yugabyte/yugaware/openshift.values.yaml new file mode 100644 index 000000000..6e797bfe8 --- /dev/null +++ b/charts/yugabyte/yugaware/openshift.values.yaml @@ -0,0 +1,24 @@ +# OCP compatible values for yugaware + +image: + + repository: quay.io/yugabyte/yugaware-ubi + + postgres: + registry: registry.redhat.io + tag: 1-88.1661531722 + name: rhscl/postgresql-13-rhel7 + + prometheus: + registry: registry.redhat.io + tag: v4.11.0 + name: openshift4/ose-prometheus + +rbac: + create: false + +ocpCompatibility: + enabled: true + +securityContext: + enabled: false diff --git a/charts/yugabyte/yugaware/questions.yaml b/charts/yugabyte/yugaware/questions.yaml index 11378b60c..446d616e1 100644 --- a/charts/yugabyte/yugaware/questions.yaml +++ b/charts/yugabyte/yugaware/questions.yaml 
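Review bot: `securityContext: enabled: false` and `rbac: create: false` in the new `openshift.values.yaml` are unexplained; on OpenShift the restricted SCC assigns an arbitrary UID and rejects the chart's own `runAsUser`, which is presumably why they are off, but the file should say so, e.g. `# OpenShift SCCs assign the UID; the chart's securityContext must stay disabled`. The pinned `rhscl/postgresql-13-rhel7` tag `1-88.1661531722` and `ose-prometheus` `v4.11.0` are fixed builds that will not pick up Red Hat errata without a chart change, so a comment with the pin date helps operators schedule refreshes.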
@@ -15,7 +15,7 @@ questions: label: Yugabyte Platform image repository description: "Yugabyte Platform image repository" - variable: image.tag - default: "2.14.1.0-b36" + default: "2.5.1.0-b153" required: false type: string label: Yugabyte Platform image tag diff --git a/charts/yugabyte/yugaware/templates/_default_values.tpl b/charts/yugabyte/yugaware/templates/_default_values.tpl new file mode 100644 index 000000000..b55e7ba81 --- /dev/null +++ b/charts/yugabyte/yugaware/templates/_default_values.tpl @@ -0,0 +1,14 @@ +{{/* + The usage of helm upgrade [RELEASE] [CHART] --reuse-values --set [variable]:[value] throws an + error in the event that new entries are inserted to the values chart. + + This is because reuse-values flag uses the values from the last release. If --set (/--set-file/ + --set-string/--values/-f) is applied with the reuse-values flag, the values from the last + release are overridden for those variables alone, and newer changes to the chart are + unacknowledged. + + https://medium.com/@kcatstack/understand-helm-upgrade-flags-reset-values-reuse-values-6e58ac8f127e + + To prevent errors while applying upgrade with --reuse-values and --set flags after introducing + new variables, default values can be specified in this file. +*/}} diff --git a/charts/yugabyte/yugaware/templates/_helpers.tpl b/charts/yugabyte/yugaware/templates/_helpers.tpl index 329dba6ce..2ce99a3dc 100644 --- a/charts/yugabyte/yugaware/templates/_helpers.tpl +++ b/charts/yugabyte/yugaware/templates/_helpers.tpl 
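Review bot: The `questions.yaml` default for `image.tag` moves from `2.14.1.0-b36` to `2.5.1.0-b153` while Chart.yaml in this same change sets `appVersion: 2.18.6.0-b73`, so a Rancher catalog install that accepts the default would pull a build several major versions older than the chart shipping it, missing years of fixes and possibly incompatible with the updated templates. The default should track appVersion: `default: "2.18.6.0-b73"`. The new `_default_values.tpl` is comment-only and needs no review.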
@@ -169,6 +169,57 @@ server.pem: {{ $serverPemContent }} {{- end -}} {{- end -}} +{{/* +Check export of nss_wrapper environment variables required +*/}} +{{- define "checkNssWrapperExportRequired" -}} + {{- if .Values.securityContext.enabled -}} + {{- if and (ne (int .Values.securityContext.runAsUser) 0) (ne (int .Values.securityContext.runAsUser) 10001) -}} + {{- printf "true" -}} + {{- end -}} + {{- else -}} + {{- printf "false" -}} + {{- end -}} +{{- end -}} + + +{{/* + Verify the extraVolumes and extraVolumeMounts mappings. + Every extraVolumes should have extraVolumeMounts +*/}} +{{- define "yugaware.isExtraVolumesMappingExists" -}} + {{- $lenExtraVolumes := len .extraVolumes -}} + {{- $lenExtraVolumeMounts := len .extraVolumeMounts -}} + + {{- if and (eq $lenExtraVolumeMounts 0) (gt $lenExtraVolumes 0) -}} + {{- fail "You have not provided the extraVolumeMounts for extraVolumes." -}} + {{- else if and (eq $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} + {{- fail "You have not provided the extraVolumes for extraVolumeMounts." -}} + {{- else if and (gt $lenExtraVolumes 0) (gt $lenExtraVolumeMounts 0) -}} + {{- $volumeMountsList := list -}} + {{- range .extraVolumeMounts -}} + {{- $volumeMountsList = append $volumeMountsList .name -}} + {{- end -}} + + {{- $volumesList := list -}} + {{- range .extraVolumes -}} + {{- $volumesList = append $volumesList .name -}} + {{- end -}} + + {{- range $volumesList -}} + {{- if not (has . $volumeMountsList) -}} + {{- fail (printf "You have not provided the extraVolumeMounts for extraVolume %s" .) -}} + {{- end -}} + {{- end -}} + + {{- range $volumeMountsList -}} + {{- if not (has . $volumesList) -}} + {{- fail (printf "You have not provided the extraVolumes for extraVolumeMounts %s" .) -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + {{/* Make list of custom http headers */}} @@ -183,4 +234,4 @@ Make list of custom http headers {{- end -}} {{- end -}} ] -{{- end -}} +{{- end -}} \ No newline at end of file 
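Review bot: `checkNssWrapperExportRequired` prints `"true"` when securityContext is enabled with a non-0, non-10001 `runAsUser`, `"false"` when securityContext is disabled, and nothing at all when it is enabled with UID 0 or 10001, so any caller testing `eq "false"` misbehaves in the third case; add `{{- else -}}` / `{{- printf "false" -}}` to the inner `if`. Note also that `int .Values.securityContext.runAsUser` yields 0 when the value is unset, which is then treated as root and silently skips nss_wrapper; the helper should document that contract or `fail` when `runAsUser` is missing. The helper's callers are outside this hunk.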
diff --git a/charts/yugabyte/yugaware/templates/certificates.yaml b/charts/yugabyte/yugaware/templates/certificates.yaml new file mode 100644 index 000000000..ff4b7021a --- /dev/null +++ b/charts/yugabyte/yugaware/templates/certificates.yaml 
@@ -0,0 +1,99 @@ +# Copyright (c) YugaByte, Inc. + +{{- $root := . }} +{{- $tls := $root.Values.tls }} +{{- if and $tls.enabled $tls.certManager.enabled }} +{{- if $tls.certManager.genSelfsigned }} +{{- if $tls.certManager.useClusterIssuer }} +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: {{ $root.Release.Name }}-yugaware-cluster-issuer +spec: + selfSigned: {} +{{- else }} # useClusterIssuer=false +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ $root.Release.Name }}-yugaware-issuer + namespace: {{ $root.Release.Namespace }} +spec: + selfSigned: {} +--- +{{- end }} # useClusterIssuer +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $root.Release.Name }}-yugaware-ui-root-ca + namespace: {{ $root.Release.Namespace }} +spec: + isCA: true + commonName: Yugaware self signed CA + secretName: {{ .Release.Name }}-yugaware-root-ca + secretTemplate: + labels: + app: "{{ template "yugaware.name" . }}" + chart: "{{ template "yugaware.chart" . 
}}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + duration: {{ $tls.certManager.configuration.duration | quote }} + renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} + privateKey: + algorithm: {{ $tls.certManager.configuration.algorithm | quote }} + encoding: PKCS8 + size: {{ $tls.certManager.configuration.keySize }} + rotationPolicy: Always + issuerRef: + {{- if $tls.certManager.useClusterIssuer }} + name: {{ $root.Release.Name }}-yugaware-cluster-issuer + kind: ClusterIssuer + {{- else }} + name: {{ $root.Release.Name }}-yugaware-issuer + kind: Issuer + {{- end }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ $root.Release.Name }}-yugaware-ca-issuer + namespace: {{ $root.Release.Namespace }} +spec: + ca: + secretName: {{ .Release.Name }}-yugaware-root-ca +--- +{{- end }} # genSelfsigned +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $root.Release.Name }}-yugaware-ui-tls + namespace: {{ $root.Release.Namespace }} +spec: + isCA: false + commonName: {{ $tls.hostname }} + secretName: {{ .Release.Name }}-yugaware-tls-cert + secretTemplate: + labels: + app: "{{ template "yugaware.name" . }}" + chart: "{{ template "yugaware.chart" . 
}}" + release: {{ .Release.Name | quote }} + heritage: {{ .Release.Service | quote }} + duration: {{ $tls.certManager.configuration.duration | quote }} + renewBefore: {{ $tls.certManager.configuration.renewBefore | quote }} + privateKey: + algorithm: {{ $tls.certManager.configuration.algorithm | quote }} + encoding: PKCS8 + size: {{ $tls.certManager.configuration.keySize }} + rotationPolicy: Always + issuerRef: + name: {{ $tls.certManager.genSelfsigned | ternary (printf "%s%s" $root.Release.Name "-yugaware-ca-issuer") ($tls.certManager.useClusterIssuer | ternary $tls.certManager.clusterIssuer $tls.certManager.issuer) }} + {{- if $tls.certManager.useClusterIssuer }} + kind: ClusterIssuer + {{- else }} + kind: Issuer + {{- end }} +--- +{{- end }} diff --git a/charts/yugabyte/yugaware/templates/configs.yaml b/charts/yugabyte/yugaware/templates/configs.yaml index 932effddd..5c67697fc 100644 --- a/charts/yugabyte/yugaware/templates/configs.yaml +++ b/charts/yugabyte/yugaware/templates/configs.yaml 
@@ -31,27 +31,31 @@ data: log.override.path = "/opt/yugabyte/yugaware/data/logs" db { + default.dbname=${POSTGRES_DB} {{ if .Values.postgres.external.host }} default.host="{{ .Values.postgres.external.host }}" default.port={{ .Values.postgres.external.port }} - default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ else if eq .Values.ip_version_support "v6_only" }} - default.host="::1" - default.url="jdbc:postgresql://[::1]:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} + default.host="[::1]" {{ else }} default.host="127.0.0.1" - default.url="jdbc:postgresql://127.0.0.1:"${db.default.port}"/"${POSTGRES_DB}${db.default.params} {{ end }} + default.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} default.params="{{ .Values.jdbcParams }}" - default.driver=org.postgresql.Driver default.username=${POSTGRES_USER} default.password=${POSTGRES_PASSWORD} - default.logStatements=true - default.migration.initOnMigrate=true - default.migration.auto=true - } - ebean { - default = ["com.yugabyte.yw.models.*"] + {{ if .Values.yugaware.cloud.enabled }} + perf_advisor.driver="org.hsqldb.jdbc.JDBCDriver" + perf_advisor.url="jdbc:hsqldb:mem:perf-advisor" + perf_advisor.createDatabaseIfMissing=false + perf_advisor.username="sa" + perf_advisor.password="sa" + perf_advisor.migration.auto=false + perf_advisor.migration.disabled=true + {{ else }} + perf_advisor.url="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.perf_advisor.dbname}${db.default.params} + perf_advisor.createDatabaseUrl="jdbc:postgresql://"${db.default.host}":"${db.default.port}"/"${db.default.dbname}${db.default.params} + {{ end }} } {{- if .Values.tls.enabled }} 
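Review bot: The cloud branch hard-codes `perf_advisor.username="sa"` / `perf_advisor.password="sa"` for the perf-advisor store; because the URL is `jdbc:hsqldb:mem:` the database is in-process and not network-reachable, so this is acceptable, but a comment such as `# in-memory HSQLDB, credentials are local to the JVM` would keep it from being flagged by every secret scanner. Dropping `default.logStatements=true` is a good change, since statement logging can leak query parameters into the application log. `default.host="[::1]"` now carries the brackets that are concatenated into the shared `default.url`, matching the removed explicit v6 URL.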
@@ -140,7 +144,7 @@ data: {{- range $key, $value := .Values.additionalAppConf.nonStringConf }} {{ $key }} = {{ $value }} {{- end }} -{{- if .Values.tls.enabled }} +{{- if and .Values.tls.enabled (not .Values.tls.certManager.enabled) }} --- apiVersion: v1 kind: Secret @@ -155,8 +159,8 @@ type: Opaque data: {{- include "getOrCreateServerPem" (dict "Namespace" .Release.Namespace "Root" . "Name" (printf "%s%s" .Release.Name "-yugaware-tls-pem")) | nindent 2 }} {{- end }} - --- +{{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} apiVersion: v1 kind: ConfigMap metadata: @@ -182,6 +186,25 @@ data: docker-upgrade pg_upgrade | tee -a /pg_upgrade_logs/pg_upgrade_11_to_14.log; echo "host all all all scram-sha-256" >> "${PGDATANEW}/pg_hba.conf"; fi +{{- end }} +{{- if .Values.securityContext.enabled }} +--- +apiVersion: "v1" +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-yugaware-pg-prerun + labels: + app: {{ template "yugaware.name" . }} + chart: {{ template "yugaware.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Values.helm2Legacy | ternary "Tiller" (.Release.Service | quote) }} +data: + pg-prerun.sh: | + #!/bin/bash + set -x -o errexit + + mkdir -p $PGDATA && chown -R $PG_UID:$PG_GID $PGDATA; +{{- end }} {{- if .Values.prometheus.remoteWrite.tls.enabled }} --- @@ -252,7 +275,11 @@ data: - 'container_cpu_usage_seconds_total{pod=~"(.*)yb-(.*)"}' - 'container_memory_working_set_bytes{pod=~"(.*)yb-(.*)"}' # kube-state-metrics - - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' + # Supports >= OCP v4.4 + # OCP v4.4 has upgraded the KSM from 1.8.0 to 1.9.5. + # https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-release-notes.html#ocp-4-4-cluster-monitoring-version-updates + # - 'kube_pod_container_resource_requests_cpu_cores{pod=~"(.*)yb-(.*)"}' + - 'kube_pod_container_resource_requests{pod=~"(.*)yb-(.*)", unit="core"}' static_configs: - targets: 
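Review bot: `pg-prerun.sh` expands `$PGDATA`, `$PG_UID` and `$PG_GID` unquoted under `set -x -o errexit` without `-u`, so an unset `PGDATA` runs `mkdir -p` with no argument and `chown -R :` against nothing, and a path containing spaces is word-split; use `set -euxo pipefail` and `mkdir -p "$PGDATA" && chown -R "$PG_UID:$PG_GID" "$PGDATA"`. Since `chown -R` of the data directory needs root, the script presumably runs in a privileged init container, which is outside this hunk and worth stating in a comment. Gating the TLS `Secret` on `not .Values.tls.certManager.enabled` is correct, since cert-manager now owns that material.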
@@ -272,8 +299,15 @@ data: regex: "(.*)" target_label: "container_name" replacement: "$1" + # rename new name of the CPU metric to the old name and label + # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" + target_label: "__name__" + replacement: "kube_pod_container_resource_requests_cpu_cores" {{- else }} + {{- if .Values.prometheus.scrapeKubernetesNodes }} - job_name: 'kubernetes-nodes' @@ -322,8 +356,8 @@ data: - targets: ['kube-state-metrics.kube-system.svc.{{.Values.domainName}}:8080'] metric_relabel_configs: # Only keep the metrics which we care about - - source_labels: ["__name__"] - regex: "kube_pod_container_resource_requests_cpu_cores" + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" action: keep # Save the name of the metric so we can group_by since we cannot by __name__ directly... - source_labels: ["__name__"] @@ -342,6 +376,16 @@ data: - source_labels: ["pod_name"] regex: "(.*)yb-(.*)" action: keep + # rename new name of the CPU metric to the old name and label + # ref: https://github.com/kubernetes/kube-state-metrics/blob/master/CHANGELOG.md#v200-alpha--2020-09-16 + - source_labels: ["__name__", "unit"] + regex: "kube_pod_container_resource_requests;core" + target_label: "__name__" + replacement: "kube_pod_container_resource_requests_cpu_cores" + # Keep metrics for CPU, discard duplicate metrics + - source_labels: ["__name__"] + regex: "kube_pod_container_resource_requests_cpu_cores" + action: keep - job_name: 'kubernetes-cadvisor' @@ -387,6 +431,7 @@ data: action: keep {{- end }} + {{- end }} - job_name: 'platform' metrics_path: "/api/v1/prometheus_metrics" 
@@ -395,6 +440,12 @@ data: '{{ eq .Values.ip_version_support "v6_only" | ternary "[::1]" "127.0.0.1" }}:9000' ] + - job_name: 'node-agent' + metrics_path: "/metrics" + file_sd_configs: + - files: + - '/opt/yugabyte/prometheus/targets/node-agent.*.json' + - job_name: "node" file_sd_configs: - files: @@ -480,6 +531,8 @@ data: replacement: "$1" - job_name: "yugabyte" + tls_config: + insecure_skip_verify: true metrics_path: "/prometheus-metrics" file_sd_configs: - files: diff --git a/charts/yugabyte/yugaware/templates/global-config.yaml b/charts/yugabyte/yugaware/templates/global-config.yaml index 925e1bbb7..4d7f54f45 100644 --- a/charts/yugabyte/yugaware/templates/global-config.yaml +++ b/charts/yugabyte/yugaware/templates/global-config.yaml @@ -16,8 +16,8 @@ data: postgres_user: {{ .Values.postgres.external.user | b64enc | quote }} postgres_password: {{ .Values.postgres.external.pass | b64enc | quote }} {{- else }} - postgres_db: {{ "yugaware" | b64enc | quote }} - postgres_user: {{ "postgres" | b64enc | quote }} + postgres_db: {{ .Values.postgres.dbname | b64enc | quote }} + postgres_user: {{ .Values.postgres.user | b64enc | quote }} postgres_password: {{ include "getOrGeneratePasswordConfigMapToSecret" (dict "Namespace" .Release.Namespace "Name" (printf "%s%s" .Release.Name "-yugaware-global-config") "Key" "postgres_password") | quote }} {{- end }} app_secret: {{ randAlphaNum 64 | b64enc | b64enc | quote }} diff --git a/charts/yugabyte/yugaware/templates/rbac.yaml b/charts/yugabyte/yugaware/templates/rbac.yaml index 907f9e1ce..c1e2e057a 100644 --- a/charts/yugabyte/yugaware/templates/rbac.yaml +++ b/charts/yugabyte/yugaware/templates/rbac.yaml @@ -1,3 +1,4 @@ +{{ if not .Values.yugaware.serviceAccount }} apiVersion: v1 kind: ServiceAccount metadata: @@ -10,6 +11,7 @@ metadata: annotations: {{ toYaml .Values.yugaware.serviceAccountAnnotations | indent 4 }} {{- end }} +{{ end }} {{- if .Values.rbac.create }} {{- if .Values.ocpCompatibility.enabled }} --- 
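Review bot: The `yugabyte` scrape job now sets `tls_config: insecure_skip_verify: true`, which disables server-certificate verification for every DB node metrics endpoint and lets an on-path host serve forged metrics or capture whatever Prometheus presents. The DB node certificates are issued from a root CA the platform already holds, so the job should reference it, e.g. `tls_config:` / `ca_file: <path to the universe CA>`, with `insecure_skip_verify` only as an explicit opt-in value; the CA's on-disk path is not visible here. The new `node-agent` job has no `tls_config` at all, and whether node-agent serves plaintext or TLS should be stated in a comment.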
@@ -21,7 +23,7 @@ metadata: app: yugaware subjects: - kind: ServiceAccount - name: {{ .Release.Name }} + name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole 
@@ -29,43 +31,172 @@ roleRef: apiGroup: rbac.authorization.k8s.io {{- else }} --- -kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: name: {{ .Release.Name }} - labels: - k8s-app: yugaware - kubernetes.io/cluster-service: "true" - addonmanager.kubernetes.io/mode: Reconcile rules: -- apiGroups: [""] - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - - pods/exec - verbs: ["get", "list", "watch", "create"] +# Set of permissions required for operator - apiGroups: - - extensions + - operator.yugabyte.io resources: - - ingresses - verbs: ["get", "list", "watch"] -- nonResourceURLs: ["/metrics"] - verbs: ["get"] -- apiGroups: [""] + - "*" + verbs: + - "get" + - "create" + - "delete" + - "patch" + - "list" + - "watch" + - "update" +# Set of permissions required to install, upgrade, delete the yugabyte chart +- apiGroups: + - "policy" resources: - - namespaces - - secrets - - pods/portforward - verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] -- apiGroups: ["", "extensions"] + - "poddisruptionbudgets" + verbs: + - "get" + - "create" + - "delete" + - "patch" +- apiGroups: + - "" resources: - - deployments - - services - verbs: ["create", "get", "list", "watch", "update", "delete"] - + - "services" + verbs: + - "get" + - "delete" + - "create" + - "patch" +- apiGroups: + - "apps" + resources: + - "statefulsets" + verbs: + - "get" + - "list" + - "delete" + - "create" + - "patch" +- apiGroups: + - "" + resources: + - "secrets" + verbs: + - "create" + - "list" + - "get" + - "delete" + - "update" + - "patch" +- apiGroups: + - "cert-manager.io" + resources: + - "certificates" + verbs: + - "create" + - "delete" + - "get" + - "patch" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "get" + - "create" + - "patch" + - "delete" +# Set of permissions required by YBA to manage YB DB universes +- apiGroups: + - "" + resources: + - "namespaces" + verbs: + - "delete" + - "create" + - "patch" 
+ - "get" + - "list" +- apiGroups: + - "" + resources: + - "pods" + verbs: + - "get" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "services" + verbs: + - "get" + - "list" +- apiGroups: + - "" + resources: + - "persistentvolumeclaims" + verbs: + - "get" + - "patch" + - "list" + - "delete" +- apiGroups: + - "" + resources: + - "pods/exec" + verbs: + - "create" +- apiGroups: + - "apps" + resources: + - "statefulsets/scale" + verbs: + - "patch" +- apiGroups: + - "" + resources: + - "events" + verbs: + - "list" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes" + verbs: + - "list" + - "get" + - "watch" +# required to scrape resource metrics like CPU, memory, etc. +- apiGroups: + - "" + resources: + - "nodes/proxy" + verbs: + - "get" +# Ref: https://github.com/yugabyte/charts/commit/4a5319972385666487a7bc2cd0c35052f2cfa4c5 +- apiGroups: + - "" + resources: + - "events" + verbs: + - "get" + - "list" + - "watch" + - "create" + - "update" + - "patch" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + verbs: + - "list" + - "watch" + - "update" --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 @@ -77,7 +208,7 @@ metadata: addonmanager.kubernetes.io/mode: Reconcile subjects: - kind: ServiceAccount - name: {{ .Release.Name }} + name: {{ .Values.yugaware.serviceAccount | default .Release.Name }} namespace: {{ .Release.Namespace }} roleRef: kind: ClusterRole diff --git a/charts/yugabyte/yugaware/templates/service.yaml b/charts/yugabyte/yugaware/templates/service.yaml index 49fd54051..e02bb3d83 100644 --- a/charts/yugabyte/yugaware/templates/service.yaml +++ b/charts/yugabyte/yugaware/templates/service.yaml 
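Review bot: The rewritten ClusterRole still grants cluster-wide `secrets` get/list and `pods/exec` create (both present in the removed rules, now filed under the "install, upgrade, delete the yugabyte chart" heading), which together let the yugaware service account read any secret and run commands in any pod in the cluster; the new section comments do not explain why these cannot be scoped to the namespaces that universes are deployed into. Add a comment above the `secrets` rule recording that decision, e.g. `# cluster-wide because universe namespaces are created at runtime by YBA; a per-namespace Role+RoleBinding is preferable when the namespaces are known in advance`, so the breadth reads as deliberate rather than accidental. Separately, `events`, `configmaps` and `services` each appear in two rules with different verb sets; merging each pair into one rule makes the effective grant easier to audit. This hunk starts on the previous line and the ClusterRoleBinding that follows continues past it.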
@@ -40,6 +40,10 @@ spec: {{- if and (eq .Values.yugaware.service.type "LoadBalancer") (.Values.yugaware.service.ip) }} loadBalancerIP: "{{ .Values.yugaware.service.ip }}" {{- end }} + {{- if .Values.yugaware.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.yugaware.service.loadBalancerSourceRanges | nindent 4 }} + {{- end }} {{- end }} {{- if .Values.yugaware.serviceMonitor.enabled }} --- diff --git a/charts/yugabyte/yugaware/templates/statefulset.yaml b/charts/yugabyte/yugaware/templates/statefulset.yaml index c6a216c1d..f529ebbe6 100644 --- a/charts/yugabyte/yugaware/templates/statefulset.yaml +++ b/charts/yugabyte/yugaware/templates/statefulset.yaml @@ -25,8 +25,11 @@ spec: {{- end }} labels: app: {{ .Release.Name }}-yugaware +{{- if .Values.yugaware.pod.labels }} +{{ toYaml .Values.yugaware.pod.labels | indent 8 }} +{{- end }} spec: - serviceAccountName: {{ .Release.Name }} + serviceAccountName: {{ .Values.yugaware.serviceAccount | default .Release.Name }} imagePullSecrets: - name: {{ .Values.image.pullSecret }} {{- if .Values.securityContext.enabled }} @@ -36,6 +39,30 @@ spec: fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }} {{- end }} {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8}} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- with .Values.tolerations }}{{ toYaml . | nindent 8 }}{{ end }} + {{- end }} + {{- if .Values.zoneAffinity }} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: failure-domain.beta.kubernetes.io/zone + operator: In + values: +{{ toYaml .Values.zoneAffinity | indent 18 }} + - matchExpressions: + - key: topology.kubernetes.io/zone + operator: In + values: +{{ toYaml .Values.zoneAffinity | indent 18 }} + {{- end }} volumes: - name: yugaware-storage persistentVolumeClaim: 
@@ -84,15 +111,36 @@ spec: secret: secretName: {{ .Release.Name }}-yugaware-prometheus-remote-write-tls {{- end }} + {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - name: pg-upgrade-11-to-14 configMap: name: {{ .Release.Name }}-yugaware-pg-upgrade items: - key: pg-upgrade-11-to-14.sh path: pg-upgrade-11-to-14.sh + {{- end }} + - name: pg-init + configMap: + name: {{ .Release.Name }}-yugaware-pg-prerun + items: + - key: pg-prerun.sh + path: pg-prerun.sh + {{- if .Values.postgres.extraVolumes -}} + {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} + {{- .Values.postgres.extraVolumes | toYaml | nindent 8 -}} + {{ end }} + {{- with .Values.dnsConfig }} + dnsConfig: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dnsPolicy }} + dnsPolicy: {{ . | quote }} + {{- end }} initContainers: - image: {{ include "full_yugaware_image" . }} imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.initContainers.prometheusConfiguration.resources }} + resources: {{- toYaml .Values.initContainers.prometheusConfiguration.resources | nindent 12 }} + {{ end -}} name: prometheus-configuration {{- if .Values.securityContext.enabled }} command: @@ -120,9 +168,13 @@ spec: - name: init-container-script mountPath: /init-container {{- end }} + {{- if not (and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io")) }} - image: {{ include "full_image" (dict "containerName" "postgres-upgrade" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} name: postgres-upgrade + {{- if .Values.initContainers.postgresUpgrade.resources }} + resources: {{- toYaml .Values.initContainers.postgresUpgrade.resources | nindent 12 }} + {{ end -}} command: - 'bash' - '-c' 
@@ -152,12 +204,46 @@ spec: - name: yugaware-storage mountPath: /pg_upgrade_logs subPath: postgres_data_14 + {{- end }} + {{- if .Values.securityContext.enabled }} + - image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} + name: postgres-init + {{- if .Values.initContainers.postgresInit.resources }} + resources: {{- toYaml .Values.initContainers.postgresInit.resources | nindent 12 }} + {{ end -}} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: ["/bin/bash", "/pg_prerun/pg-prerun.sh"] + env: + - name: PGDATA + value: /var/lib/postgresql/data/pgdata + - name: PG_UID + value: {{ .Values.securityContext.runAsUser | quote }} + - name: PG_GID + value: {{ .Values.securityContext.runAsGroup | quote }} + volumeMounts: + - name: yugaware-storage + mountPath: /var/lib/postgresql/data + subPath: postgres_data_14 + - name: pg-init + mountPath: /pg_prerun + {{- end }} containers: {{ if not .Values.postgres.external.host }} - name: postgres image: {{ include "full_image" (dict "containerName" "postgres" "root" .) }} imagePullPolicy: {{ .Values.image.pullPolicy }} - args: ["-c", "huge_pages=off"] + args: + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + - "run-postgresql" + {{- end }} + - "-c" + - "huge_pages=off" + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ required "runAsUser cannot be empty" .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }} + runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} + {{- end }} env: - name: POSTGRES_USER valueFrom: 
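Review bot: In the new `securityContext` on the `postgres` container, `runAsGroup: {{ .Values.securityContext.runAsGroup | default 0 }}` silently puts the database process in GID 0 whenever the value is unset, while `runAsUser` on the line above is `required`; the two should fail the same way, `runAsGroup: {{ required "runAsGroup cannot be empty" .Values.securityContext.runAsGroup }}`. `runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}` renders as an empty (null) field if the value is omitted, which Kubernetes treats as unset rather than `true`; values.yaml in this diff defaults it to `true`, so a comment such as `# must be set explicitly; an empty value is not "true"` would guard against regressions. The `postgres-init` init container gets no container-level securityContext of its own and receives `PG_UID`/`PG_GID`, which suggests `pg-prerun.sh` (not shown here) adjusts ownership; if that needs root, it should say so with an explicit securityContext and a comment, and if not, a comment stating it runs as the pod-level user would remove the guesswork.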
@@ -174,8 +260,37 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: postgres_db + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + # Hardcoded the POSTGRESQL_USER because it's mandatory env var in RH PG image + # It doesn't have access to create the DB, so YBA fails to create the perf_advisor DB. + # Need to use admin user of RH PG image (postgres) + # Changing the user name won't be possible moving forward for OpenShift certified chart + - name: POSTGRESQL_USER + value: pg-yba + # valueFrom: + # secretKeyRef: + # name: {{ .Release.Name }}-yugaware-global-config + # key: postgres_user + - name: POSTGRESQL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_password + - name: POSTGRESQL_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_password + - name: POSTGRESQL_DATABASE + valueFrom: + secretKeyRef: + name: {{ .Release.Name }}-yugaware-global-config + key: postgres_db + {{- else }} + # The RH Postgres image doesn't allow this directory to be changed. - name: PGDATA value: /var/lib/postgresql/data/pgdata + {{- end }} ports: - containerPort: 5432 name: postgres @@ -187,8 +302,17 @@ spec: volumeMounts: - name: yugaware-storage + {{- if and (.Values.ocpCompatibility.enabled) (eq .Values.image.postgres.registry "registry.redhat.io") }} + mountPath: /var/lib/pgsql/data + subPath: postgres_data_13 + {{- else }} mountPath: /var/lib/postgresql/data subPath: postgres_data_14 + {{- end }} + {{- if .Values.postgres.extraVolumeMounts -}} + {{- include "yugaware.isExtraVolumesMappingExists" .Values.postgres -}} + {{- .Values.postgres.extraVolumeMounts | toYaml | nindent 12 -}} + {{- end -}} {{ end }} - name: prometheus image: {{ include "full_image" (dict "containerName" "prometheus" "root" .) }} 
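Review bot: In the OCP branch, `POSTGRESQL_PASSWORD` and `POSTGRESQL_ADMIN_PASSWORD` both read the same `postgres_password` key, so the application role `pg-yba` and the image's `postgres` superuser share one credential, and the comment block says the superuser is what YBA actually needs. If the superuser is the intended identity, the hardcoded `pg-yba` user and the commented-out `valueFrom` block are dead weight and should be removed with a one-line comment; if a separate application role is intended, generate a distinct admin password (a second key in the global-config secret) rather than reusing the application one. In either case, commented-out YAML inside a template is better replaced by a sentence explaining the decision. The `subPath: postgres_data_13` in the second hunk also diverges from the `postgres_data_14` used by the non-OCP branch, presumably because the Red Hat image ships a different PostgreSQL major version; a comment naming that version would make the mismatch clearly intentional.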
@@ -214,6 +338,9 @@ spec: subPath: prometheus.yml - name: yugaware-storage mountPath: /prometheus/ + - mountPath: /opt/yugabyte/yugaware/data/keys/ + name: yugaware-storage + subPath: data/keys {{- if .Values.prometheus.scrapeNodes }} - name: yugaware-storage mountPath: /opt/yugabyte/prometheus/targets @@ -235,6 +362,9 @@ spec: - --web.enable-admin-api - --web.enable-lifecycle - --storage.tsdb.retention.time={{ .Values.prometheus.retentionTime }} + - --query.max-concurrency={{ .Values.prometheus.queryConcurrency }} + - --query.max-samples={{ .Values.prometheus.queryMaxSamples }} + - --query.timeout={{ .Values.prometheus.queryTimeout }} ports: - containerPort: 9090 - name: yugaware @@ -251,12 +381,18 @@ spec: resources: {{ toYaml .Values.yugaware.resources | indent 12 }} {{- end }} - - command: [ "/sbin/tini", "--"] - args: - - "bin/yugaware" - - "-Dconfig.file=/data/application.docker.conf" + args: ["bin/yugaware","-Dconfig.file=/data/application.docker.conf"] env: + # Conditionally set these env variables, if runAsUser is not 0(root) + # or 10001(yugabyte). + {{- if eq (include "checkNssWrapperExportRequired" .) "true" }} + - name: NSS_WRAPPER_GROUP + value: "/tmp/group.template" + - name: NSS_WRAPPER_PASSWD + value: "/tmp/passwd.template" + - name: LD_PRELOAD + value: "/usr/lib64/libnss_wrapper.so" + {{- end }} - name: POSTGRES_USER valueFrom: secretKeyRef: @@ -277,6 +413,7 @@ spec: secretKeyRef: name: {{ .Release.Name }}-yugaware-global-config key: app_secret + {{- with .Values.yugaware.extraEnv }}{{ toYaml . | nindent 12 }}{{ end }} ports: - containerPort: 9000 name: yugaware @@ -293,6 +430,9 @@ spec: - name: yugaware-storage mountPath: /opt/yugabyte/releases/ subPath: releases + - name: yugaware-storage + mountPath: /opt/yugabyte/ybc/releases/ + subPath: ybc_releases # old path for backward compatibility - name: yugaware-storage mountPath: /opt/releases/ 
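Review bot: The new `/opt/yugabyte/yugaware/data/keys/` mount into the `prometheus` container is read-write, and the same container runs with `--web.enable-admin-api` and `--web.enable-lifecycle` (context lines of the next hunk), so anyone who reaches the Prometheus endpoint can alter whatever YBA keeps under `data/keys`. Presumably Prometheus only needs to read TLS material for scraping, so add `readOnly: true` to that volumeMount and state its purpose in a comment, e.g. `# TLS material used to scrape universe targets; read-only`. If only a subdirectory is needed, a narrower `subPath` would further shrink what Prometheus can see.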
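Review bot: Dropping `command: ["/sbin/tini", "--"]` means `bin/yugaware` now runs under the image's ENTRYPOINT, which this diff does not show; if that entrypoint is not itself an init process, the Java process becomes PID 1 with no zombie reaping and no SIGTERM forwarding on pod termination. Either confirm it in a comment above `args:`, e.g. `# the yugaware image ENTRYPOINT is tini; no explicit command needed`, or keep the explicit command. The `LD_PRELOAD` of `libnss_wrapper.so` is gated on `checkNssWrapperExportRequired`, whose definition is outside this chunk; the inline comment should name the condition it evaluates (the text says "not 0 or 10001") so a reader can tell when the preload is active without opening the helper.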
diff --git a/charts/yugabyte/yugaware/templates/tests/test.yaml b/charts/yugabyte/yugaware/templates/tests/test.yaml new file mode 100644 index 000000000..89d02035c --- /dev/null +++ b/charts/yugabyte/yugaware/templates/tests/test.yaml @@ -0,0 +1,37 @@ +apiVersion: v1 +kind: Pod +metadata: + name: {{ .Release.Name }}-yugaware-test + labels: + app: {{ .Release.Name }}-yugaware-test + chart: {{ template "yugaware.chart" . }} + release: {{ .Release.Name }} + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: {{ .Values.image.pullSecret }} + containers: + - name: yugaware-test + image: {{ include "full_yugaware_image" . }} + command: + - '/bin/bash' + - '-ec' + - > + sleep 60s; + {{- if .Values.tls.enabled }} + - > + curl --head -k https://{{ .Release.Name }}-yugaware-ui + {{- else }} + - > + curl --head http://{{ .Release.Name }}-yugaware-ui + {{- end }} + # Hard coded resources to the test pod. + resources: + limits: + cpu: "1" + memory: "512Mi" + requests: + cpu: "0.5" + memory: "256Mi" + restartPolicy: Never diff --git a/charts/yugabyte/yugaware/tests/test_resources.yaml b/charts/yugabyte/yugaware/tests/test_resources.yaml new file mode 100644 index 000000000..cc793a585 --- /dev/null +++ b/charts/yugabyte/yugaware/tests/test_resources.yaml 
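Review bot: The test pod passes `sleep 60s;` and the `curl` line as two separate arguments to `/bin/bash -ec`, so bash executes only the first string and binds the second to `$0`; the curl never runs and the test succeeds after a 60 s sleep regardless of YBA's state. Fold both into one argument and add `--fail` so a non-2xx response also fails the test: `- 'sleep 60s; curl --head --fail {{ ternary "-k https" "http" .Values.tls.enabled }}://{{ .Release.Name }}-yugaware-ui'`. Keep a comment beside the TLS branch noting that `-k` skips certificate verification, so the test proves the UI answers but not that its certificate chains to a trusted CA.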
@@ -0,0 +1,40 @@ +suite: Resources verification +templates: +- statefulset.yaml +- configs.yaml +tests: +- it: YBA container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "yugaware")].resources.requests + +- it: Postgres container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "postgres")].resources.requests + +- it: Prometheus container + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.containers[?(@.name == "prometheus")].resources.requests + +- it: Postgres-init initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "postgres-init")].resources.requests + +- it: Prometheus-configuration initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "prometheus-configuration")].resources.requests + +- it: Postgres-upgrade initContainer + template: statefulset.yaml + asserts: + - isNotEmpty: + path: spec.template.spec.initContainers[?(@.name == "postgres-upgrade")].resources.requests diff --git a/charts/yugabyte/yugaware/values.yaml b/charts/yugabyte/yugaware/values.yaml index 0889621e9..ef7dfb6db 100644 --- a/charts/yugabyte/yugaware/values.yaml +++ b/charts/yugabyte/yugaware/values.yaml 
@@ -2,20 +2,22 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +fullnameOverride: "" +nameOverride: "" + image: commonRegistry: "" # Setting commonRegistry to say, quay.io overrides the registry settings for all images # including the yugaware image repository: quay.io/yugabyte/yugaware - tag: 2.14.15.0-b57 + tag: 2.18.6.0-b73 pullPolicy: IfNotPresent pullSecret: yugabyte-k8s-pull-secret ## Docker config JSON File name ## If set, this file content will be used to automatically create secret named as above - # pullSecretFile: - - + pullSecretFile: "" + postgres: registry: "" tag: '14.9' @@ -31,36 +33,46 @@ image: tag: v2.47.1 name: prom/prometheus + yugaware: replicas: 1 storage: 100Gi storageClass: "" storageAnnotations: {} multiTenant: false - serviceAccount: yugaware + ## Name of existing ServiceAccount. When provided, the chart won't create a ServiceAccount. + ## It will attach the required RBAC roles to it. + ## Helpful in Yugabyte Platform GKE App. + serviceAccount: '' serviceMonitor: enabled: false annotations: {} serviceAccountAnnotations: {} service: annotations: {} + clusterIP: "" enabled: true ip: "" type: "LoadBalancer" + ## whitelist source CIDRs + #loadBalancerSourceRanges: + #- 0.0.0.0/0 + #- 192.168.100.0/24 pod: annotations: {} + labels: {} health: username: "" password: "" email: "" resources: requests: - cpu: 2 + cpu: "2" memory: 4Gi enableProxyMetricsAuth: true ## List of additional alowed CORS origins in case of complex rev-proxy additionAllowedCorsOrigins: [] - proxyEndpointTimeoutMs: 1 minute + proxyEndpointTimeoutMs: 3 minute ## Enables features specific for cloud deployments cloud: enabled: false 
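Review bot: The commented example for `loadBalancerSourceRanges` lists `0.0.0.0/0` first, which is equivalent to no restriction; with `type: "LoadBalancer"` as the default the YBA UI/API is reachable from wherever the cloud load balancer is, and an example that begins with the open range invites copy-paste. Show only restrictive ranges and say what the field does: `## Restrict access to the YBA LoadBalancer to these CIDRs (default: unrestricted)` / `#loadBalancerSourceRanges:` / `#- 192.168.100.0/24`.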
@@ -71,6 +83,10 @@ yugaware: # Note that the default of 0 doesn't really make sense since a StatefulSet isn't allowed to schedule extra replicas. However it is maintained as the default while we do additional testing. This value will likely change in the future. maxUnavailable: 0 + universe_boot_script: "" + + extraEnv: [] + # In case client wants to enable the additional headers to the YBA's http response # Previously, it was possible via nginx, but given that we no longer have it, we can # expose the same as application config/runtime config. @@ -79,6 +95,10 @@ yugaware: ## Configure PostgreSQL part of the application postgres: + # DO NOT CHANGE if using OCP Certified helm chart + user: postgres + dbname: yugaware + service: ## Expose internal Postgres as a Service enabled: false @@ -91,12 +111,12 @@ postgres: resources: requests: - cpu: 0.5 + cpu: "0.5" memory: 1Gi # If external.host is set then we will connect to an external postgres database server instead of starting our own. external: - host: null + host: "" port: 5432 pass: "" dbname: postgres 
@@ -105,22 +125,65 @@ postgres: ## JDBC connection parameters including the leading `?`. jdbcParams: "" + + ## Extra volumes + ## extraVolumesMounts are mandatory for each extraVolumes. + ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volume-v1-core + ## Example: + # extraVolumes: + # - name: custom-nfs-vol + # persistentVolumeClaim: + # claimName: some-nfs-claim + extraVolumes: [] + + ## Extra volume mounts + ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#volumemount-v1-core + ## Example: + # extraVolumeMounts: + # - name: custom-nfs-vol + # mountPath: /home/yugabyte/nfs-backup + extraVolumeMounts: [] + tls: enabled: false hostname: "localhost" - certificate: "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" - key: "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" + ## Expects base 64 encoded values for certificate and key. + certificate: "" + key: "" sslProtocols: "" # if set, override default Nginx SSL protocols setting + ## cert-manager values + ## If cert-manager is enabled: + ## If genSelfsigned: true: + ## Create a self-signed issuer/clusterIssuer + ## Generate a rootCA using the above issuer. 
+ ## Generate a tls certificate with secret name as: {{ .Release.Name }}-yugaware-tls-cert + ## Else if genSelfsigned: false: + ## Expect a clusterIssuer/issuer to be provided by user + ## Generate a tls cert based on above issuer with secret name as: {{ .Release.Name }}-yugaware-tls-cert + certManager: + enabled: false + genSelfsigned: true + useClusterIssuer: false + clusterIssuer: cluster-ca + issuer: yugaware-ca + ## Configuration for the TLS certificate requested from Issuer/ClusterIssuer + configuration: + duration: 8760h # 90d + renewBefore: 240h # 15d + algorithm: RSA # ECDSA or RSA + # Can be 2048, 4096 or 8192 for RSA + # Or 256, 384 or 521 for ECDSA + keySize: 2048 ## yugaware pod Security Context ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: - enabled: false + enabled: true ## fsGroup related values are set at the pod level. fsGroup: 10001 fsGroupChangePolicy: "OnRootMismatch" - ## The following values are set for yugaware and prometheus containers. - ## Setting runAsUser other than 10001 will fail the VM universe deployment flow. + ## Expected to have runAsUser values != 0 when + ## runAsNonRoot is set to true, otherwise container creation fails. runAsUser: 10001 runAsGroup: 10001 runAsNonRoot: true 
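Review bot: The inline comments on the new cert-manager defaults are wrong: `duration: 8760h # 90d` is 365 days and `renewBefore: 240h # 15d` is 10 days, so anyone tuning rotation from the comments will get a very different certificate lifetime than they expect. Either correct the comments (`8760h # 365d`, `240h # 10d`) or change the values to match the stated intent (`2160h # 90d`, `360h # 15d`); the shorter lifetime is the safer default for a self-signed management-UI certificate. `securityContext.enabled` also flips from `false` to `true`, which changes the pod's UID/GID on upgrade for existing installs and should be called out in the comment above it. This hunk starts on the previous line.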
@@ -150,15 +213,66 @@ ocpCompatibility: # Extra containers to add to the pod. sidecars: [] +## Following two controls for placement of pod - nodeSelector and AZ affinity. +## Note: Remember to also provide a yugaware.StorageClass that has a olumeBindingMode of +## WaitForFirstConsumer so that the PVC is created in the right topology visible to this pod. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector +## eg. +## nodeSelector: +## topology.kubernetes.io/region: us-west1 +nodeSelector: {} + +## Affinity to a particular zone for the pod. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity +## eg. +## nodeAffinity: +## requiredDuringSchedulingIgnoredDuringExecution: +## nodeSelectorTerms: +## - matchExpressions: +## - key: failure-domain.beta.kubernetes.io/zone +## operator: In +## values: +## - us-west1-a +## - us-west1-b +zoneAffinity: {} + +## The tolerations that the pod should have. +## See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ +tolerations: [] + +## @param dnsPolicy DNS Policy for pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsPolicy: ClusterFirst +dnsPolicy: "" +## @param dnsConfig DNS Configuration pod +## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/ +## E.g. +## dnsConfig: +## options: +## - name: ndots +## value: "4" +dnsConfig: {} + ## Don't want prometheus to scrape nodes and evaluate alert rules in some cases (for example - cloud). prometheus: + ## Setting this to false will disable scraping of TServer and Master + ## nodes (could be pods or VMs) scrapeNodes: true evaluateAlertRules: true retentionTime: 15d + queryConcurrency: 20 + queryMaxSamples: 5000000 + queryTimeout: 30s + ## Set this to false to disable scraping of Kubernetes worker + ## nodes. 
Setting this to false will results in blank graphs of + ## resource utilization for Kubernetes universes. Useful for + ## scenarios where only VM based universes are being created. + scrapeKubernetesNodes: true resources: requests: - cpu: 2 + cpu: "2" memory: 4Gi ## Prometheus remote write config, as described here: @@ -179,8 +293,10 @@ prometheus: # Arbitrary key=value config entries for application.docker.conf additionalAppConf: - stringConf: - nonStringConf: + stringConf: {} + nonStringConf: {} + +jdbcParams: "" ## Override the APIVersion used by policy group for ## PodDisruptionBudget resources. The chart selects the correct @@ -188,3 +304,25 @@ additionalAppConf: ## to modify this unless you are using helm template command i.e. GKE ## app's deployer image against a Kubernetes cluster >= 1.21. # pdbPolicyVersionOverride: "v1beta1" +pdbPolicyVersionOverride: "" + +initContainers: + prometheusConfiguration: + resources: + ## https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#resource-requests-and-limits-of-pod-and-container + ## Use the above link to learn more about Kubernetes resources configuration. + requests: + cpu: "0.25" + memory: 500Mi + + postgresUpgrade: + resources: + requests: + cpu: "0.5" + memory: 500Mi + + postgresInit: + resources: + requests: + cpu: "0.25" + memory: 500Mi diff --git a/index.yaml b/index.yaml index 7ca9dc514..4d8f4105a 100644 --- a/index.yaml +++ b/index.yaml 
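Review bot: The `zoneAffinity` comment shows a full `nodeAffinity` tree as the example, but the statefulset template in this diff splices the value directly under `values:` of a zone `matchExpressions`, so as far as the template shows the value must be a plain list of zone names (e.g. `zoneAffinity: [us-west1-a, us-west1-b]`) and the documented shape would be rejected by the API. Replace the example with the list form and note that the two terms (`failure-domain.beta.kubernetes.io/zone` and `topology.kubernetes.io/zone`) are alternatives, not both required. Also fix the typos `a olumeBindingMode` → `a volumeBindingMode` and `will results in` → `will result in`. This hunk starts on the previous line.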
@@ -80,6 +80,63 @@ entries: - assets/datawiza/access-broker-0.1.1.tgz version: 0.1.1 airflow: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Airflow + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: airflow + category: WorkFlow + images: | + - name: airflow-exporter + image: docker.io/bitnami/airflow-exporter:0.20220314.0-debian-11-r448 + - name: airflow-scheduler + image: docker.io/bitnami/airflow-scheduler:2.8.1-debian-11-r4 + - name: airflow-worker + image: docker.io/bitnami/airflow-worker:2.8.1-debian-11-r4 + - name: airflow + image: docker.io/bitnami/airflow:2.8.1-debian-11-r4 + - name: git + image: docker.io/bitnami/git:2.43.0-debian-11-r9 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 2.8.1 + created: "2024-02-09T14:31:09.856191433Z" + dependencies: + - condition: redis.enabled + name: redis + repository: file://./charts/redis + version: 18.x.x + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 13.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Airflow is a tool to express and execute workflows as directed + acyclic graphs (DAGs). It includes utilities to schedule tasks, monitor task + progress and handle task dependencies. + digest: b5c46cc38d883ca225ae74247556a976eeb643c62757829c12c9eeda197799c9 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/airflow-1.svg + keywords: + - apache + - airflow + - workflow + - dag + maintainers: + - name: VMware, Inc. 
+ url: https://github.com/bitnami/charts + name: airflow + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/airflow + urls: + - assets/bitnami/airflow-16.5.5.tgz + version: 16.5.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Airflow @@ -2509,6 +2566,38 @@ entries: - assets/bitnami/airflow-13.1.7.tgz version: 13.1.7 amd-gpu: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: AMD GPU Device Plugin + catalog.cattle.io/kube-version: '>= 1.18.0-0' + catalog.cattle.io/release-name: amd-gpu + apiVersion: v2 + appVersion: 1.25.2.7 + created: "2024-02-09T14:30:39.232685861Z" + dependencies: + - condition: nfd.enabled + name: node-feature-discovery + repository: file://./charts/node-feature-discovery + version: '>= 0.8.1-0' + description: A Helm chart for deploying Kubernetes AMD GPU device plugin + digest: 589af86bce648c0227954c8790a5e04b14308a83ed9d69e5a8a5bd748acde06e + home: https://github.com/ROCm/k8s-device-plugin + icon: https://raw.githubusercontent.com/ROCm/k8s-device-plugin/master/helm/logo.png + keywords: + - kubernetes + - cluster + - hardware + - gpu + kubeVersion: '>= 1.18.0-0' + maintainers: + - name: Kenny Ho + name: amd-gpu + sources: + - https://github.com/ROCm/k8s-device-plugin + type: application + urls: + - assets/amd/amd-gpu-0.12.0.tgz + version: 0.12.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: AMD GPU Device Plugin @@ -2609,7 +2698,7 @@ entries: - annotations: artifacthub.io/changes: | - kind: changed - description: Updated documented default value for application.instanceLabelKey. + description: Improved documentation for various ingress setups artifacthub.io/signKey: | fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 url: https://argoproj.github.io/argo-helm/pgp_keys.asc 
@@ -2619,8 +2708,8 @@ entries: catalog.cattle.io/kube-version: '>=1.23.0-0' catalog.cattle.io/release-name: argo-cd apiVersion: v2 - appVersion: v2.9.5 - created: "2024-01-23T16:21:03.497014854Z" + appVersion: v2.10.0 + created: "2024-02-09T14:31:08.682483776Z" dependencies: - condition: redis-ha.enabled name: redis-ha 
@@ -2628,7 +2717,46 @@ entries: version: 4.23.0 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. - digest: 8095830a4888f1dca991082de6327a722eb2b7ca99ffa61c1a2faf57bd91a368 + digest: 185bca83d12a9a6245b766dbc71cb341c93daae8b5e1fc6a031f26b7e629e5c4 + home: https://github.com/argoproj/argo-helm + icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png + keywords: + - argoproj + - argocd + - gitops + kubeVersion: '>=1.23.0-0' + maintainers: + - name: argoproj + url: https://argoproj.github.io/ + name: argo-cd + sources: + - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd + - https://github.com/argoproj/argo-cd + urls: + - assets/argo/argo-cd-6.0.5.tgz + version: 6.0.5 + - annotations: + artifacthub.io/changes: | + - kind: changed + description: Updated documented default value for application.instanceLabelKey. + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Argo CD + catalog.cattle.io/kube-version: '>=1.23.0-0' + catalog.cattle.io/release-name: argo-cd + apiVersion: v2 + appVersion: v2.9.5 + created: "2024-02-09T14:30:40.04247417Z" + dependencies: + - condition: redis-ha.enabled + name: redis-ha + repository: file://./charts/redis-ha + version: 4.23.0 + description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery + tool for Kubernetes. + digest: 63026ee221cd3778ba74c794094f543a12df2d2b74988593d3307717e99c602f home: https://github.com/argoproj/argo-helm icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png keywords: 
@@ -6171,6 +6299,39 @@ entries: - assets/argo/argo-cd-5.8.0.tgz version: 5.8.0 artifactory-ha: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Artifactory HA + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-ha + apiVersion: v2 + appVersion: 7.77.5 + created: "2024-02-09T14:31:14.467956316Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 10.3.18 + description: Universal Repository Manager supporting all major packaging formats, + build tools and CI servers. + digest: eb29e5dd197f2c9d8c0e3121e4da70b23bb5e5458b5c35fcc141dc664cbacf50 + home: https://www.jfrog.com/artifactory/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-ha/logo/artifactory-logo.png + keywords: + - artifactory + - jfrog + - devops + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: installers@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-ha + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-ha-107.77.5.tgz + version: 107.77.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Artifactory HA 
@@ -7650,6 +7811,40 @@ entries: - assets/jfrog/artifactory-ha-3.0.1400.tgz version: 3.0.1400 artifactory-jcr: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: JFrog Container Registry + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: artifactory-jcr + apiVersion: v2 + appVersion: 7.77.5 + created: "2024-02-09T14:31:14.832172511Z" + dependencies: + - name: artifactory + repository: file://./charts/artifactory + version: 107.77.5 + description: JFrog Container Registry + digest: 912936ae13d65083b5f0a4d9998449b78fe6c8812cbca1984fdb495f334723e4 + home: https://jfrog.com/container-registry/ + icon: https://raw.githubusercontent.com/jfrog/charts/ea5c3112c24a973f64f3ccd99747323db292a369/stable/artifactory-jcr/logo/jcr-logo.png + keywords: + - artifactory + - jfrog + - container + - registry + - devops + - jfrog-container-registry + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: helm@jfrog.com + name: Chart Maintainers at JFrog + name: artifactory-jcr + sources: + - https://github.com/jfrog/charts + type: application + urls: + - assets/jfrog/artifactory-jcr-107.77.5.tgz + version: 107.77.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: JFrog Container Registry 
@@ -11719,6 +11914,48 @@ entries: - assets/asserts/asserts-1.6.0.tgz version: 1.6.0 cassandra: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Cassandra + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: cassandra + category: Database + images: | + - name: cassandra-exporter + image: docker.io/bitnami/cassandra-exporter:2.3.8-debian-11-r436 + - name: cassandra + image: docker.io/bitnami/cassandra:4.1.3-debian-11-r85 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 4.1.3 + created: "2024-02-09T14:31:09.931559258Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Cassandra is an open source distributed database management + system designed to handle large amounts of data across many servers, providing + high availability with no single point of failure. + digest: 08d04a4e0af87e29ec2e4d0660ac4c116c7de4aad7f811d9b2ba1fc629996648 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/cassandra-4.svg + keywords: + - cassandra + - database + - nosql + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: cassandra + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/cassandra + urls: + - assets/bitnami/cassandra-10.9.0.tgz + version: 10.9.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Cassandra 
@@ -13093,6 +13330,40 @@ entries: - assets/bitnami/cassandra-9.7.3.tgz version: 9.7.3 cert-manager: + - annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E + url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: cert-manager + catalog.cattle.io/kube-version: '>= 1.22.0-0' + catalog.cattle.io/namespace: cert-manager + catalog.cattle.io/release-name: cert-manager + apiVersion: v1 + appVersion: v1.14.2 + created: "2024-02-09T14:31:12.389004266Z" + description: A Helm chart for cert-manager + digest: b75a618d24c0472cdeffdf5ed57033bf6d9c3aec6b2e02dee1aeab60fca2282b + home: https://github.com/cert-manager/cert-manager + icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png + keywords: + - cert-manager + - kube-lego + - letsencrypt + - tls + kubeVersion: '>= 1.22.0-0' + maintainers: + - email: cert-manager-maintainers@googlegroups.com + name: cert-manager-maintainers + url: https://cert-manager.io + name: cert-manager + sources: + - https://github.com/cert-manager/cert-manager + urls: + - assets/cert-manager/cert-manager-v1.14.2.tgz + version: v1.14.2 - annotations: artifacthub.io/license: Apache-2.0 artifacthub.io/prerelease: "false" 
@@ -14738,6 +15009,27 @@ entries: - assets/cloudcasa/cloudcasa-0.1.000.tgz version: 0.1.000 cockroachdb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CockroachDB + catalog.cattle.io/kube-version: '>=1.8-0' + catalog.cattle.io/release-name: cockroachdb + apiVersion: v1 + appVersion: 23.2.0 + created: "2024-02-09T14:31:12.506752473Z" + description: CockroachDB is a scalable, survivable, strongly-consistent SQL database. + digest: 8f4f8e3f71bd57ffda8a167885e6ae44f0f87a118b873af16380db1b8b9facac + home: https://www.cockroachlabs.com + icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png + maintainers: + - email: helm-charts@cockroachlabs.com + name: cockroachlabs + name: cockroachdb + sources: + - https://github.com/cockroachdb/cockroach + urls: + - assets/cockroach-labs/cockroachdb-12.0.0.tgz + version: 12.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CockroachDB 
@@ -15972,6 +16264,47 @@ entries: - assets/confluent/confluent-for-kubernetes-0.174.2101.tgz version: 0.174.2101 consul: + - annotations: + artifacthub.io/images: | + - name: consul + image: hashicorp/consul:1.17.2 + - name: consul-k8s-control-plane + image: hashicorp/consul-k8s-control-plane:1.3.2 + - name: consul-dataplane + image: hashicorp/consul-dataplane:1.3.2 + - name: envoy + image: envoyproxy/envoy:v1.25.11 + artifacthub.io/license: MPL-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://www.consul.io/docs/k8s + - name: hashicorp/consul + url: https://github.com/hashicorp/consul + - name: hashicorp/consul-k8s + url: https://github.com/hashicorp/consul-k8s + artifacthub.io/prerelease: "false" + artifacthub.io/signKey: | + fingerprint: C874011F0AB405110D02105534365D9472D7468F + url: https://keybase.io/hashicorp/pgp_keys.asc + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Hashicorp Consul + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: consul + apiVersion: v2 + appVersion: 1.17.2 + created: "2024-02-09T14:31:13.872190112Z" + description: Official HashiCorp Consul Chart + digest: 0d4b36076dbc0baf4ab7c6520688e35a618f647b412f5b5a3a7f47d7b52d1c09 + home: https://www.consul.io + icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png + kubeVersion: '>=1.22.0-0' + name: consul + sources: + - https://github.com/hashicorp/consul + - https://github.com/hashicorp/consul-k8s + urls: + - assets/hashicorp/consul-1.3.2.tgz + version: 1.3.2 - annotations: artifacthub.io/images: | - name: consul 
@@ -16684,8 +17017,26 @@ entries: catalog.cattle.io/featured: "1" catalog.cattle.io/release-name: cost-analyzer apiVersion: v2 + appVersion: 2.0.2 + created: "2024-02-09T14:31:36.181461841Z" + description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor + cloud costs. + digest: ed363aae17afbde55bace477a1828d21c971127c99d0cd567ed65673f8ea0edc + icon: https://partner-charts.rancher.io/assets/logos/kubecost.png + name: cost-analyzer + urls: + - assets/kubecost/cost-analyzer-2.0.2.tgz + version: 2.0.2 + - annotations: + artifacthub.io/links: | + - name: Homepage + url: https://www.kubecost.com + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kubecost + catalog.cattle.io/release-name: cost-analyzer + apiVersion: v2 appVersion: 1.108.1 - created: "2024-01-12T17:06:51.840530718Z" + created: "2024-02-09T14:31:15.903350788Z" dependencies: - condition: global.grafana.enabled name: grafana @@ -16701,7 +17052,7 @@ entries: version: ~0.29.0 description: A Helm chart that sets up Kubecost, Prometheus, and Grafana to monitor cloud costs. - digest: 2f5ded432818ec345f1ac834df454611ae49b64dc9dec5d856be76b71f508d34 + digest: 95ada1e956075b8e401e954bb0dd5cc92149bb532d6fa1fbc2e653a6b862ecaa icon: https://partner-charts.rancher.io/assets/logos/kubecost.png name: cost-analyzer urls: 
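Review bot: The second hunk rewrites the digest of the already-published cost-analyzer `1.108.1` entry (`2f5ded…` → `95ada1…`) and its `created` timestamp while `version: 1.108.1` stays the same, so a different tarball is being served under an existing chart version. Helm repositories are expected to be immutable per version; consumers and mirrors that cached or digest-pinned 1.108.1 will now either fail verification or silently pull different content, and the change is invisible to anyone who only compares version strings. If the re-package is intentional it should go out under a new version (this index already uses suffixed versions such as `6.5.401` for repackaged upstream charts), otherwise the commit message should state why the 1.108.1 artifact was regenerated in place. Separately, the new `2.0.2` entry at the top of the first hunk inherits the `catalog.cattle.io/featured: "1"` context annotations but carries no `dependencies:` list, unlike 1.108.1; that looks like an upstream chart change rather than an indexing error, but it is worth confirming before the featured flag moves to it.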
@@ -17671,6 +18022,28 @@ entries: - assets/kubecost/cost-analyzer-1.70.000.tgz version: 1.70.000 crate-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrateDB Operator + catalog.cattle.io/release-name: crate-operator + apiVersion: v2 + appVersion: 2.34.1 + created: "2024-02-09T14:31:12.657753402Z" + dependencies: + - condition: crate-operator-crds.enabled + name: crate-operator-crds + repository: file://./charts/crate-operator-crds + version: 2.34.1 + description: Crate Operator - Helm chart for installing and upgrading Crate Operator. + digest: f772071d314c379bba917a3259031271a0a8053362b93121c8cd58c30f1c7087 + icon: https://raw.githubusercontent.com/crate/crate/master/docs/_static/crate-logo.svg + maintainers: + - name: Crate.io + name: crate-operator + type: application + urls: + - assets/crate/crate-operator-2.34.1.tgz + version: 2.34.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrateDB Operator 
@@ -18112,6 +18485,32 @@ entries: - assets/crate/crate-operator-2.16.0.tgz version: 2.16.0 csi-isilon: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerScale + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/release-name: isilon + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-02-09T14:31:13.291031779Z" + description: 'PowerScale CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as an Isilon + StorageClass. ' + digest: 53af8b38e05a03aab45e4c580df3d2110db781087a245977e807e9327227ba32 + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-isilon + sources: + - https://github.com/dell/csi-isilon + type: application + urls: + - assets/dell/csi-isilon-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerScale 
@@ -18189,6 +18588,38 @@ entries: - assets/dell/csi-isilon-2.6.1.tgz version: 2.6.1 csi-powermax: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerMax + catalog.cattle.io/kube-version: '>= 1.23.0 < 1.29.0' + catalog.cattle.io/release-name: csi-powermax + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-02-09T14:31:13.299371115Z" + dependencies: + - condition: required + name: csireverseproxy + repository: file://./charts/csireverseproxy + version: 2.8.1 + description: 'PowerMax CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerMax + StorageClass. ' + digest: a6bbd30f8688cf92237d0e5c15708c04276c1e22aa7f77e8e14179975828c1ee + home: https://github.com/dell/csi-powermax + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.23.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-powermax + sources: + - https://github.com/dell/csi-powermax + type: application + urls: + - assets/dell/csi-powermax-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerMax 
@@ -18317,6 +18748,33 @@ entries: - assets/dell/csi-powermax-2.6.0.tgz version: 2.6.0 csi-powerstore: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerStore + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/release-name: powerstore + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-02-09T14:31:13.304179769Z" + description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a PowerStore + StorageClass. ' + digest: 93d4d23a02d82c410f48e9d81d80a6a1e73685f123a55dc171931500b8ac0809 + home: https://github.com/dell/csi-powerstore + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-powerstore + sources: + - https://github.com/dell/csi-powerstore + type: application + urls: + - assets/dell/csi-powerstore-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerStore 
@@ -18475,6 +18933,32 @@ entries: - assets/dell/csi-powerstore-2.4.0.tgz version: 2.4.0 csi-unity: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI Unity + catalog.cattle.io/kube-version: '>= 1.24.0 < 1.29.0' + catalog.cattle.io/release-name: unity + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-02-09T14:31:13.307555508Z" + description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a Unity + XT StorageClass. ' + digest: b2d7994312382a0bb2253e564a9c09d3314652f6fad0db8cd83b3025690d65cb + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.24.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-unity + sources: + - https://github.com/dell/csi-unity + type: application + urls: + - assets/dell/csi-unity-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI Unity 
@@ -18604,6 +19088,32 @@ entries: - assets/dell/csi-unity-2.4.0.tgz version: 2.4.0 csi-vxflexos: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Dell CSI PowerFlex + catalog.cattle.io/kube-version: '>= 1.21.0 < 1.29.0' + catalog.cattle.io/namespace: vxflexos + catalog.cattle.io/release-name: vxflexos + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-02-09T14:31:13.312875396Z" + description: 'VxFlex OS CSI (Container Storage Interface) driver Kubernetes integration. + This chart includes everything required to provision via CSI as well as a VxFlex + OS StorageClass. ' + digest: abea54b84504254bcb9441b4da3b11e5123ad4de2caf111f657309f5bc88030a + icon: https://partner-charts.rancher.io/assets/logos/dell.png + keywords: + - csi + - storage + kubeVersion: '>= 1.21.0 < 1.29.0' + maintainers: + - name: DellEMC + name: csi-vxflexos + sources: + - https://github.com/dell/csi-vxflexos + urls: + - assets/dell/csi-vxflexos-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Dell CSI PowerFlex 
@@ -19252,6 +19762,43 @@ entries: - assets/weka/csi-wekafsplugin-0.6.400.tgz version: 0.6.400 datadog: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Datadog + catalog.cattle.io/kube-version: '>=1.10-0' + catalog.cattle.io/release-name: datadog + apiVersion: v1 + appVersion: "7" + created: "2024-02-09T14:31:13.19784614Z" + dependencies: + - condition: clusterAgent.metricsProvider.useDatadogMetrics + name: datadog-crds + repository: https://helm.datadoghq.com + tags: + - install-crds + version: 1.0.1 + - condition: datadog.kubeStateMetricsEnabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 2.13.2 + description: Datadog Agent + digest: a549e5c2a0b53d7af07a8b3d61d918b5a4a57e0e9e774ec75cd98b8bbbd980eb + home: https://www.datadoghq.com + icon: https://datadog-live.imgix.net/img/dd_logo_70x75.png + keywords: + - monitoring + - alerting + - metric + maintainers: + - email: support@datadoghq.com + name: Datadog + name: datadog + sources: + - https://app.datadoghq.com/account/settings#agent/kubernetes + - https://github.com/DataDog/datadog-agent + urls: + - assets/datadog/datadog-3.53.3.tgz + version: 3.53.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Datadog 
@@ -22927,6 +23474,29 @@ entries: - assets/datadog/datadog-operator-0.8.8.tgz version: 0.8.8 dxemssql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: DxEnterprise for Microsoft SQL AG + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/release-name: dxemssql + charts.openshift.io/name: DxEnterprise for Microsoft SQL AG + apiVersion: v2 + appVersion: "23.0" + created: "2024-02-09T14:31:13.314639958Z" + description: Helm chart for DH2i's DxEnterprise clustering solution with SQL Server + availability groups + digest: 1c237f2131565aaa78636e51361f9e4f44ac3f2ad1820e45e4eff427f82f4fb2 + icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png + kubeVersion: '>= 1.20.0-0' + maintainers: + - email: support@dh2i.com + name: DH2i Company + url: https://dh2i.com + name: dxemssql + type: application + urls: + - assets/dh2i/dxemssql-1.0.5.tgz + version: 1.0.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: DxEnterprise for Microsoft SQL AG 
@@ -23631,6 +24201,30 @@ entries: - assets/elastic/elasticsearch-7.17.3.tgz version: 7.17.3 external-secrets: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: External Secrets Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: external-secrets + apiVersion: v2 + appVersion: v0.9.12 + created: "2024-02-09T14:31:13.406319855Z" + description: External secret management for Kubernetes + digest: 053be5a7748614fa0cbdadc37772799af693b4648d115f3a2e25e576f4ee3fde + home: https://github.com/external-secrets/external-secrets + icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png + keywords: + - kubernetes-external-secrets + - secrets + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: kellinmcavoy@gmail.com + name: mcavoyk + name: external-secrets + type: application + urls: + - assets/external-secrets/external-secrets-0.9.12.tgz + version: 0.9.12 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: External Secrets Operator 
@@ -24442,6 +25036,38 @@ entries: - assets/f5/f5-bigip-ctlr-0.0.1901.tgz version: 0.0.1901 falcon-sensor: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: CrowdStrike Falcon Platform + catalog.cattle.io/kube-version: '>1.22.0-0' + catalog.cattle.io/release-name: falcon-sensor + apiVersion: v2 + appVersion: 1.25.2 + created: "2024-02-09T14:31:12.675401516Z" + description: A Helm chart to deploy CrowdStrike Falcon sensors into Kubernetes + clusters. + digest: 944637e5175dfc49b3871be0500812543fdad536d3012ec03fb3760fb51f7bb0 + home: https://crowdstrike.com + icon: https://raw.githubusercontent.com/CrowdStrike/falcon-helm/main/images/crowdstrike-logo.svg + keywords: + - CrowdStrike + - Falcon + - EDR + - kubernetes + - security + - monitoring + - alerting + kubeVersion: '>1.22.0-0' + maintainers: + - email: integrations@crowdstrike.com + name: CrowdStrike Solutions Architecture + name: falcon-sensor + sources: + - https://github.com/CrowdStrike/falcon-helm + type: application + urls: + - assets/crowdstrike/falcon-sensor-1.25.2.tgz + version: 1.25.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: CrowdStrike Falcon Platform 
@@ -30367,6 +30993,62 @@ entries: - assets/jaeger/jaeger-operator-2.36.0.tgz version: 2.36.0 jenkins: + - annotations: + artifacthub.io/category: integration-delivery + artifacthub.io/changes: | + - Update `docker.io/kiwigrid/k8s-sidecar` to version `docker.io/kiwigrid/k8s-sidecar` + artifacthub.io/images: | + - name: jenkins + image: docker.io/jenkins/jenkins:2.426.3-jdk17 + - name: k8s-sidecar + image: docker.io/kiwigrid/k8s-sidecar:1.25.4 + - name: inbound-agent + image: jenkins/inbound-agent:3206.vb_15dcf73f6a_9-3 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/jenkinsci/helm-charts/tree/main/charts/jenkins + - name: Jenkins + url: https://www.jenkins.io/ + - name: support + url: https://github.com/jenkinsci/helm-charts/issues + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Jenkins + catalog.cattle.io/kube-version: '>=1.14-0' + catalog.cattle.io/release-name: jenkins + apiVersion: v2 + appVersion: 2.426.3 + created: "2024-02-09T14:31:14.137662786Z" + description: Jenkins - Build great things at any scale! The leading open source + automation server, Jenkins provides over 1800 plugins to support building, deploying + and automating any project. 
+ digest: 1683bd62091a639558c2da27c60112c825cb7abfc241c661cefccbabcd73bc2e + home: https://jenkins.io/ + icon: https://get.jenkins.io/art/jenkins-logo/logo.svg + keywords: + - jenkins + - ci + - devops + maintainers: + - email: maor.friedman@redhat.com + name: maorfr + - email: mail@torstenwalter.de + name: torstenwalter + - email: garridomota@gmail.com + name: mogaal + - email: wmcdona89@gmail.com + name: wmcdona89 + - email: timjacomb1@gmail.com + name: timja + name: jenkins + sources: + - https://github.com/jenkinsci/jenkins + - https://github.com/jenkinsci/docker-inbound-agent + - https://github.com/maorfr/kube-tasks + - https://github.com/jenkinsci/configuration-as-code-plugin + urls: + - assets/jenkins/jenkins-5.0.13.tgz + version: 5.0.13 - annotations: artifacthub.io/category: integration-delivery artifacthub.io/changes: | 
@@ -33622,6 +34304,62 @@ entries: - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz version: v2.0.200 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.4 + created: "2024-02-09T14:31:15.342822958Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.1.0 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.8.0 + description: Kasten’s K10 Data Management Platform + digest: f28091df3e1c37e137a1eb13c5e7755ae5f172d13886dd90eb3746307aba9277 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.401.tgz + version: 6.5.401 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 6.5.3 + created: "2024-02-09T14:31:15.331172466Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: file://./charts/grafana + version: 7.1.0 + - condition: prometheus.server.enabled + name: prometheus + repository: file://./charts/prometheus + version: 25.8.0 + description: Kasten’s K10 Data Management Platform + digest: 98e069fa48ff5a90ed2856476afd9206f37233aa4b320cbcaaaa14796d838615 + home: https://kasten.io/ + icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-6.5.301.tgz + version: 6.5.301 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 
@@ -34619,6 +35357,58 @@ entries: - assets/kasten/k10-4.5.900.tgz version: 4.5.900 kafka: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Kafka + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: kafka + category: Infrastructure + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 + - name: kafka-exporter + image: docker.io/bitnami/kafka-exporter:1.7.0-debian-11-r140 + - name: kafka + image: docker.io/bitnami/kafka:3.6.1-debian-11-r6 + - name: kubectl + image: docker.io/bitnami/kubectl:1.29.1-debian-11-r3 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.6.1 + created: "2024-02-09T14:31:10.419201787Z" + dependencies: + - condition: zookeeper.enabled + name: zookeeper + repository: file://./charts/zookeeper + version: 12.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Kafka is a distributed streaming platform designed to build + real-time pipelines and can be used as a message broker or as a replacement + for a log aggregation solution for big data applications. + digest: f21cada330f5547c62820dfb50b58100f6bf2c1109327b5575567e0650d57468 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/kafka.svg + keywords: + - kafka + - zookeeper + - streaming + - producer + - consumer + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: kafka + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/kafka + urls: + - assets/bitnami/kafka-26.8.5.tgz + version: 26.8.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Kafka 
@@ -37704,6 +38494,33 @@ entries: - assets/bitnami/kafka-19.0.1.tgz version: 19.0.1 kamaji: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kamaji + catalog.cattle.io/kube-version: '>=1.21.0-0' + catalog.cattle.io/release-name: kamaji + apiVersion: v2 + appVersion: v0.4.1 + created: "2024-02-09T14:31:12.452573574Z" + description: Kamaji is a Kubernetes Control Plane Manager. + digest: edd7a1f071323baa8ba0cec39f209b192c1452b55dd3e2f98d62b8750a1e4a2b + home: https://github.com/clastix/kamaji + icon: https://github.com/clastix/kamaji/raw/master/assets/logo-colored.png + kubeVersion: '>=1.21.0-0' + maintainers: + - email: dario@tranchitella.eu + name: Dario Tranchitella + - email: me@maxgio.it + name: Massimiliano Giovagnoli + - email: me@bsctl.io + name: Adriano Pezzuto + name: kamaji + sources: + - https://github.com/clastix/kamaji + type: application + urls: + - assets/clastix/kamaji-0.14.1.tgz + version: 0.14.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kamaji 
@@ -38328,6 +39145,31 @@ entries: - assets/elastic/kibana-7.17.3.tgz version: 7.17.3 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.5" + created: "2024-02-09T14:31:15.595528005Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: 0def00f6ae7c6d73b3eb2330b8da75c791e4c38e5ac90e30b127517853168b87 + home: https://konghq.com/ + icon: https://s3.amazonaws.com/downloads.kong/universe/assets/icon-kong-inc-large.png + maintainers: + - email: team-k8s@konghq.com + name: team-k8s-bot + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.35.1.tgz + version: 2.35.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway @@ -40312,6 +41154,33 @@ entries: - assets/avesha/kubeslice-worker-0.4.5.tgz version: 0.4.5 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.6.0 + created: "2024-02-09T14:31:36.24068617Z" + description: A Helm chart for the Kuma Control Plane + digest: 87e8cfba2d9e108bd5ebd700a8e96748206879f2d9eb793707065f91205d9a95 + home: https://github.com/kumahq/kuma + icon: https://kuma.io/assets/images/brand/kuma-logo-new.svg + keywords: + - service mesh + - control plane + maintainers: + - email: austin.cawley@gmail.com + name: austince + - email: jakub.dyszkiewicz@konghq.com + name: jakubdyszkiewicz + - email: nikolay.nikolaev@konghq.com + name: nickolaev + name: kuma + type: application + urls: + - assets/kuma/kuma-2.6.0.tgz + version: 2.6.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma 
@@ -41166,6 +42035,41 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 loft: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Loft + catalog.cattle.io/kube-version: '>=1.22-0' + catalog.cattle.io/release-name: loft + apiVersion: v2 + created: "2024-02-09T14:31:36.267068294Z" + description: Secure Cluster Sharing, Self-Service Namespace Provisioning and Virtual + Clusters + digest: fd24e7fd3127542b5f84c5435eda2c341568b36e298e849e8e30b3cfdeee145b + home: https://loft.sh + icon: https://static.loft.sh/loft/logo/loft-logo.svg + keywords: + - developer + - development + - sharing + - share + - multi-tenancy + - tenancy + - cluster + - space + - namespace + - vcluster + - vclusters + maintainers: + - email: info@loft.sh + name: Loft Labs, Inc. + url: https://twitter.com/loft_sh + name: loft + sources: + - https://github.com/loft-sh/loft + type: application + urls: + - assets/loft/loft-3.3.4.tgz + version: 3.3.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Loft 
@@ -41770,6 +42674,50 @@ entries: - assets/elastic/logstash-7.17.3.tgz version: 7.17.3 mariadb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MariaDB + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mariadb + category: Database + images: | + - name: mariadb + image: docker.io/bitnami/mariadb:11.2.3-debian-11-r0 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r6 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 11.2.3 + created: "2024-02-09T14:31:10.560899978Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MariaDB is an open source, community-developed SQL database server + that is widely in use around the world due to its enterprise features, flexibility, + and collaboration with leading tech firms. + digest: d8c9b5d2273147416f74357fd48c1a7bf74edec9d079834ae3a5333924620e1f + home: https://bitnami.com + icon: https://mariadb.com/wp-content/uploads/2019/11/mariadb-logo-vert_black-transparent.png + keywords: + - mariadb + - mysql + - database + - sql + - prometheus + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mariadb + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mariadb + urls: + - assets/bitnami/mariadb-16.0.1.tgz + version: 16.0.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MariaDB 
@@ -43628,6 +44576,37 @@ entries: - assets/bitnami/mariadb-11.3.3.tgz version: 11.3.3 metallb: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MetalLB + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/namespace: metallb-system + catalog.cattle.io/release-name: metallb + apiVersion: v2 + appVersion: v0.14.3 + created: "2024-02-09T14:31:36.279713775Z" + dependencies: + - condition: crds.enabled + name: crds + repository: file://./charts/crds + version: 0.14.3 + - condition: frrk8s.enabled + name: frr-k8s + repository: file://./charts/frr-k8s + version: 0.0.8 + description: A network load-balancer implementation for Kubernetes using standard + routing protocols + digest: 201260d67c0960dddaa35572e5fbb2a774354013596ecf6f525016d216d9e487 + home: https://metallb.universe.tf + icon: https://metallb.universe.tf/images/logo/metallb-blue.png + kubeVersion: '>= 1.19.0-0' + name: metallb + sources: + - https://github.com/metallb/metallb + type: application + urls: + - assets/metallb/metallb-0.14.3.tgz + version: 0.14.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MetalLB 
@@ -43762,6 +44741,32 @@ entries: - assets/metallb/metallb-0.13.7.tgz version: 0.13.7 minio-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Minio Operator + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: minio-operator + apiVersion: v2 + appVersion: v5.0.12 + created: "2024-02-09T14:31:36.291490399Z" + description: A Helm chart for MinIO Operator + digest: 79c4de7dcf753469fa969ef47ec377a0cfe630b23bec263dc0407e8ffc7391e7 + home: https://min.io + icon: https://min.io/resources/img/logo/MINIO_wordmark.png + keywords: + - storage + - object-storage + - S3 + maintainers: + - email: dev@minio.io + name: MinIO, Inc + name: minio-operator + sources: + - https://github.com/minio/operator + type: application + urls: + - assets/minio/minio-operator-5.0.12.tgz + version: 5.0.12 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Minio Operator 
@@ -44205,6 +45210,50 @@ entries: - assets/minio/minio-operator-4.4.1700.tgz version: 4.4.1700 mysql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: MySQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: mysql + category: Database + images: | + - name: mysql + image: docker.io/bitnami/mysql:8.0.36-debian-11-r4 + - name: mysqld-exporter + image: docker.io/bitnami/mysqld-exporter:0.15.1-debian-11-r5 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 8.0.36 + created: "2024-02-09T14:31:10.63204707Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: MySQL is a fast, reliable, scalable, and easy to use open source + relational database system. Designed to handle mission-critical, heavy-load + production applications. + digest: df461fab2b95fa932a4e6d29e718cb042f58cd7497acab55856159c68d916a2a + home: https://bitnami.com + icon: https://www.mysql.com/common/logos/logo-mysql-170x115.png + keywords: + - mysql + - database + - sql + - cluster + - high availability + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: mysql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/mysql + urls: + - assets/bitnami/mysql-9.19.1.tgz + version: 9.19.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: MySQL 
@@ -45757,6 +46806,31 @@ entries: - assets/bitnami/mysql-9.4.1.tgz version: 9.4.1 nats: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NATS Server + catalog.cattle.io/kube-version: '>=1.16-0' + catalog.cattle.io/release-name: nats + apiVersion: v2 + appVersion: 2.10.10 + created: "2024-02-09T14:31:36.353589691Z" + description: A Helm chart for the NATS.io High Speed Cloud Native Distributed + Communications Technology. + digest: ef02b1840e053f5cb93921c2eaeaffe4b84f72bdc08cf590ccd5b065938a317e + home: http://github.com/nats-io/k8s + icon: https://nats.io/img/nats-icon-color.png + keywords: + - nats + - messaging + - cncf + maintainers: + - email: info@nats.io + name: The NATS Authors + url: https://github.com/nats-io + name: nats + urls: + - assets/nats/nats-1.1.8.tgz + version: 1.1.8 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NATS Server 
@@ -47219,6 +48293,88 @@ entries: - assets/f5/nginx-service-mesh-0.2.100.tgz version: 0.2.100 nri-bundle: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: New Relic + catalog.cattle.io/release-name: nri-bundle + apiVersion: v2 + created: "2024-02-09T14:31:36.841109283Z" + dependencies: + - condition: infrastructure.enabled,newrelic-infrastructure.enabled + name: newrelic-infrastructure + repository: file://./charts/newrelic-infrastructure + version: 3.30.0 + - condition: prometheus.enabled,nri-prometheus.enabled + name: nri-prometheus + repository: file://./charts/nri-prometheus + version: 2.1.17 + - condition: newrelic-prometheus-agent.enabled + name: newrelic-prometheus-agent + repository: file://./charts/newrelic-prometheus-agent + version: 1.10.0 + - condition: webhook.enabled,nri-metadata-injection.enabled + name: nri-metadata-injection + repository: file://./charts/nri-metadata-injection + version: 4.17.0 + - condition: metrics-adapter.enabled,newrelic-k8s-metrics-adapter.enabled + name: newrelic-k8s-metrics-adapter + repository: file://./charts/newrelic-k8s-metrics-adapter + version: 1.9.0 + - condition: ksm.enabled,kube-state-metrics.enabled + name: kube-state-metrics + repository: file://./charts/kube-state-metrics + version: 5.12.1 + - condition: kubeEvents.enabled,nri-kube-events.enabled + name: nri-kube-events + repository: file://./charts/nri-kube-events + version: 3.8.0 + - condition: logging.enabled,newrelic-logging.enabled + name: newrelic-logging + repository: file://./charts/newrelic-logging + version: 1.20.0 + - condition: newrelic-pixie.enabled + name: newrelic-pixie + repository: file://./charts/newrelic-pixie + version: 2.1.2 + - alias: pixie-chart + condition: pixie-chart.enabled + name: pixie-operator-chart + repository: file://./charts/pixie-operator-chart + version: 0.1.4 + - condition: newrelic-infra-operator.enabled + name: newrelic-infra-operator + repository: 
file://./charts/newrelic-infra-operator + version: 2.9.0 + description: Groups together the individual charts for the New Relic Kubernetes + solution for a more comfortable deployment. + digest: 59930096ba81e9b31081e6812f5620e15207adcb5fe15969176aa6ac395ced05 + home: https://github.com/newrelic/helm-charts + icon: https://newrelic.com/themes/custom/erno/assets/mediakit/new_relic_logo_vertical.svg + keywords: + - infrastructure + - newrelic + - monitoring + maintainers: + - name: juanjjaramillo + url: https://github.com/juanjjaramillo + - name: csongnr + url: https://github.com/csongnr + name: nri-bundle + sources: + - https://github.com/newrelic/nri-bundle/ + - https://github.com/newrelic/nri-bundle/tree/master/charts/nri-bundle + - https://github.com/newrelic/nri-kubernetes/tree/master/charts/newrelic-infrastructure + - https://github.com/newrelic/nri-prometheus/tree/master/charts/nri-prometheus + - https://github.com/newrelic/newrelic-prometheus-configurator/tree/master/charts/newrelic-prometheus-agent + - https://github.com/newrelic/k8s-metadata-injection/tree/master/charts/nri-metadata-injection + - https://github.com/newrelic/newrelic-k8s-metrics-adapter/tree/master/charts/newrelic-k8s-metrics-adapter + - https://github.com/newrelic/nri-kube-events/tree/master/charts/nri-kube-events + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-logging + - https://github.com/newrelic/helm-charts/tree/master/charts/newrelic-pixie + - https://github.com/newrelic/newrelic-infra-operator/tree/master/charts/newrelic-infra-operator + urls: + - assets/new-relic/nri-bundle-5.0.63.tgz + version: 5.0.63 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: New Relic 
@@ -52409,6 +53565,51 @@ entries: - assets/portworx/portworx-essentials-2.9.100.tgz version: 2.9.100 postgresql: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: PostgreSQL + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: postgresql + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + - name: postgres-exporter + image: docker.io/bitnami/postgres-exporter:0.15.0-debian-11-r9 + - name: postgresql + image: docker.io/bitnami/postgresql:16.2.0-debian-11-r1 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 16.2.0 + created: "2024-02-09T14:31:10.939884776Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: PostgreSQL (Postgres) is an open source object-relational database + known for reliability and data integrity. ACID-compliant, it supports foreign + keys, joins, views, triggers and stored procedures. + digest: 73825bd7730d31d4eb7a659e62b81230b0589c92a85f3cac68a2ae06ffd09a1b + home: https://bitnami.com + icon: https://wiki.postgresql.org/images/a/a4/PostgreSQL_logo.3colors.svg + keywords: + - postgresql + - postgres + - database + - sql + - replication + - cluster + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: postgresql + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/postgresql + urls: + - assets/bitnami/postgresql-14.0.4.tgz + version: 14.0.4 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: PostgreSQL 
@@ -55320,6 +56521,28 @@ entries: - assets/bitnami/postgresql-11.9.12.tgz version: 11.9.12 psmdb-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Server for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-db + apiVersion: v2 + appVersion: 1.15.0 + created: "2024-02-09T14:31:37.182537322Z" + description: A Helm chart for installing Percona Server MongoDB Cluster Databases + using the PSMDB Operator. + digest: 2f26287ed89cdbf6274268eedf0727dc560eb95f5abc13d73f273a2702fbf5a3 + home: https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + name: psmdb-db + urls: + - assets/percona/psmdb-db-1.15.3.tgz + version: 1.15.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Server for MongoDB 
@@ -55497,6 +56720,29 @@ entries: - assets/percona/psmdb-db-1.13.0.tgz version: 1.13.0 psmdb-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator for MongoDB + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: psmdb-operator + apiVersion: v2 + appVersion: 1.15.0 + created: "2024-02-09T14:31:37.207016779Z" + description: A Helm chart for deploying the Percona Operator for MongoDB + digest: d0a48d588f7c495505d9a94c8e4703ce91ea009c4d8386cc6d05b5f282e4daf7 + home: https://docs.percona.com/percona-operator-for-mongodb/ + icon: https://raw.githubusercontent.com/percona/percona-server-mongodb-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: psmdb-operator + urls: + - assets/percona/psmdb-operator-1.15.2.tgz + version: 1.15.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator for MongoDB 
@@ -55681,6 +56927,30 @@ entries: - assets/percona/psmdb-operator-1.13.1.tgz version: 1.13.1 pxc-db: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-db + apiVersion: v2 + appVersion: 1.13.0 + created: "2024-02-09T14:31:37.218497927Z" + description: A Helm chart for installing Percona XtraDB Cluster Databases using + the PXC Operator. + digest: ea30975e4e054423e9296ed0ef97080392daabb06b4cf6af68d236ba1fcaed51 + home: https://www.percona.com/doc/kubernetes-operator-for-pxc/kubernetes.html + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: sergey.pronin@percona.com + name: spron-in + - email: natalia.marukovich@percona.com + name: nmarukovich + name: pxc-db + urls: + - assets/percona/pxc-db-1.13.6.tgz + version: 1.13.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona XtraDB Cluster 
@@ -55880,6 +57150,31 @@ entries: - assets/percona/pxc-db-1.12.0.tgz version: 1.12.0 pxc-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona + XtraDB Cluster + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: pxc-operator + apiVersion: v2 + appVersion: 1.13.0 + created: "2024-02-09T14:31:37.231490235Z" + description: A Helm chart for deploying the Percona Operator for MySQL (based + on Percona XtraDB Cluster) + digest: 472398808b924b3ed8f6fe2cfdeda46ce2130bb484563f6660ae359a56826ab5 + home: https://docs.percona.com/percona-operator-for-mysql/pxc/ + icon: https://raw.githubusercontent.com/percona/percona-xtradb-cluster-operator/main/operator.png + maintainers: + - email: tomislav.plavcic@percona.com + name: tplavcic + - email: natalia.marukovich@percona.com + name: nmarukovich + - email: sergey.pronin@percona.com + name: spron-in + name: pxc-operator + urls: + - assets/percona/pxc-operator-1.13.5.tgz + version: 1.13.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Percona Operator For MySQL based on Percona 
@@ -56174,6 +57469,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.5.tgz version: 0.1.5 redis: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redis + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: redis + category: Database + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + - name: redis-exporter + image: docker.io/bitnami/redis-exporter:1.57.0-debian-11-r2 + - name: redis-sentinel + image: docker.io/bitnami/redis-sentinel:7.2.4-debian-11-r6 + - name: redis + image: docker.io/bitnami/redis:7.2.4-debian-11-r5 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 7.2.4 + created: "2024-02-09T14:31:11.20203393Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Redis(R) is an open source, advanced key-value store. It is often + referred to as a data structure server since keys can contain strings, hashes, + lists, sets and sorted sets. + digest: 2f5e14caa60d29eeb18cca57d83b92b3367dada622c4ff61cb62ea2bf54a3c12 + home: https://bitnami.com + icon: https://redis.com/wp-content/uploads/2021/08/redis-logo.png + keywords: + - redis + - keyvalue + - database + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: redis + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/redis + urls: + - assets/bitnami/redis-18.12.1.tgz + version: 18.12.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Redis 
@@ -58670,6 +60009,50 @@ entries: - assets/bitnami/redis-17.3.7.tgz version: 17.3.7 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v23.3.4 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.8.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v23.3.4 + created: "2024-02-09T14:31:37.649273222Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: e4a36e0a2c66d3439130a82e381144ae9e2195c6da745d1f7922532bc181e1c3 + icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.7.23.tgz + version: 5.7.23 - annotations: artifacthub.io/images: | - name: redpanda 
@@ -63055,6 +64438,43 @@ entries: - assets/shipa/shipa-1.4.0.tgz version: 1.4.0 spark: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Spark + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: spark + category: Infrastructure + images: | + - name: spark + image: docker.io/bitnami/spark:3.5.0-debian-11-r22 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.5.0 + created: "2024-02-09T14:31:11.346357663Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Spark is a high-performance engine for large-scale computing + tasks, such as data processing, machine learning and real-time data streaming. + It includes APIs for Java, Python, Scala and R. + digest: 343482c693429ae166243840c31cd96a6e0acd9ca71d47bfcc501e8079626279 + home: https://bitnami.com + icon: https://www.apache.org/logos/res/spark/default.png + keywords: + - apache + - spark + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: spark + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/spark + urls: + - assets/bitnami/spark-8.5.2.tgz + version: 8.5.2 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Spark 
@@ -64505,6 +65925,37 @@ entries: - assets/bitnami/spark-6.3.8.tgz version: 6.3.8 speedscale-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Speedscale Operator + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: speedscale-operator + apiVersion: v1 + appVersion: 2.1.1 + created: "2024-02-09T14:31:37.74382007Z" + description: Stress test your APIs with real world scenarios. Collect and replay + traffic without scripting. + digest: 3d4dcc7b51b3eead7f8fc63bb3fcf06932b1494774ad2da8ff6087768816d989 + home: https://speedscale.com + icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png + keywords: + - speedscale + - test + - testing + - regression + - reliability + - load + - replay + - network + - traffic + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: support@speedscale.com + name: Speedscale Support + name: speedscale-operator + urls: + - assets/speedscale/speedscale-operator-2.0.11.tgz + version: 2.0.11 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Speedscale Operator 
@@ -66766,6 +68217,34 @@ entries: - assets/speedscale/speedscale-operator-0.9.12600.tgz version: 0.9.12600 stackstate-k8s-agent: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: StackState Agent + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: stackstate-k8s-agent + apiVersion: v2 + appVersion: 2.19.1 + created: "2024-02-09T14:31:37.763176415Z" + dependencies: + - alias: httpHeaderInjectorWebhook + name: http-header-injector + repository: file://./charts/http-header-injector + version: 0.0.8 + description: Helm chart for the StackState Agent. + digest: fa56bf93b4b323ece283d2062079c147611205f545673d45988b94db3758a78c + home: https://github.com/StackVista/stackstate-agent + icon: https://raw.githubusercontent.com/StackVista/helm-charts/master/stable/stackstate-k8s-agent/logo.svg + keywords: + - monitoring + - observability + - stackstate + maintainers: + - email: ops@stackstate.com + name: Stackstate + name: stackstate-k8s-agent + urls: + - assets/stackstate/stackstate-k8s-agent-1.0.68.tgz + version: 1.0.68 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: StackState Agent 
@@ -68861,6 +70340,51 @@ entries: - assets/intel/tcs-issuer-0.1.0.tgz version: 0.1.0 tomcat: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Tomcat + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: tomcat + category: ApplicationServer + images: | + - name: jmx-exporter + image: docker.io/bitnami/jmx-exporter:0.20.0-debian-11-r6 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + - name: tomcat + image: docker.io/bitnami/tomcat:10.1.18-debian-11-r4 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 10.1.18 + created: "2024-02-09T14:31:11.376730194Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache Tomcat is an open-source web server designed to host and run + Java-based web applications. It is a lightweight server with a good performance + for applications running in production environments. + digest: 1a0f31f55c86024d53daa194b5c50392c0d007f59330748cc668f4f0d4d8188a + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/tomcat.svg + keywords: + - tomcat + - java + - http + - web + - application server + - jsp + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: tomcat + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/tomcat + urls: + - assets/bitnami/tomcat-10.13.5.tgz + version: 10.13.5 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Tomcat 
@@ -71878,6 +73402,33 @@ entries: - assets/triggermesh/triggermesh-0.3.401.tgz version: 0.3.401 vals-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Vals-Operator + catalog.cattle.io/kube-version: '>= 1.19.0-0' + catalog.cattle.io/release-name: vals-operator + apiVersion: v2 + appVersion: v0.7.9 + created: "2024-02-09T14:31:13.322000425Z" + description: 'This helm chart installs the Digitalis Vals Operator to manage and + sync secrets from supported backends into Kubernetes. ## About Vals-Operator + Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals), + it''s a tool we use daily to keep secrets stored securely. Inspired by this + tool, we have created an operator to manage Kubernetes secrets. *vals-operator* + syncs secrets from any secrets store supported by [vals](https://github.com/helmfile/vals) + into Kubernetes. Also, `vals-operator` supports database secrets as provider + by [HashiCorp Vault Secret Engine](https://developer.hashicorp.com/vault/docs/secrets/databases). ' + digest: cf6bb7a6724ede7314d926ccc89dc4bd88cc24531eaf4d3e377667432173a023 + icon: https://digitalis.io/wp-content/uploads/2020/06/cropped-Digitalis-512x512-Blue_Digitalis-512x512-Blue-32x32.png + kubeVersion: '>= 1.19.0-0' + maintainers: + - email: info@digitalis.io + name: Digitalis.IO + name: vals-operator + type: application + urls: + - assets/digitalis/vals-operator-0.7.9.tgz + version: 0.7.9 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Vals-Operator 
@@ -72477,6 +74028,60 @@ entries: - assets/hashicorp/vault-0.22.0.tgz version: 0.22.0 wordpress: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: WordPress + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: wordpress + category: CMS + images: | + - name: apache-exporter + image: docker.io/bitnami/apache-exporter:1.0.6-debian-11-r2 + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + - name: wordpress + image: docker.io/bitnami/wordpress:6.4.3-debian-11-r4 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 6.4.3 + created: "2024-02-09T14:31:12.239519932Z" + dependencies: + - condition: memcached.enabled + name: memcached + repository: file://./charts/memcached + version: 6.x.x + - condition: mariadb.enabled + name: mariadb + repository: file://./charts/mariadb + version: 15.x.x + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: WordPress is the world's most popular blogging and content management + platform. Powerful yet simple, everyone from students to global corporations + use it to build beautiful, functional websites. + digest: 766a0cb3e8bf5b88be2a4111d3578292df895e8ca7240d6ce8b8a2456f881d81 + home: https://bitnami.com + icon: https://s.w.org/style/images/about/WordPress-logotype-simplified.png + keywords: + - application + - blog + - cms + - http + - php + - web + - wordpress + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: wordpress + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/wordpress + urls: + - assets/bitnami/wordpress-19.2.6.tgz + version: 19.2.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: WordPress 
@@ -77446,6 +79051,32 @@ entries: - assets/bitnami/wordpress-15.2.6.tgz version: 15.2.6 yugabyte: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugabyte + charts.openshift.io/name: yugabyte + apiVersion: v2 + appVersion: 2.18.6.0-b73 + created: "2024-02-09T14:31:38.417075545Z" + description: YugabyteDB is the high-performance distributed SQL database for building + global, internet-scale apps. + digest: 034bb533c87e8f6dea9c24c5023a4ae8813b14015ec87695a1874002266b47c1 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugabyte + sources: + - https://github.com/yugabyte/yugabyte-db + urls: + - assets/yugabyte/yugabyte-2.18.6.tgz + version: 2.18.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB 
@@ -77602,6 +79233,32 @@ entries: urls: - assets/yugabyte/yugabyte-2.18.0.tgz version: 2.18.0 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugabyte + charts.openshift.io/name: yugabyte + apiVersion: v2 + appVersion: 2.16.9.0-b67 + created: "2024-02-09T14:31:38.40149703Z" + description: YugabyteDB is the high-performance distributed SQL database for building + global, internet-scale apps. + digest: 7064fdbfa5d6b5cd5330cddc6de6d3860121eeb13d431d7f097c214811341594 + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugabyte + sources: + - https://github.com/yugabyte/yugabyte-db + urls: + - assets/yugabyte/yugabyte-2.16.9.tgz + version: 2.16.9 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB 
@@ -78143,6 +79800,32 @@ entries: - assets/yugabyte/yugabyte-2.14.3.tgz version: 2.14.3 yugaware: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB Anywhere + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugaware + charts.openshift.io/name: yugaware + apiVersion: v2 + appVersion: 2.18.6.0-b73 + created: "2024-02-09T14:31:38.455949777Z" + description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB + cluster with multiple pods provided by Kubernetes or OpenShift and logically + grouped together to form one logical distributed database. + digest: 4ba2bf730ff60930c8edbff984d10afdfa0ce05592ed1ceec286cd0e4163936c + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugaware + urls: + - assets/yugabyte/yugaware-2.18.6.tgz + version: 2.18.6 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB Anywhere 
@@ -78299,6 +79982,32 @@ entries: urls: - assets/yugabyte/yugaware-2.18.0.tgz version: 2.18.0 + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: YugabyteDB Anywhere + catalog.cattle.io/kube-version: '>=1.18-0' + catalog.cattle.io/release-name: yugaware + charts.openshift.io/name: yugaware + apiVersion: v2 + appVersion: 2.16.9.0-b67 + created: "2024-02-09T14:31:38.443591141Z" + description: YugabyteDB Anywhere provides deployment, orchestration, and monitoring + for managing YugabyteDB clusters. YugabyteDB Anywhere can create a YugabyteDB + cluster with multiple pods provided by Kubernetes or OpenShift and logically + grouped together to form one logical distributed database. + digest: 74b703f49e97e53d56afbbc59058beca1eb8387228071d7d6e869de5ca91bc8b + home: https://www.yugabyte.com + icon: https://avatars0.githubusercontent.com/u/17074854?s=200&v=4 + kubeVersion: '>=1.18-0' + maintainers: + - email: sanketh@yugabyte.com + name: Sanketh Indarapu + - email: gjalla@yugabyte.com + name: Govardhan Reddy Jalla + name: yugaware + urls: + - assets/yugabyte/yugaware-2.16.9.tgz + version: 2.16.9 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: YugabyteDB Anywhere 
@@ -78810,6 +80519,43 @@ entries: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 zookeeper: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Apache Zookeeper + catalog.cattle.io/kube-version: '>=1.19-0' + catalog.cattle.io/release-name: zookeeper + category: Infrastructure + images: | + - name: os-shell + image: docker.io/bitnami/os-shell:11-debian-11-r96 + - name: zookeeper + image: docker.io/bitnami/zookeeper:3.9.1-debian-11-r8 + licenses: Apache-2.0 + apiVersion: v2 + appVersion: 3.9.1 + created: "2024-02-09T14:31:12.332570262Z" + dependencies: + - name: common + repository: file://./charts/common + tags: + - bitnami-common + version: 2.x.x + description: Apache ZooKeeper provides a reliable, centralized register of configuration + data and services for distributed applications. + digest: 383cfed5c1ff446a87b8d7e51c2b686279d29740055c79c019f2febe2a63d722 + home: https://bitnami.com + icon: https://svn.apache.org/repos/asf/comdev/project-logos/originals/zookeeper.svg + keywords: + - zookeeper + maintainers: + - name: VMware, Inc. + url: https://github.com/bitnami/charts + name: zookeeper + sources: + - https://github.com/bitnami/charts/tree/main/bitnami/zookeeper + urls: + - assets/bitnami/zookeeper-12.8.1.tgz + version: 12.8.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Apache Zookeeper