andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Added chart versions: 

external-secrets/external-secrets:
    - 0.10.5
  instana/instana-agent:
    - 1.2.74
  percona/psmdb-operator:
    - 1.17.1
  redpanda/redpanda:
    - 5.9.9
pull/1085/head
github-actions[bot] 2024-10-26 00:37:43 +00:00
parent b51aa4ed4e
commit 281c040c95
191 changed files with 66571 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/external-secrets/external-secrets-0.10.5.tgz Normal file
View File

Binary file not shown.

BIN
assets/instana/instana-agent-1.2.74.tgz Normal file
View File

Binary file not shown.

BIN
assets/percona/psmdb-operator-1.17.1.tgz Normal file
View File

Binary file not shown.

BIN
assets/redpanda/redpanda-5.9.9.tgz Normal file
View File

Binary file not shown.

6
charts/external-secrets/external-secrets/0.10.5/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: bitwarden-sdk-server
repository: oci://ghcr.io/external-secrets/charts
version: v0.3.1
digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
generated: "2024-09-20T12:57:07.63511+02:00"

25
charts/external-secrets/external-secrets/0.10.5/Chart.yaml Normal file
View File

@ -0,0 +1,25 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: External Secrets Operator
catalog.cattle.io/kube-version: '>= 1.19.0-0'
catalog.cattle.io/release-name: external-secrets
apiVersion: v2
appVersion: v0.10.5
dependencies:
- condition: bitwarden-sdk-server.enabled
name: bitwarden-sdk-server
repository: oci://ghcr.io/external-secrets/charts
version: v0.3.1
description: External secret management for Kubernetes
home: https://github.com/external-secrets/external-secrets
icon: file://assets/icons/external-secrets.png
keywords:
- kubernetes-external-secrets
- secrets
kubeVersion: '>= 1.19.0-0'
maintainers:
- email: kellinmcavoy@gmail.com
name: mcavoyk
name: external-secrets
type: application
version: 0.10.5

225
charts/external-secrets/external-secrets/0.10.5/README.md Normal file
View File

@ -0,0 +1,225 @@
# External Secrets
<p><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" alt="external-secrets"></p>
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.10.5](https://img.shields.io/badge/Version-0.10.5-informational?style=flat-square)
External secret management for Kubernetes
## TL;DR
```bash
helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets
```
## Installing the Chart
To install the chart with the release name `external-secrets`:
```bash
helm install external-secrets external-secrets/external-secrets
```
### Custom Resources
By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
## Uninstalling the Chart
To uninstall the `external-secrets` deployment:
```bash
helm uninstall external-secrets
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| affinity | object | `{}` | |
| bitwarden-sdk-server.enabled | bool | `false` | |
| certController.affinity | object | `{}` | |
| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| certController.extraArgs | object | `{}` | |
| certController.extraEnv | list | `[]` | |
| certController.extraVolumeMounts | list | `[]` | |
| certController.extraVolumes | list | `[]` | |
| certController.fullnameOverride | string | `""` | |
| certController.hostNetwork | bool | `false` | Run the certController on the host network |
| certController.image.flavour | string | `""` | |
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
| certController.image.tag | string | `""` | |
| certController.imagePullSecrets | list | `[]` | |
| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
| certController.metrics.listen.port | int | `8080` | |
| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
| certController.nameOverride | string | `""` | |
| certController.nodeSelector | object | `{}` | |
| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| certController.podLabels | object | `{}` | |
| certController.podSecurityContext.enabled | bool | `true` | |
| certController.priorityClassName | string | `""` | Pod priority class name. |
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| certController.readinessProbe.address | string | `""` | Address for readiness probe |
| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
| certController.replicaCount | int | `1` | |
| certController.requeueInterval | string | `"5m"` | |
| certController.resources | object | `{}` | |
| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| certController.securityContext.enabled | bool | `true` | |
| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
| certController.securityContext.runAsNonRoot | bool | `true` | |
| certController.securityContext.runAsUser | int | `1000` | |
| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| certController.tolerations | list | `[]` | |
| certController.topologySpreadConstraints | list | `[]` | |
| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
| crds.annotations | object | `{}` | |
| crds.conversion.enabled | bool | `true` | |
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
| extraArgs | object | `{}` | |
| extraContainers | list | `[]` | |
| extraEnv | list | `[]` | |
| extraObjects | list | `[]` | |
| extraVolumeMounts | list | `[]` | |
| extraVolumes | list | `[]` | |
| fullnameOverride | string | `""` | |
| global.affinity | object | `{}` | |
| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
| global.nodeSelector | object | `{}` | |
| global.tolerations | list | `[]` | |
| global.topologySpreadConstraints | list | `[]` | |
| hostNetwork | bool | `false` | Run the controller on the host network |
| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| imagePullSecrets | list | `[]` | |
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
| metrics.listen.port | int | `8080` | |
| metrics.service.annotations | object | `{}` | Additional service annotations |
| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| metrics.service.port | int | `8080` | Metrics service port to scrape |
| nameOverride | string | `""` | |
| namespaceOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| podAnnotations | object | `{}` | Annotations to add to Pod |
| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| podLabels | object | `{}` | |
| podSecurityContext.enabled | bool | `true` | |
| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
| priorityClassName | string | `""` | Pod priority class name. |
| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
| securityContext.allowPrivilegeEscalation | bool | `false` | |
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
| securityContext.enabled | bool | `true` | |
| securityContext.readOnlyRootFilesystem | bool | `true` | |
| securityContext.runAsNonRoot | bool | `true` | |
| securityContext.runAsUser | int | `1000` | |
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
| tolerations | list | `[]` | |
| topologySpreadConstraints | list | `[]` | |
| webhook.affinity | object | `{}` | |
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
| webhook.certDir | string | `"/tmp/certs"` | |
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificates expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
| webhook.extraArgs | object | `{}` | |
| webhook.extraEnv | list | `[]` | |
| webhook.extraVolumeMounts | list | `[]` | |
| webhook.extraVolumes | list | `[]` | |
| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
| webhook.fullnameOverride | string | `""` | |
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
| webhook.imagePullSecrets | list | `[]` | |
| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
| webhook.metrics.listen.port | int | `8080` | |
| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
| webhook.nameOverride | string | `""` | |
| webhook.nodeSelector | object | `{}` | |
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| webhook.podLabels | object | `{}` | |
| webhook.podSecurityContext.enabled | bool | `true` | |
| webhook.port | int | `10250` | The port the webhook will listen to |
| webhook.priorityClassName | string | `""` | Pod priority class name. |
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
| webhook.replicaCount | int | `1` | |
| webhook.resources | object | `{}` | |
| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
| webhook.securityContext.enabled | bool | `true` | |
| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
| webhook.securityContext.runAsNonRoot | bool | `true` | |
| webhook.securityContext.runAsUser | int | `1000` | |
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| webhook.tolerations | list | `[]` | |
| webhook.topologySpreadConstraints | list | `[]` | |

7
charts/external-secrets/external-secrets/0.10.5/app-readme.md Normal file
View File

@ -0,0 +1,7 @@
**External Secrets Operator** is a Kubernetes operator that integrates external secret management systems like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), [HashiCorp Vault](https://www.vaultproject.io/), [Google Secrets Manager](https://cloud.google.com/secret-manager), [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) and many more.
The operator reads information from external APIs and automatically injects the values into a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
### What is the goal of External Secrets Operator?
The goal of External Secrets Operator is to synchronize secrets from external APIs into Kubernetes. ESO is a collection of custom API resources - `ExternalSecret`, `SecretStore` and `ClusterSecretStore` that provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.

23
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

6
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/Chart.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v2
appVersion: v0.3.1
description: A Helm chart for Kubernetes
name: bitwarden-sdk-server
type: application
version: v0.3.1

22
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden-sdk-server.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden-sdk-server.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden-sdk-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden-sdk-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

62
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "bitwarden-sdk-server.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "bitwarden-sdk-server.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "bitwarden-sdk-server.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "bitwarden-sdk-server.labels" -}}
helm.sh/chart: {{ include "bitwarden-sdk-server.chart" . }}
{{ include "bitwarden-sdk-server.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "bitwarden-sdk-server.selectorLabels" -}}
app.kubernetes.io/name: {{ include "bitwarden-sdk-server.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "bitwarden-sdk-server.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "bitwarden-sdk-server.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

77
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/deployment.yaml Normal file
View File

@ -0,0 +1,77 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "bitwarden-sdk-server.fullname" . }}
labels:
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Chart.Name }}
{{- if not .Values.image.tls.enabled }}
args:
- --insecure
{{- end }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.image.tls.enabled }}
volumeMounts:
{{- toYaml .Values.image.tls.volumeMounts | nindent 10 }}
{{- end}}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
httpGet:
path: /live
port: http
{{- if .Values.image.tls.enabled }}
scheme: HTTPS
{{- end }}
readinessProbe:
httpGet:
path: /ready
port: http
{{- if .Values.image.tls.enabled }}
scheme: HTTPS
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.image.tls.enabled }}
volumes:
{{- toYaml .Values.image.tls.volumes | nindent 8 }}
{{- end}}

14
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/service.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "bitwarden-sdk-server.fullname" . }}
labels:
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
name: http
selector:
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 4 }}

12
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
labels:
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

60
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap Normal file
View File

@ -0,0 +1,60 @@
deployment should match snapshot:
1: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: bitwarden-sdk-server
app.kubernetes.io/version: 1.16.0
helm.sh/chart: bitwarden-sdk-server-0.1.0
name: bitwarden-sdk-server
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: bitwarden-sdk-server
template:
metadata:
labels:
app.kubernetes.io/instance: RELEASE-NAME
app.kubernetes.io/name: bitwarden-sdk-server
spec:
containers:
- image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.8.0
imagePullPolicy: IfNotPresent
livenessProbe:
httpGet:
path: /live
port: http
scheme: HTTPS
name: bitwarden-sdk-server
ports:
- containerPort: 9998
name: http
protocol: TCP
readinessProbe:
httpGet:
path: /ready
port: http
scheme: HTTPS
resources: {}
securityContext: {}
volumeMounts:
- mountPath: /certs
name: bitwarden-tls-certs
securityContext: {}
serviceAccountName: bitwarden-sdk-server
volumes:
- name: bitwarden-tls-certs
secret:
items:
- key: tls.crt
path: cert.pem
- key: tls.key
path: key.pem
- key: ca.crt
path: ca.pem
secretName: bitwarden-tls-certs

9
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/deployment_test.yaml Normal file
View File

@ -0,0 +1,9 @@
suite: test deployment
templates:
- deployment.yaml
tests:
- it: deployment should match snapshot
set:
image.tag: v0.8.0
asserts:
- matchSnapshot: {}

98
charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/values.yaml Normal file
View File

@ -0,0 +1,98 @@
# Default values for bitwarden-sdk-server.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: ghcr.io/external-secrets/bitwarden-sdk-server
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
tls:
enabled: true
volumeMounts:
- mountPath: "/certs"
name: "bitwarden-tls-certs"
volumes:
- name: "bitwarden-tls-certs"
secret:
secretName: "bitwarden-tls-certs"
items:
- key: "tls.crt"
path: "cert.pem"
- key: "tls.key"
path: "key.pem"
- key: "ca.crt"
path: "ca.pem"
imagePullSecrets: []
nameOverride: "bitwarden-sdk-server"
fullnameOverride: "bitwarden-sdk-server"
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 9998
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}

8
charts/external-secrets/external-secrets/0.10.5/questions.yaml Normal file
View File

@ -0,0 +1,8 @@
questions:
- variable: installCRDs
default: false
required: true
description: "If true, Install and upgrade CRDs through helm chart"
type: boolean
label: Install CRDs

7
charts/external-secrets/external-secrets/0.10.5/templates/NOTES.txt Normal file
View File

@ -0,0 +1,7 @@
external-secrets has been deployed successfully in namespace {{ template "external-secrets.namespace" . }}!
In order to begin using ExternalSecrets, you will need to set up a SecretStore
or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
More information on the different types of SecretStores and how to configure them
can be found in our Github: {{ .Chart.Home }}

198
charts/external-secrets/external-secrets/0.10.5/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,198 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "external-secrets.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "external-secrets.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Define namespace of chart, useful for multi-namespace deployments
*/}}
{{- define "external-secrets.namespace" -}}
{{- if .Values.namespaceOverride }}
{{- .Values.namespaceOverride }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "external-secrets.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "external-secrets.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- define "external-secrets-webhook.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets-webhook.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- define "external-secrets-webhook-metrics.labels" -}}
{{ include "external-secrets-webhook.selectorLabels" . }}
app.kubernetes.io/metrics: "webhook"
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- define "external-secrets-cert-controller.labels" -}}
helm.sh/chart: {{ include "external-secrets.chart" . }}
{{ include "external-secrets-cert-controller.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{- define "external-secrets-cert-controller-metrics.labels" -}}
{{ include "external-secrets-cert-controller.selectorLabels" . }}
app.kubernetes.io/metrics: "cert-controller"
{{- with .Values.commonLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "external-secrets.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "external-secrets-webhook.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}-webhook
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "external-secrets-cert-controller.selectorLabels" -}}
app.kubernetes.io/name: {{ include "external-secrets.name" . }}-cert-controller
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets-webhook.serviceAccountName" -}}
{{- if .Values.webhook.serviceAccount.create }}
{{- default "external-secrets-webhook" .Values.webhook.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.webhook.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "external-secrets-cert-controller.serviceAccountName" -}}
{{- if .Values.certController.serviceAccount.create }}
{{- default "external-secrets-cert-controller" .Values.certController.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.certController.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Determine the image to use, including if using a flavour.
*/}}
{{- define "external-secrets.image" -}}
{{- if .image.flavour -}}
{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }}
{{- else }}
{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
{{- end }}
{{- end }}
{{/*
Renders a complete tree, even values that contains template.
*/}}
{{- define "external-secrets.render" -}}
{{- if typeIs "string" .value }}
{{- tpl .value .context }}
{{ else }}
{{- tpl (.value | toYaml) .context }}
{{- end }}
{{- end -}}
{{/*
Return true if the OpenShift is the detected platform
Usage:
{{- include "external-secrets.isOpenShift" . -}}
*/}}
{{- define "external-secrets.isOpenShift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Render the securityContext based on the provided securityContext
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
*/}}
{{- define "external-secrets.renderSecurityContext" -}}
{{- $adaptedContext := .securityContext -}}
{{- if .context.Values.global.compatibility -}}
{{- if .context.Values.global.compatibility.openshift -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}}
{{/* Remove OpenShift managed fields */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .securityContext.seLinuxOptions -}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

124
charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-deployment.yaml Normal file
View File

@ -0,0 +1,124 @@
{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.certController.replicaCount }}
revisionHistoryLimit: {{ .Values.certController.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.certController.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 8 }}
{{- with .Values.certController.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.certController.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
{{- with .Values.certController.podSecurityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
hostNetwork: {{ .Values.certController.hostNetwork }}
containers:
- name: cert-controller
{{- with .Values.certController.securityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
{{- end }}
{{- end }}
image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
args:
- certcontroller
- --crd-requeue-interval={{ .Values.certController.requeueInterval }}
- --service-name={{ include "external-secrets.fullname" . }}-webhook
- --service-namespace={{ template "external-secrets.namespace" . }}
- --secret-name={{ include "external-secrets.fullname" . }}-webhook
- --secret-namespace={{ template "external-secrets.namespace" . }}
- --metrics-addr=:{{ .Values.certController.metrics.listen.port }}
- --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
- --loglevel={{ .Values.certController.log.level }}
- --zap-time-encoding={{ .Values.certController.log.timeEncoding }}
{{- if not .Values.crds.createClusterSecretStore }}
- --crd-names=externalsecrets.external-secrets.io
- --crd-names=secretstores.external-secrets.io
{{- end }}
{{- if .Values.installCRDs }}
- --enable-partial-cache=true
{{- end }}
{{- range $key, $value := .Values.certController.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.certController.metrics.listen.port }}
protocol: TCP
name: metrics
readinessProbe:
httpGet:
port: {{ .Values.certController.readinessProbe.port }}
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
{{- with .Values.certController.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.certController.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.certController.extraVolumeMounts }}
volumeMounts:
{{- toYaml .Values.certController.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.certController.extraVolumes }}
volumes:
{{- toYaml .Values.certController.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.certController.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.certController.affinity | default .Values.global.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.certController.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.certController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.certController.priorityClassName }}
priorityClassName: {{ .Values.certController.priorityClassName }}
{{- end }}
{{- end }}

19
charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled (not .Values.webhook.certManager.enabled) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-pdb
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
spec:
{{- if .Values.certController.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.certController.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.certController.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.certController.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
{{- end }}

86
charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-rbac.yaml Normal file
View File

@ -0,0 +1,86 @@
{{- if and .Values.certController.create .Values.certController.rbac.create (not .Values.webhook.certManager.enabled) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- "customresourcedefinitions"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
verbs:
- "list"
- "watch"
- "get"
- apiGroups:
- "admissionregistration.k8s.io"
resources:
- "validatingwebhookconfigurations"
resourceNames:
- "secretstore-validate"
- "externalsecret-validate"
verbs:
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "endpoints"
verbs:
- "list"
- "get"
- "watch"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "update"
- "patch"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "external-secrets.fullname" . }}-cert-controller
subjects:
- name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
kind: ServiceAccount
{{- end }}

28
charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-service.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if and .Values.certController.create .Values.certController.metrics.service.enabled (not .Values.webhook.certManager.enabled) }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: {{ .Values.certController.metrics.service.port }}
protocol: TCP
targetPort: metrics
name: metrics
selector:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.certController.create .Values.certController.serviceAccount.create (not .Values.webhook.certManager.enabled) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- with .Values.certController.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.certController.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

204
charts/external-secrets/external-secrets/0.10.5/templates/crds/acraccesstoken.yaml Normal file
View File

@ -0,0 +1,204 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: acraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: ACRAccessToken
listKind: ACRAccessTokenList
plural: acraccesstokens
shortNames:
- acraccesstoken
singular: acraccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ACRAccessToken returns a Azure Container Registry token
that can be used for pushing/pulling images.
Note: by default it will return an ACR Refresh Token with full access
(depending on the identity).
This can be scoped down to the repository level using .spec.scope.
In case scope is defined it will return an ACR Access Token.
See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: |-
ACRAccessTokenSpec defines how to generate the access token
e.g. how to authenticate and which registry to use.
see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
properties:
auth:
properties:
managedIdentity:
description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
properties:
identityId:
description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
type: string
type: object
servicePrincipal:
description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
properties:
secretRef:
description: |-
Configuration used to authenticate with Azure using static
credentials stored in a Kind=Secret.
properties:
clientId:
description: The Azure clientId of the service principle used for authentication.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
clientSecret:
description: The Azure ClientSecret of the service principle used for authentication.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
required:
- secretRef
type: object
workloadIdentity:
description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
properties:
serviceAccountRef:
description: |-
ServiceAccountRef specified the service account
that should be used when authenticating with WorkloadIdentity.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
type: object
type: object
environmentType:
default: PublicCloud
description: |-
EnvironmentType specifies the Azure cloud environment endpoints to use for
connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
enum:
- PublicCloud
- USGovernmentCloud
- ChinaCloud
- GermanCloud
type: string
registry:
description: |-
the domain name of the ACR registry
e.g. foobarexample.azurecr.io
type: string
scope:
description: |-
Define the scope for the access token, e.g. pull/push access for a repository.
if not provided it will return a refresh token that has full scope.
Note: you need to pin it down to the repository level, there is no wildcard available.
examples:
repository:my-repository:pull,push
repository:my-repository:pull
see docs for details: https://docs.docker.com/registry/spec/auth/scope/
type: string
tenantId:
description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
type: string
required:
- auth
- registry
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

666
charts/external-secrets/external-secrets/0.10.5/templates/crds/clusterexternalsecret.yaml Normal file
View File

@ -0,0 +1,666 @@
{{- if and (.Values.installCRDs) (.Values.crds.createClusterExternalSecret) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: clusterexternalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- external-secrets
kind: ClusterExternalSecret
listKind: ClusterExternalSecretList
plural: clusterexternalsecrets
shortNames:
- ces
singular: clusterexternalsecret
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.externalSecretSpec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshTime
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
properties:
externalSecretMetadata:
description: The metadata of the external secrets to be created
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
externalSecretName:
description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
type: string
externalSecretSpec:
description: The spec for the ExternalSecrets to be created
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: |-
RemoteRef points to the remote secret and defines
which secret (version/property/..) to fetch.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
default: None
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
- None
- Fetch
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
description: |-
SecretKey defines the key in which the controller stores
the value. This is the key in the Kind=Secret
type: string
sourceRef:
description: |-
SourceRef allows you to override the source
from which the value will pulled from.
maxProperties: 1
properties:
generatorRef:
description: |-
GeneratorRef points to a generator custom resource.
Deprecated: The generatorRef is not implemented in .data[].
this will be removed with v1.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
type: string
required:
- kind
- name
type: object
storeRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
type: object
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: |-
DataFrom is used to fetch all properties from a specific Provider data
If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
description: |-
Used to extract multiple key/value pairs from one secret
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
default: None
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
- None
- Fetch
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
find:
description: |-
Used to find secrets based on tags or regular expressions
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
name:
description: Finds secrets based on the name.
properties:
regexp:
description: Finds secrets base
type: string
type: object
path:
description: A root path to start the find operations.
type: string
tags:
additionalProperties:
type: string
description: Find secrets based on tags.
type: object
type: object
rewrite:
description: |-
Used to rewrite secret Keys after getting them from the secret Provider
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
description: |-
Used to rewrite with regular expressions.
The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
type: string
target:
description: Used to define the target pattern of a ReplaceAll operation.
type: string
required:
- source
- target
type: object
transform:
description: |-
Used to apply string transformation on the secrets.
The resulting key will be the output of the template applied by the operation.
properties:
template:
description: |-
Used to define the template to apply on the secret name.
`.value ` will specify the secret name in the template.
type: string
required:
- template
type: object
type: object
type: array
sourceRef:
description: |-
SourceRef points to a store or generator
which contains secret values ready to use.
Use this in combination with Extract or Find pull values out of
a specific SecretStore.
When sourceRef points to a generator Extract or Find is not supported.
The generator returns a static map of values
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
type: string
required:
- kind
- name
type: object
storeRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
type: object
type: object
type: array
refreshInterval:
default: 1h
description: |-
RefreshInterval is the amount of time before the values are read again from the SecretStore provider
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
description: |-
ExternalSecretTarget defines the Kubernetes Secret to be created
There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: |-
CreationPolicy defines rules on how to create the resulting Secret
Defaults to 'Owner'
enum:
- Owner
- Orphan
- Merge
- None
type: string
deletionPolicy:
default: Retain
description: |-
DeletionPolicy defines rules on how to delete the resulting Secret
Defaults to 'Retain'
enum:
- Delete
- Merge
- Retain
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: |-
Name defines the name of the Secret resource to be managed
This field is immutable
Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v2
description: |-
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
- v1
- v2
type: string
mergePolicy:
default: Replace
enum:
- Replace
- Merge
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
literal:
type: string
secret:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
target:
default: Data
enum:
- Data
- Annotations
- Labels
type: string
type: object
type: array
type:
type: string
type: object
type: object
type: object
namespaceSelector:
description: |-
The labels to select by to find the Namespaces to create the ExternalSecrets in.
Deprecated: Use NamespaceSelectors instead.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
namespaceSelectors:
description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
items:
description: |-
A label selector is a label query over a set of resources. The result of matchLabels and
matchExpressions are ANDed. An empty label selector matches all objects. A null
label selector matches no objects.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
type: array
namespaces:
description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
items:
type: string
type: array
refreshTime:
description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
type: string
required:
- externalSecretSpec
type: object
status:
description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
properties:
conditions:
items:
properties:
message:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
externalSecretName:
description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
type: string
failedNamespaces:
description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
items:
description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
properties:
namespace:
description: Namespace is the namespace that failed when trying to apply an ExternalSecret
type: string
reason:
description: Reason is why the ExternalSecret failed to apply to the namespace
type: string
required:
- namespace
type: object
type: array
provisionedNamespaces:
description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
items:
type: string
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

4643
charts/external-secrets/external-secrets/0.10.5/templates/crds/clustersecretstore.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

178
charts/external-secrets/external-secrets/0.10.5/templates/crds/ecrauthorizationtoken.yaml Normal file
View File

@ -0,0 +1,178 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: ecrauthorizationtokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: ECRAuthorizationToken
listKind: ECRAuthorizationTokenList
plural: ecrauthorizationtokens
shortNames:
- ecrauthorizationtoken
singular: ecrauthorizationtoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
authorization token.
The authorization token is valid for 12 hours.
The authorizationToken returned is a base64 encoded string that can be decoded
and used in a docker login command to authenticate to a registry.
For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
auth:
description: Auth defines how to authenticate with AWS
properties:
jwt:
description: Authenticate against AWS using service account tokens.
properties:
serviceAccountRef:
description: A reference to a ServiceAccount resource.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
type: object
secretRef:
description: |-
AWSAuthSecretRef holds secret references for AWS credentials
both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
properties:
accessKeyIDSecretRef:
description: The AccessKeyID is used for authentication
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
description: |-
The SessionToken used for authentication
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
type: object
region:
description: Region specifies the region to operate in.
type: string
role:
description: |-
You can assume a role before making calls to the
desired AWS service.
type: string
required:
- region
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

820
charts/external-secrets/external-secrets/0.10.5/templates/crds/externalsecret.yaml Normal file
View File

@ -0,0 +1,820 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: externalsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- external-secrets
kind: ExternalSecret
listKind: ExternalSecretList
plural: externalsecrets
shortNames:
- es
singular: externalsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
deprecated: true
name: v1alpha1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ExternalSecretSpec defines the desired state of ExternalSecret.
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
type: string
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: |-
DataFrom is used to fetch all properties from a specific Provider data
If multiple entries are specified, the Secret keys are merged in the specified order
items:
description: ExternalSecretDataRemoteRef defines Provider data location.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
type: array
refreshInterval:
default: 1h
description: |-
RefreshInterval is the amount of time before the values are read again from the SecretStore provider
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
description: |-
ExternalSecretTarget defines the Kubernetes Secret to be created
There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: |-
CreationPolicy defines rules on how to create the resulting Secret
Defaults to 'Owner'
enum:
- Owner
- Merge
- None
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: |-
Name defines the name of the Secret resource to be managed
This field is immutable
Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v1
description: |-
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
- v1
- v2
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
maxProperties: 1
minProperties: 1
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
type: object
type: array
type:
type: string
type: object
type: object
required:
- secretStoreRef
- target
type: object
status:
properties:
binding:
description: Binding represents a servicebinding.io Provisioned Service reference to the secret
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: |-
refreshTime is the time and date the external secret was fetched and
the target secret updated
format: date-time
nullable: true
type: string
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version
type: string
type: object
type: object
served: true
storage: false
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.secretStoreRef.name
name: Store
type: string
- jsonPath: .spec.refreshInterval
name: Refresh Interval
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
- jsonPath: .status.conditions[?(@.type=="Ready")].status
name: Ready
type: string
name: v1beta1
schema:
openAPIV3Schema:
description: ExternalSecret is the Schema for the external-secrets API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: ExternalSecretSpec defines the desired state of ExternalSecret.
properties:
data:
description: Data defines the connection between the Kubernetes Secret keys and the Provider data
items:
description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
properties:
remoteRef:
description: |-
RemoteRef points to the remote secret and defines
which secret (version/property/..) to fetch.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
default: None
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
- None
- Fetch
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
secretKey:
description: |-
SecretKey defines the key in which the controller stores
the value. This is the key in the Kind=Secret
type: string
sourceRef:
description: |-
SourceRef allows you to override the source
from which the value will pulled from.
maxProperties: 1
properties:
generatorRef:
description: |-
GeneratorRef points to a generator custom resource.
Deprecated: The generatorRef is not implemented in .data[].
this will be removed with v1.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
type: string
required:
- kind
- name
type: object
storeRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
type: object
required:
- remoteRef
- secretKey
type: object
type: array
dataFrom:
description: |-
DataFrom is used to fetch all properties from a specific Provider data
If multiple entries are specified, the Secret keys are merged in the specified order
items:
properties:
extract:
description: |-
Used to extract multiple key/value pairs from one secret
Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
key:
description: Key is the key used in the Provider, mandatory
type: string
metadataPolicy:
default: None
description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
enum:
- None
- Fetch
type: string
property:
description: Used to select a specific property of the Provider value (if a map), if supported
type: string
version:
description: Used to select a specific version of the Provider value, if supported
type: string
required:
- key
type: object
find:
description: |-
Used to find secrets based on tags or regular expressions
Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
properties:
conversionStrategy:
default: Default
description: Used to define a conversion Strategy
enum:
- Default
- Unicode
type: string
decodingStrategy:
default: None
description: Used to define a decoding Strategy
enum:
- Auto
- Base64
- Base64URL
- None
type: string
name:
description: Finds secrets based on the name.
properties:
regexp:
description: Finds secrets base
type: string
type: object
path:
description: A root path to start the find operations.
type: string
tags:
additionalProperties:
type: string
description: Find secrets based on tags.
type: object
type: object
rewrite:
description: |-
Used to rewrite secret Keys after getting them from the secret Provider
Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
items:
properties:
regexp:
description: |-
Used to rewrite with regular expressions.
The resulting key will be the output of a regexp.ReplaceAll operation.
properties:
source:
description: Used to define the regular expression of a re.Compiler.
type: string
target:
description: Used to define the target pattern of a ReplaceAll operation.
type: string
required:
- source
- target
type: object
transform:
description: |-
Used to apply string transformation on the secrets.
The resulting key will be the output of the template applied by the operation.
properties:
template:
description: |-
Used to define the template to apply on the secret name.
`.value ` will specify the secret name in the template.
type: string
required:
- template
type: object
type: object
type: array
sourceRef:
description: |-
SourceRef points to a store or generator
which contains secret values ready to use.
Use this in combination with Extract or Find pull values out of
a specific SecretStore.
When sourceRef points to a generator Extract or Find is not supported.
The generator returns a static map of values
maxProperties: 1
properties:
generatorRef:
description: GeneratorRef points to a generator custom resource.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
type: string
required:
- kind
- name
type: object
storeRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
type: object
type: object
type: array
refreshInterval:
default: 1h
description: |-
RefreshInterval is the amount of time before the values are read again from the SecretStore provider
Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
May be set to zero to fetch and create it once. Defaults to 1h.
type: string
secretStoreRef:
description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
properties:
kind:
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
name:
description: Name of the SecretStore resource
type: string
required:
- name
type: object
target:
default:
creationPolicy: Owner
deletionPolicy: Retain
description: |-
ExternalSecretTarget defines the Kubernetes Secret to be created
There can be only one target per ExternalSecret.
properties:
creationPolicy:
default: Owner
description: |-
CreationPolicy defines rules on how to create the resulting Secret
Defaults to 'Owner'
enum:
- Owner
- Orphan
- Merge
- None
type: string
deletionPolicy:
default: Retain
description: |-
DeletionPolicy defines rules on how to delete the resulting Secret
Defaults to 'Retain'
enum:
- Delete
- Merge
- Retain
type: string
immutable:
description: Immutable defines if the final secret will be immutable
type: boolean
name:
description: |-
Name defines the name of the Secret resource to be managed
This field is immutable
Defaults to the .metadata.name of the ExternalSecret resource
type: string
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v2
description: |-
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
- v1
- v2
type: string
mergePolicy:
default: Replace
enum:
- Replace
- Merge
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
literal:
type: string
secret:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
target:
default: Data
enum:
- Data
- Annotations
- Labels
type: string
type: object
type: array
type:
type: string
type: object
type: object
type: object
status:
properties:
binding:
description: Binding represents a servicebinding.io Provisioned Service reference to the secret
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: |-
refreshTime is the time and date the external secret was fetched and
the target secret updated
format: date-time
nullable: true
type: string
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

87
charts/external-secrets/external-secrets/0.10.5/templates/crds/fake.yaml Normal file
View File

@ -0,0 +1,87 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: fakes.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: Fake
listKind: FakeList
plural: fakes
shortNames:
- fake
singular: fake
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
Fake generator is used for testing. It lets you define
a static set of credentials that is always returned.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: FakeSpec contains the static data.
properties:
controller:
description: |-
Used to select the correct ESO controller (think: ingress.ingressClassName)
The ESO controller is instantiated with a specific controller name and filters VDS based on this property
type: string
data:
additionalProperties:
type: string
description: |-
Data defines the static data returned
by this generator.
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

139
charts/external-secrets/external-secrets/0.10.5/templates/crds/gcraccesstoken.yaml Normal file
View File

@ -0,0 +1,139 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: gcraccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: GCRAccessToken
listKind: GCRAccessTokenList
plural: gcraccesstokens
shortNames:
- gcraccesstoken
singular: gcraccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
GCRAccessToken generates an GCP access token
that can be used to authenticate with GCR.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
auth:
description: Auth defines the means for authenticating with GCP
properties:
secretRef:
properties:
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
workloadIdentity:
properties:
clusterLocation:
type: string
clusterName:
type: string
clusterProjectID:
type: string
serviceAccountRef:
description: A reference to a ServiceAccount resource.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
required:
- clusterLocation
- clusterName
- serviceAccountRef
type: object
type: object
projectID:
description: ProjectID defines which project to use to authenticate with
type: string
required:
- auth
- projectID
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

113
charts/external-secrets/external-secrets/0.10.5/templates/crds/githubaccesstoken.yaml Normal file
View File

@ -0,0 +1,113 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: githubaccesstokens.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: GithubAccessToken
listKind: GithubAccessTokenList
plural: githubaccesstokens
shortNames:
- githubaccesstoken
singular: githubaccesstoken
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: GithubAccessToken generates ghs_ accessToken
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
appID:
type: string
auth:
description: Auth configures how ESO authenticates with a Github instance.
properties:
privateKey:
properties:
secretRef:
description: |-
A reference to a specific 'key' within a Secret resource,
In some instances, `key` is a required field.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
required:
- secretRef
type: object
required:
- privateKey
type: object
installID:
type: string
url:
description: URL configures the Github instance URL. Defaults to https://github.com/.
type: string
required:
- appID
- auth
- installID
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

109
charts/external-secrets/external-secrets/0.10.5/templates/crds/password.yaml Normal file
View File

@ -0,0 +1,109 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: passwords.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: Password
listKind: PasswordList
plural: passwords
shortNames:
- password
singular: password
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
Password generates a random password based on the
configuration parameters in spec.
You can specify the length, characterset and other attributes.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PasswordSpec controls the behavior of the password generator.
properties:
allowRepeat:
default: false
description: set AllowRepeat to true to allow repeating characters.
type: boolean
digits:
description: |-
Digits specifies the number of digits in the generated
password. If omitted it defaults to 25% of the length of the password
type: integer
length:
default: 24
description: |-
Length of the password to be generated.
Defaults to 24
type: integer
noUpper:
default: false
description: Set NoUpper to disable uppercase characters
type: boolean
symbolCharacters:
description: |-
SymbolCharacters specifies the special characters that should be used
in the generated password.
type: string
symbols:
description: |-
Symbols specifies the number of symbol characters in the generated
password. If omitted it defaults to 25% of the length of the password
type: integer
required:
- allowRepeat
- length
- noUpper
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

405
charts/external-secrets/external-secrets/0.10.5/templates/crds/pushsecret.yaml Normal file
View File

@ -0,0 +1,405 @@
{{- if and (.Values.installCRDs) (.Values.crds.createPushSecret) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: pushsecrets.external-secrets.io
spec:
group: external-secrets.io
names:
categories:
- external-secrets
kind: PushSecret
listKind: PushSecretList
plural: pushsecrets
singular: pushsecret
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].reason
name: Status
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: PushSecretSpec configures the behavior of the PushSecret.
properties:
data:
description: Secret Data that should be pushed to providers
items:
properties:
conversionStrategy:
default: None
description: Used to define a conversion Strategy for the secret keys
enum:
- None
- ReverseUnicode
type: string
match:
description: Match a given Secret Key to be pushed to the provider.
properties:
remoteRef:
description: Remote Refs to push to providers.
properties:
property:
description: Name of the property in the resulting secret
type: string
remoteKey:
description: Name of the resulting provider secret.
type: string
required:
- remoteKey
type: object
secretKey:
description: Secret Key to be pushed
type: string
required:
- remoteRef
type: object
metadata:
description: |-
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
x-kubernetes-preserve-unknown-fields: true
required:
- match
type: object
type: array
deletionPolicy:
default: None
description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
enum:
- Delete
- None
type: string
refreshInterval:
description: The Interval to which External Secrets will try to push a secret definition
type: string
secretStoreRefs:
items:
properties:
kind:
default: SecretStore
description: |-
Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
Defaults to `SecretStore`
type: string
labelSelector:
description: Optionally, sync to secret stores with label selector
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
name:
description: Optionally, sync to the SecretStore of the given name
type: string
type: object
type: array
selector:
description: The Secret Selector (k8s source) for the Push Secret
maxProperties: 1
minProperties: 1
properties:
generatorRef:
description: Point to a generator to create a Secret.
properties:
apiVersion:
default: generators.external-secrets.io/v1alpha1
description: Specify the apiVersion of the generator resource
type: string
kind:
description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
type: string
name:
description: Specify the name of the generator resource
type: string
required:
- kind
- name
type: object
secret:
description: Select a Secret to Push.
properties:
name:
description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
type: string
required:
- name
type: object
type: object
template:
description: Template defines a blueprint for the created Secret resource.
properties:
data:
additionalProperties:
type: string
type: object
engineVersion:
default: v2
description: |-
EngineVersion specifies the template engine version
that should be used to compile/execute the
template specified in .data and .templateFrom[].
enum:
- v1
- v2
type: string
mergePolicy:
default: Replace
enum:
- Replace
- Merge
type: string
metadata:
description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
templateFrom:
items:
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
literal:
type: string
secret:
properties:
items:
items:
properties:
key:
type: string
templateAs:
default: Values
enum:
- Values
- KeysAndValues
type: string
required:
- key
type: object
type: array
name:
type: string
required:
- items
- name
type: object
target:
default: Data
enum:
- Data
- Annotations
- Labels
type: string
type: object
type: array
type:
type: string
type: object
updatePolicy:
default: Replace
description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
enum:
- Replace
- IfNotExists
type: string
required:
- secretStoreRefs
- selector
type: object
status:
description: PushSecretStatus indicates the history of the status of PushSecret.
properties:
conditions:
items:
description: PushSecretStatusCondition indicates the status of the PushSecret.
properties:
lastTransitionTime:
format: date-time
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
description: PushSecretConditionType indicates the condition of the PushSecret.
type: string
required:
- status
- type
type: object
type: array
refreshTime:
description: |-
refreshTime is the time and date the external secret was fetched and
the target secret updated
format: date-time
nullable: true
type: string
syncedPushSecrets:
additionalProperties:
additionalProperties:
properties:
conversionStrategy:
default: None
description: Used to define a conversion Strategy for the secret keys
enum:
- None
- ReverseUnicode
type: string
match:
description: Match a given Secret Key to be pushed to the provider.
properties:
remoteRef:
description: Remote Refs to push to providers.
properties:
property:
description: Name of the property in the resulting secret
type: string
remoteKey:
description: Name of the resulting provider secret.
type: string
required:
- remoteKey
type: object
secretKey:
description: Secret Key to be pushed
type: string
required:
- remoteRef
type: object
metadata:
description: |-
Metadata is metadata attached to the secret.
The structure of metadata is provider specific, please look it up in the provider documentation.
x-kubernetes-preserve-unknown-fields: true
required:
- match
type: object
type: object
description: |-
Synced PushSecrets, including secrets that already exist in provider.
Matches secret stores to PushSecretData that was stored to that secret store.
type: object
syncedResourceVersion:
description: SyncedResourceVersion keeps track of the last synced version.
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

4643
charts/external-secrets/external-secrets/0.10.5/templates/crds/secretstore.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

72
charts/external-secrets/external-secrets/0.10.5/templates/crds/uuid.yaml Normal file
View File

@ -0,0 +1,72 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: uuids.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: UUID
listKind: UUIDList
plural: uuids
shortNames:
- uuids
singular: uuid
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: UUIDSpec controls the behavior of the uuid generator.
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

708
charts/external-secrets/external-secrets/0.10.5/templates/crds/vaultdynamicsecret.yaml Normal file
View File

@ -0,0 +1,708 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: vaultdynamicsecrets.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: VaultDynamicSecret
listKind: VaultDynamicSecretList
plural: vaultdynamicsecrets
shortNames:
- vaultdynamicsecret
singular: vaultdynamicsecret
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
properties:
controller:
description: |-
Used to select the correct ESO controller (think: ingress.ingressClassName)
The ESO controller is instantiated with a specific controller name and filters VDS based on this property
type: string
method:
description: Vault API method to use (GET/POST/other)
type: string
parameters:
description: Parameters to pass to Vault write (for non-GET methods)
x-kubernetes-preserve-unknown-fields: true
path:
description: Vault path to obtain the dynamic secret from
type: string
provider:
description: Vault provider common spec
properties:
auth:
description: Auth configures how secret-manager authenticates with the Vault server.
properties:
appRole:
description: |-
AppRole authenticates with Vault using the App Role auth mechanism,
with the role and secret stored in a Kubernetes Secret resource.
properties:
path:
default: approle
description: |-
Path where the App Role authentication backend is mounted
in Vault, e.g: "approle"
type: string
roleId:
description: |-
RoleID configured in the App Role authentication backend when setting
up the authentication backend in Vault.
type: string
roleRef:
description: |-
Reference to a key in a Secret that contains the App Role ID used
to authenticate with Vault.
The `key` field must be specified and denotes which entry within the Secret
resource is used as the app role id.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
secretRef:
description: |-
Reference to a key in a Secret that contains the App Role secret used
to authenticate with Vault.
The `key` field must be specified and denotes which entry within the Secret
resource is used as the app role secret.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
required:
- path
- secretRef
type: object
cert:
description: |-
Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
Cert authentication method
properties:
clientCert:
description: |-
ClientCert is a certificate to authenticate using the Cert Vault
authentication method
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
secretRef:
description: |-
SecretRef to a key in a Secret resource containing client private key to
authenticate with Vault using the Cert authentication method
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
iam:
description: |-
Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
AWS IAM authentication method
properties:
externalID:
description: AWS External ID set on assumed IAM roles
type: string
jwt:
description: Specify a service account with IRSA enabled
properties:
serviceAccountRef:
description: A reference to a ServiceAccount resource.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
type: object
path:
description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
type: string
region:
description: AWS region
type: string
role:
description: This is the AWS role to be assumed before talking to vault
type: string
secretRef:
description: Specify credentials in a Secret object
properties:
accessKeyIDSecretRef:
description: The AccessKeyID is used for authentication
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
secretAccessKeySecretRef:
description: The SecretAccessKey is used for authentication
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
sessionTokenSecretRef:
description: |-
The SessionToken used for authentication
This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
vaultAwsIamServerID:
description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
type: string
vaultRole:
description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
type: string
required:
- vaultRole
type: object
jwt:
description: |-
Jwt authenticates with Vault by passing role and JWT token using the
JWT/OIDC authentication method
properties:
kubernetesServiceAccountToken:
description: |-
Optional ServiceAccountToken specifies the Kubernetes service account for which to request
a token for with the `TokenRequest` API.
properties:
audiences:
description: |-
Optional audiences field that will be used to request a temporary Kubernetes service
account token for the service account referenced by `serviceAccountRef`.
Defaults to a single audience `vault` it not specified.
Deprecated: use serviceAccountRef.Audiences instead
items:
type: string
type: array
expirationSeconds:
description: |-
Optional expiration time in seconds that will be used to request a temporary
Kubernetes service account token for the service account referenced by
`serviceAccountRef`.
Deprecated: this will be removed in the future.
Defaults to 10 minutes.
format: int64
type: integer
serviceAccountRef:
description: Service account field containing the name of a kubernetes ServiceAccount.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
required:
- serviceAccountRef
type: object
path:
default: jwt
description: |-
Path where the JWT authentication backend is mounted
in Vault, e.g: "jwt"
type: string
role:
description: |-
Role is a JWT role to authenticate using the JWT/OIDC Vault
authentication method
type: string
secretRef:
description: |-
Optional SecretRef that refers to a key in a Secret resource containing JWT token to
authenticate with Vault using the JWT/OIDC authentication method.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
required:
- path
type: object
kubernetes:
description: |-
Kubernetes authenticates with Vault by passing the ServiceAccount
token stored in the named Secret resource to the Vault server.
properties:
mountPath:
default: kubernetes
description: |-
Path where the Kubernetes authentication backend is mounted in Vault, e.g:
"kubernetes"
type: string
role:
description: |-
A required field containing the Vault Role to assume. A Role binds a
Kubernetes ServiceAccount with a set of Vault policies.
type: string
secretRef:
description: |-
Optional secret field containing a Kubernetes ServiceAccount JWT used
for authenticating with Vault. If a name is specified without a key,
`token` is the default. If one is not specified, the one bound to
the controller will be used.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
serviceAccountRef:
description: |-
Optional service account field containing the name of a kubernetes ServiceAccount.
If the service account is specified, the service account secret token JWT will be used
for authenticating with Vault. If the service account selector is not supplied,
the secretRef will be used instead.
properties:
audiences:
description: |-
Audience specifies the `aud` claim for the service account token
If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
then this audiences will be appended to the list
items:
type: string
type: array
name:
description: The name of the ServiceAccount resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
required:
- name
type: object
required:
- mountPath
- role
type: object
ldap:
description: |-
Ldap authenticates with Vault by passing username/password pair using
the LDAP authentication method
properties:
path:
default: ldap
description: |-
Path where the LDAP authentication backend is mounted
in Vault, e.g: "ldap"
type: string
secretRef:
description: |-
SecretRef to a key in a Secret resource containing password for the LDAP
user used to authenticate with Vault using the LDAP authentication
method
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
username:
description: |-
Username is a LDAP user name used to authenticate using the LDAP Vault
authentication method
type: string
required:
- path
- username
type: object
namespace:
description: |-
Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
Namespaces is a set of features within Vault Enterprise that allows
Vault environments to support Secure Multi-tenancy. e.g: "ns1".
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
This will default to Vault.Namespace field if set, or empty otherwise
type: string
tokenSecretRef:
description: TokenSecretRef authenticates with Vault by presenting a token.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
userPass:
description: UserPass authenticates with Vault by passing username/password pair
properties:
path:
default: user
description: |-
Path where the UserPassword authentication backend is mounted
in Vault, e.g: "user"
type: string
secretRef:
description: |-
SecretRef to a key in a Secret resource containing password for the
user used to authenticate with Vault using the UserPass authentication
method
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
username:
description: |-
Username is a user name used to authenticate using the UserPass Vault
authentication method
type: string
required:
- path
- username
type: object
type: object
caBundle:
description: |-
PEM encoded CA bundle used to validate Vault server certificate. Only used
if the Server URL is using HTTPS protocol. This parameter is ignored for
plain HTTP protocol connection. If not set the system root certificates
are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate Vault server certificate.
properties:
key:
description: The key where the CA certificate can be found in the Secret or ConfigMap.
type: string
name:
description: The name of the object located at the provider type.
type: string
namespace:
description: |-
The namespace the Provider type is in.
Can only be defined when used in a ClusterSecretStore.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
enum:
- Secret
- ConfigMap
type: string
required:
- name
- type
type: object
forwardInconsistent:
description: |-
ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
leader instead of simply retrying within a loop. This can increase performance if
the option is enabled serverside.
https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
type: boolean
headers:
additionalProperties:
type: string
description: Headers to be added in Vault request
type: object
namespace:
description: |-
Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
Vault environments to support Secure Multi-tenancy. e.g: "ns1".
More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
type: string
path:
description: |-
Path is the mount path of the Vault KV backend endpoint, e.g:
"secret". The v2 KV secret engine version specific "/data" path suffix
for fetching secrets from Vault is optional and will be appended
if not present in specified path.
type: string
readYourWrites:
description: |-
ReadYourWrites ensures isolated read-after-write semantics by
providing discovered cluster replication states in each request.
More information about eventual consistency in Vault can be found here
https://www.vaultproject.io/docs/enterprise/consistency
type: boolean
server:
description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
type: string
tls:
description: |-
The configuration used for client side related TLS communication, when the Vault server
requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
This parameter is ignored for plain HTTP protocol connection.
It's worth noting this configuration is different from the "TLS certificates auth method",
which is available under the `auth.cert` section.
properties:
certSecretRef:
description: |-
CertSecretRef is a certificate added to the transport layer
when communicating with the Vault server.
If no key for the Secret is specified, external-secret will default to 'tls.crt'.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
keySecretRef:
description: |-
KeySecretRef to a key in a Secret resource containing client private key
added to the transport layer when communicating with the Vault server.
If no key for the Secret is specified, external-secret will default to 'tls.key'.
properties:
key:
description: |-
The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
defaulted, in others it may be required.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
namespace:
description: |-
Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
to the namespace of the referent.
type: string
type: object
type: object
version:
default: v2
description: |-
Version is the Vault KV secret engine version. This can be either "v1" or
"v2". Version defaults to "v2".
enum:
- v1
- v2
type: string
required:
- auth
- server
type: object
resultType:
default: Data
description: |-
Result type defines which data is returned from the generator.
By default it is the "data" section of the Vault API response.
When using e.g. /auth/token/create the "data" section is empty but
the "auth" section contains the generated token.
Please refer to the vault docs regarding the result data structure.
enum:
- Data
- Auth
type: string
required:
- path
- provider
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

158
charts/external-secrets/external-secrets/0.10.5/templates/crds/webhook.yaml Normal file
View File

@ -0,0 +1,158 @@
{{- if .Values.installCRDs }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4}}
{{- end }}
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
controller-gen.kubebuilder.io/version: v0.16.3
labels:
external-secrets.io/component: controller
name: webhooks.generators.external-secrets.io
spec:
group: generators.external-secrets.io
names:
categories:
- external-secrets
- external-secrets-generators
kind: Webhook
listKind: WebhookList
plural: webhooks
shortNames:
- webhookl
singular: webhook
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
Webhook connects to a third party API server to handle the secrets generation
configuration parameters in spec.
You can specify the server, the token, and additional body parameters.
See documentation for the full API specification for requests and responses.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
properties:
body:
description: Body
type: string
caBundle:
description: |-
PEM encoded CA bundle used to validate webhook server certificate. Only used
if the Server URL is using HTTPS protocol. This parameter is ignored for
plain HTTP protocol connection. If not set the system root certificates
are used to validate the TLS connection.
format: byte
type: string
caProvider:
description: The provider for the CA bundle to use to validate webhook server certificate.
properties:
key:
description: The key the value inside of the provider type to use, only used with "Secret" type
type: string
name:
description: The name of the object located at the provider type.
type: string
namespace:
description: The namespace the Provider type is in.
type: string
type:
description: The type of provider to use such as "Secret", or "ConfigMap".
enum:
- Secret
- ConfigMap
type: string
required:
- name
- type
type: object
headers:
additionalProperties:
type: string
description: Headers
type: object
method:
description: Webhook Method
type: string
result:
description: Result formatting
properties:
jsonPath:
description: Json path of return value
type: string
type: object
secrets:
description: |-
Secrets to fill in templates
These secrets will be passed to the templating function as key value pairs under the given name
items:
properties:
name:
description: Name of this secret in templates
type: string
secretRef:
description: Secret ref to fill in credentials
properties:
key:
description: The key where the token is found.
type: string
name:
description: The name of the Secret resource being referred to.
type: string
type: object
required:
- name
- secretRef
type: object
type: array
timeout:
description: Timeout
type: string
url:
description: Webhook url to call
type: string
required:
- result
- url
type: object
type: object
served: true
storage: true
subresources:
status: {}
{{- if .Values.crds.conversion.enabled }}
conversion:
strategy: Webhook
webhook:
conversionReviewVersions:
- v1
clientConfig:
service:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ .Release.Namespace | quote }}
path: /convert
{{- end }}
{{- end }}

146
charts/external-secrets/external-secrets/0.10.5/templates/deployment.yaml Normal file
View File

@ -0,0 +1,146 @@
{{- if .Values.createOperator }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- with .Values.podSecurityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
hostNetwork: {{ .Values.hostNetwork }}
containers:
- name: {{ .Chart.Name }}
{{- with .Values.securityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
{{- end }}
{{- end }}
image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }}
args:
{{- if .Values.leaderElect }}
- --enable-leader-election=true
{{- end }}
{{- if .Values.scopedNamespace }}
- --namespace={{ .Values.scopedNamespace }}
{{- end }}
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
- --enable-cluster-store-reconciler=false
- --enable-cluster-external-secret-reconciler=false
{{- else }}
{{- if not .Values.processClusterStore }}
- --enable-cluster-store-reconciler=false
{{- end }}
{{- if not .Values.processClusterExternalSecret }}
- --enable-cluster-external-secret-reconciler=false
{{- end }}
{{- end }}
{{- if not .Values.processPushSecret }}
- --enable-push-secret-reconciler=false
{{- end }}
{{- if .Values.controllerClass }}
- --controller-class={{ .Values.controllerClass }}
{{- end }}
{{- if .Values.extendedMetricLabels }}
- --enable-extended-metric-labels={{ .Values.extendedMetricLabels }}
{{- end }}
{{- if .Values.concurrent }}
- --concurrent={{ .Values.concurrent }}
{{- end }}
{{- range $key, $value := .Values.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
{{- end }}
- --metrics-addr=:{{ .Values.metrics.listen.port }}
- --loglevel={{ .Values.log.level }}
- --zap-time-encoding={{ .Values.log.timeEncoding }}
ports:
- containerPort: {{ .Values.metrics.listen.port }}
protocol: TCP
name: metrics
{{- with .Values.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- if .Values.extraVolumeMounts }}
volumeMounts:
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
{{- if .Values.extraContainers }}
{{ toYaml .Values.extraContainers | nindent 8}}
{{- end }}
dnsPolicy: {{ .Values.dnsPolicy }}
{{- if .Values.dnsConfig }}
dnsConfig:
{{- toYaml .Values.dnsConfig | nindent 8 }}
{{- end }}
{{- if .Values.extraVolumes }}
volumes:
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity | default .Values.global.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
{{- if .Values.podSpecExtra }}
{{- toYaml .Values.podSpecExtra | nindent 6 }}
{{- end }}
{{- end }}

4
charts/external-secrets/external-secrets/0.10.5/templates/extra-manifests.yaml Normal file
View File

@ -0,0 +1,4 @@
{{- range .Values.extraObjects }}
---
{{ include "external-secrets.render" (dict "value" . "context" $) }}
{{- end }}

19
charts/external-secrets/external-secrets/0.10.5/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-pdb
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
spec:
{{- if .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
{{- end }}

301
charts/external-secrets/external-secrets/0.10.5/templates/rbac.yaml Normal file
View File

@ -0,0 +1,301 @@
{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "secretstores"
- "clustersecretstores"
- "externalsecrets"
- "clusterexternalsecrets"
- "pushsecrets"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "externalsecrets/status"
- "externalsecrets/finalizers"
- "secretstores"
- "secretstores/status"
- "secretstores/finalizers"
- "clustersecretstores"
- "clustersecretstores/status"
- "clustersecretstores/finalizers"
- "clusterexternalsecrets"
- "clusterexternalsecrets/status"
- "clusterexternalsecrets/finalizers"
- "pushsecrets"
- "pushsecrets/status"
- "pushsecrets/finalizers"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "serviceaccounts"
- "namespaces"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- ""
resources:
- "secrets"
verbs:
- "get"
- "list"
- "watch"
- "create"
- "update"
- "delete"
- "patch"
- apiGroups:
- ""
resources:
- "serviceaccounts/token"
verbs:
- "create"
- apiGroups:
- ""
resources:
- "events"
verbs:
- "create"
- "patch"
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
verbs:
- "create"
- "update"
- "delete"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-view
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
verbs:
- "get"
- "watch"
- "list"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
verbs:
- "get"
- "watch"
- "list"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-edit
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
- "secretstores"
- "clustersecretstores"
- "pushsecrets"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
- apiGroups:
- "generators.external-secrets.io"
resources:
- "acraccesstokens"
- "ecrauthorizationtokens"
- "fakes"
- "gcraccesstokens"
- "githubaccesstokens"
- "passwords"
- "vaultdynamicsecrets"
- "webhooks"
verbs:
- "create"
- "delete"
- "deletecollection"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "external-secrets.fullname" . }}-controller
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
namespace: {{ .Values.scopedNamespace | quote }}
{{- end }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: {{ include "external-secrets.fullname" . }}-controller
subjects:
- name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- "configmaps"
resourceNames:
- "external-secrets-controller"
verbs:
- "get"
- "update"
- "patch"
- apiGroups:
- ""
resources:
- "configmaps"
verbs:
- "create"
- apiGroups:
- "coordination.k8s.io"
resources:
- "leases"
verbs:
- "get"
- "create"
- "update"
- "patch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "external-secrets.fullname" . }}-leaderelection
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "external-secrets.fullname" . }}-leaderelection
subjects:
- kind: ServiceAccount
name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
{{- if .Values.rbac.servicebindings.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "external-secrets.fullname" . }}-servicebindings
labels:
servicebinding.io/controller: "true"
{{- include "external-secrets.labels" . | nindent 4 }}
rules:
- apiGroups:
- "external-secrets.io"
resources:
- "externalsecrets"
verbs:
- "get"
- "list"
- "watch"
{{- end }}
{{- end }}

28
charts/external-secrets/external-secrets/0.10.5/templates/service.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.metrics.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: {{ .Values.metrics.service.port }}
protocol: TCP
targetPort: metrics
name: metrics
selector:
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.10.5/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

164
charts/external-secrets/external-secrets/0.10.5/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,164 @@
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: {{ .Values.metrics.service.port }}
protocol: TCP
name: metrics
selector:
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-metrics
namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "external-secrets.namespace" . }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
---
{{- if .Values.webhook.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook-metrics
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook-metrics.labels" . | nindent 4 }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: {{ .Values.webhook.metrics.service.port }}
protocol: TCP
name: metrics
selector:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-webhook-metrics
namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-webhook-metrics.labels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "external-secrets.namespace" . }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
---
{{- if .Values.certController.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-cert-controller-metrics.labels" . | nindent 4 }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: {{ .Values.certController.metrics.listen.port }}
protocol: TCP
name: metrics
selector:
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
---
apiVersion: "monitoring.coreos.com/v1"
kind: ServiceMonitor
metadata:
labels:
{{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
{{- if .Values.serviceMonitor.additionalLabels }}
{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
spec:
selector:
matchLabels:
{{- include "external-secrets-cert-controller-metrics.labels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ template "external-secrets.namespace" . }}
endpoints:
- port: metrics
interval: {{ .Values.serviceMonitor.interval }}
scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end }}
{{- end }}

78
charts/external-secrets/external-secrets/0.10.5/templates/validatingwebhook.yaml Normal file
View File

@ -0,0 +1,78 @@
{{- if .Values.webhook.create }}
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: secretstore-validate
labels:
external-secrets.io/component: webhook
{{- with .Values.commonLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
annotations:
cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
webhooks:
- name: "validate.secretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["secretstores"]
scope: "Namespaced"
clientConfig:
service:
namespace: {{ template "external-secrets.namespace" . }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-secretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
- name: "validate.clustersecretstore.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["clustersecretstores"]
scope: "Cluster"
clientConfig:
service:
namespace: {{ template "external-secrets.namespace" . }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-clustersecretstore
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: externalsecret-validate
labels:
external-secrets.io/component: webhook
{{- with .Values.commonLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
annotations:
cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
{{- end }}
webhooks:
- name: "validate.externalsecret.external-secrets.io"
rules:
- apiGroups: ["external-secrets.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["externalsecrets"]
scope: "Namespaced"
clientConfig:
service:
namespace: {{ template "external-secrets.namespace" . }}
name: {{ include "external-secrets.fullname" . }}-webhook
path: /validate-external-secrets-io-v1beta1-externalsecret
admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None
timeoutSeconds: 5
failurePolicy: {{ .Values.webhook.failurePolicy}}
{{- end }}

30
charts/external-secrets/external-secrets/0.10.5/templates/webhook-certificate.yaml Normal file
View File

@ -0,0 +1,30 @@
{{- if and .Values.webhook.create .Values.webhook.certManager.enabled .Values.webhook.certManager.cert.create }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
{{- with .Values.webhook.certManager.cert.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
commonName: {{ include "external-secrets.fullname" . }}-webhook
dnsNames:
- {{ include "external-secrets.fullname" . }}-webhook
- {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}
- {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
issuerRef:
{{- toYaml .Values.webhook.certManager.cert.issuerRef | nindent 4 }}
{{- with .Values.webhook.certManager.cert.duration }}
duration: {{ . | quote }}
{{- end }}
{{- with .Values.webhook.certManager.cert.renewBefore }}
renewBefore: {{ . | quote }}
{{- end }}
secretName: {{ include "external-secrets.fullname" . }}-webhook
{{- end }}

128
charts/external-secrets/external-secrets/0.10.5/templates/webhook-deployment.yaml Normal file
View File

@ -0,0 +1,128 @@
{{- if .Values.webhook.create }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.webhook.replicaCount }}
revisionHistoryLimit: {{ .Values.webhook.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.webhook.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 8 }}
{{- with .Values.webhook.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.webhook.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.webhook.hostNetwork}}
serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
{{- with .Values.webhook.podSecurityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
{{- end }}
{{- end }}
containers:
- name: webhook
{{- with .Values.webhook.securityContext }}
{{- if and (.enabled) (gt (keys . | len) 1) }}
securityContext:
{{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
{{- end }}
{{- end }}
image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }}
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
args:
- webhook
- --port={{ .Values.webhook.port }}
- --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
- --cert-dir={{ .Values.webhook.certDir }}
- --check-interval={{ .Values.webhook.certCheckInterval }}
- --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
- --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
- --loglevel={{ .Values.webhook.log.level }}
- --zap-time-encoding={{ .Values.webhook.log.timeEncoding }}
{{- if .Values.webhook.lookaheadInterval }}
- --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
{{- end }}
{{- range $key, $value := .Values.webhook.extraArgs }}
{{- if $value }}
- --{{ $key }}={{ $value }}
{{- else }}
- --{{ $key }}
{{- end }}
{{- end }}
ports:
- containerPort: {{ .Values.webhook.metrics.listen.port }}
protocol: TCP
name: metrics
- containerPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
readinessProbe:
httpGet:
port: {{ .Values.webhook.readinessProbe.port }}
path: /readyz
initialDelaySeconds: 20
periodSeconds: 5
{{- with .Values.webhook.extraEnv }}
env:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.webhook.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: certs
mountPath: {{ .Values.webhook.certDir }}
readOnly: true
{{- if .Values.webhook.extraVolumeMounts }}
{{- toYaml .Values.webhook.extraVolumeMounts | nindent 12 }}
{{- end }}
volumes:
- name: certs
secret:
secretName: {{ include "external-secrets.fullname" . }}-webhook
{{- if .Values.webhook.extraVolumes }}
{{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
{{- end }}
{{- with .Values.webhook.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.affinity | default .Values.global.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.webhook.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.webhook.priorityClassName }}
priorityClassName: {{ .Values.webhook.priorityClassName }}
{{- end }}
{{- end }}

20
charts/external-secrets/external-secrets/0.10.5/templates/webhook-poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if and .Values.webhook.create .Values.webhook.podDisruptionBudget.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook-pdb
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
spec:
{{- if .Values.webhook.podDisruptionBudget.minAvailable }}
minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
{{- end }}
{{- if .Values.webhook.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
{{- end }}
selector:
matchLabels:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
{{- end }}

14
charts/external-secrets/external-secrets/0.10.5/templates/webhook-secret.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if and .Values.webhook.create (not .Values.webhook.certManager.enabled) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
{{- with .Values.webhook.secretAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

37
charts/external-secrets/external-secrets/0.10.5/templates/webhook-service.yaml Normal file
View File

@ -0,0 +1,37 @@
{{- if .Values.webhook.create }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "external-secrets.fullname" . }}-webhook
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
external-secrets.io/component: webhook
{{- if .Values.webhook.metrics.service.enabled }}
{{- with .Values.webhook.metrics.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
spec:
type: ClusterIP
{{- if .Values.service.ipFamilyPolicy }}
ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
{{- end }}
{{- if .Values.service.ipFamilies }}
ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
{{- end }}
ports:
- port: 443
targetPort: {{ .Values.webhook.port }}
protocol: TCP
name: webhook
{{- if .Values.webhook.metrics.service.enabled }}
- port: {{ .Values.webhook.metrics.service.port }}
protocol: TCP
targetPort: metrics
name: metrics
{{- end }}
selector:
{{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
{{- end }}

16
charts/external-secrets/external-secrets/0.10.5/templates/webhook-serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.webhook.create .Values.webhook.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "external-secrets-webhook.serviceAccountName" . }}
namespace: {{ template "external-secrets.namespace" . }}
labels:
{{- include "external-secrets-webhook.labels" . | nindent 4 }}
{{- with .Values.webhook.serviceAccount.extraLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

905
charts/external-secrets/external-secrets/0.10.5/values.schema.json Normal file
View File

@ -0,0 +1,905 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"properties": {
"affinity": {
"properties": {},
"type": "object"
},
"bitwarden-sdk-server": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"certController": {
"properties": {
"affinity": {
"properties": {},
"type": "object"
},
"create": {
"type": "boolean"
},
"deploymentAnnotations": {
"properties": {},
"type": "object"
},
"extraArgs": {
"properties": {},
"type": "object"
},
"extraEnv": {
"type": "array"
},
"extraVolumeMounts": {
"type": "array"
},
"extraVolumes": {
"type": "array"
},
"fullnameOverride": {
"type": "string"
},
"hostNetwork": {
"type": "boolean"
},
"image": {
"properties": {
"flavour": {
"type": "string"
},
"pullPolicy": {
"type": "string"
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"type": "object"
},
"imagePullSecrets": {
"type": "array"
},
"log": {
"properties": {
"level": {
"type": "string"
},
"timeEncoding": {
"type": "string"
}
},
"type": "object"
},
"metrics": {
"properties": {
"listen": {
"properties": {
"port": {
"type": "integer"
}
},
"type": "object"
},
"service": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"port": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"nameOverride": {
"type": "string"
},
"nodeSelector": {
"properties": {},
"type": "object"
},
"podAnnotations": {
"properties": {},
"type": "object"
},
"podDisruptionBudget": {
"properties": {
"enabled": {
"type": "boolean"
},
"minAvailable": {
"type": "integer"
}
},
"type": "object"
},
"podLabels": {
"properties": {},
"type": "object"
},
"podSecurityContext": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"priorityClassName": {
"type": "string"
},
"rbac": {
"properties": {
"create": {
"type": "boolean"
}
},
"type": "object"
},
"readinessProbe": {
"properties": {
"address": {
"type": "string"
},
"port": {
"type": "integer"
}
},
"type": "object"
},
"replicaCount": {
"type": "integer"
},
"requeueInterval": {
"type": "string"
},
"resources": {
"properties": {},
"type": "object"
},
"revisionHistoryLimit": {
"type": "integer"
},
"securityContext": {
"properties": {
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"properties": {
"drop": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"readOnlyRootFilesystem": {
"type": "boolean"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer"
},
"seccompProfile": {
"properties": {
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"serviceAccount": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"automount": {
"type": "boolean"
},
"create": {
"type": "boolean"
},
"extraLabels": {
"properties": {},
"type": "object"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"tolerations": {
"type": "array"
},
"topologySpreadConstraints": {
"type": "array"
}
},
"type": "object"
},
"commonLabels": {
"properties": {},
"type": "object"
},
"concurrent": {
"type": "integer"
},
"controllerClass": {
"type": "string"
},
"crds": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"conversion": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"createClusterExternalSecret": {
"type": "boolean"
},
"createClusterSecretStore": {
"type": "boolean"
},
"createPushSecret": {
"type": "boolean"
}
},
"type": "object"
},
"createOperator": {
"type": "boolean"
},
"deploymentAnnotations": {
"properties": {},
"type": "object"
},
"dnsConfig": {
"properties": {},
"type": "object"
},
"dnsPolicy": {
"type": "string"
},
"extendedMetricLabels": {
"type": "boolean"
},
"extraArgs": {
"properties": {},
"type": "object"
},
"extraContainers": {
"type": "array"
},
"extraEnv": {
"type": "array"
},
"extraObjects": {
"type": "array"
},
"extraVolumeMounts": {
"type": "array"
},
"extraVolumes": {
"type": "array"
},
"fullnameOverride": {
"type": "string"
},
"global": {
"properties": {
"affinity": {
"properties": {},
"type": "object"
},
"compatibility": {
"properties": {
"openshift": {
"properties": {
"adaptSecurityContext": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"nodeSelector": {
"properties": {},
"type": "object"
},
"tolerations": {
"type": "array"
},
"topologySpreadConstraints": {
"type": "array"
}
},
"type": "object"
},
"hostNetwork": {
"type": "boolean"
},
"image": {
"properties": {
"flavour": {
"type": "string"
},
"pullPolicy": {
"type": "string"
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"type": "object"
},
"imagePullSecrets": {
"type": "array"
},
"installCRDs": {
"type": "boolean"
},
"leaderElect": {
"type": "boolean"
},
"log": {
"properties": {
"level": {
"type": "string"
},
"timeEncoding": {
"type": "string"
}
},
"type": "object"
},
"metrics": {
"properties": {
"listen": {
"properties": {
"port": {
"type": "integer"
}
},
"type": "object"
},
"service": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"port": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"nameOverride": {
"type": "string"
},
"namespaceOverride": {
"type": "string"
},
"nodeSelector": {
"properties": {},
"type": "object"
},
"podAnnotations": {
"properties": {},
"type": "object"
},
"podDisruptionBudget": {
"properties": {
"enabled": {
"type": "boolean"
},
"minAvailable": {
"type": "integer"
}
},
"type": "object"
},
"podLabels": {
"properties": {},
"type": "object"
},
"podSecurityContext": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"podSpecExtra": {
"properties": {},
"type": "object"
},
"priorityClassName": {
"type": "string"
},
"processClusterExternalSecret": {
"type": "boolean"
},
"processClusterStore": {
"type": "boolean"
},
"processPushSecret": {
"type": "boolean"
},
"rbac": {
"properties": {
"create": {
"type": "boolean"
},
"servicebindings": {
"properties": {
"create": {
"type": "boolean"
}
},
"type": "object"
}
},
"type": "object"
},
"replicaCount": {
"type": "integer"
},
"resources": {
"properties": {},
"type": "object"
},
"revisionHistoryLimit": {
"type": "integer"
},
"scopedNamespace": {
"type": "string"
},
"scopedRBAC": {
"type": "boolean"
},
"securityContext": {
"properties": {
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"properties": {
"drop": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"readOnlyRootFilesystem": {
"type": "boolean"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer"
},
"seccompProfile": {
"properties": {
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"service": {
"properties": {
"ipFamilies": {
"type": "array"
},
"ipFamilyPolicy": {
"type": "string"
}
},
"type": "object"
},
"serviceAccount": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"automount": {
"type": "boolean"
},
"create": {
"type": "boolean"
},
"extraLabels": {
"properties": {},
"type": "object"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"serviceMonitor": {
"properties": {
"additionalLabels": {
"properties": {},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"honorLabels": {
"type": "boolean"
},
"interval": {
"type": "string"
},
"metricRelabelings": {
"type": "array"
},
"namespace": {
"type": "string"
},
"relabelings": {
"type": "array"
},
"scrapeTimeout": {
"type": "string"
}
},
"type": "object"
},
"tolerations": {
"type": "array"
},
"topologySpreadConstraints": {
"type": "array"
},
"webhook": {
"properties": {
"affinity": {
"properties": {},
"type": "object"
},
"certCheckInterval": {
"type": "string"
},
"certDir": {
"type": "string"
},
"certManager": {
"properties": {
"addInjectorAnnotations": {
"type": "boolean"
},
"cert": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"create": {
"type": "boolean"
},
"duration": {
"type": "string"
},
"issuerRef": {
"properties": {
"group": {
"type": "string"
},
"kind": {
"type": "string"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"renewBefore": {
"type": "string"
}
},
"type": "object"
},
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"create": {
"type": "boolean"
},
"deploymentAnnotations": {
"properties": {},
"type": "object"
},
"extraArgs": {
"properties": {},
"type": "object"
},
"extraEnv": {
"type": "array"
},
"extraVolumeMounts": {
"type": "array"
},
"extraVolumes": {
"type": "array"
},
"failurePolicy": {
"type": "string"
},
"fullnameOverride": {
"type": "string"
},
"hostNetwork": {
"type": "boolean"
},
"image": {
"properties": {
"flavour": {
"type": "string"
},
"pullPolicy": {
"type": "string"
},
"repository": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"type": "object"
},
"imagePullSecrets": {
"type": "array"
},
"log": {
"properties": {
"level": {
"type": "string"
},
"timeEncoding": {
"type": "string"
}
},
"type": "object"
},
"lookaheadInterval": {
"type": "string"
},
"metrics": {
"properties": {
"listen": {
"properties": {
"port": {
"type": "integer"
}
},
"type": "object"
},
"service": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"port": {
"type": "integer"
}
},
"type": "object"
}
},
"type": "object"
},
"nameOverride": {
"type": "string"
},
"nodeSelector": {
"properties": {},
"type": "object"
},
"podAnnotations": {
"properties": {},
"type": "object"
},
"podDisruptionBudget": {
"properties": {
"enabled": {
"type": "boolean"
},
"minAvailable": {
"type": "integer"
}
},
"type": "object"
},
"podLabels": {
"properties": {},
"type": "object"
},
"podSecurityContext": {
"properties": {
"enabled": {
"type": "boolean"
}
},
"type": "object"
},
"port": {
"type": "integer"
},
"priorityClassName": {
"type": "string"
},
"rbac": {
"properties": {
"create": {
"type": "boolean"
}
},
"type": "object"
},
"readinessProbe": {
"properties": {
"address": {
"type": "string"
},
"port": {
"type": "integer"
}
},
"type": "object"
},
"replicaCount": {
"type": "integer"
},
"resources": {
"properties": {},
"type": "object"
},
"revisionHistoryLimit": {
"type": "integer"
},
"secretAnnotations": {
"properties": {},
"type": "object"
},
"securityContext": {
"properties": {
"allowPrivilegeEscalation": {
"type": "boolean"
},
"capabilities": {
"properties": {
"drop": {
"items": {
"type": "string"
},
"type": "array"
}
},
"type": "object"
},
"enabled": {
"type": "boolean"
},
"readOnlyRootFilesystem": {
"type": "boolean"
},
"runAsNonRoot": {
"type": "boolean"
},
"runAsUser": {
"type": "integer"
},
"seccompProfile": {
"properties": {
"type": {
"type": "string"
}
},
"type": "object"
}
},
"type": "object"
},
"serviceAccount": {
"properties": {
"annotations": {
"properties": {},
"type": "object"
},
"automount": {
"type": "boolean"
},
"create": {
"type": "boolean"
},
"extraLabels": {
"properties": {},
"type": "object"
},
"name": {
"type": "string"
}
},
"type": "object"
},
"tolerations": {
"type": "array"
},
"topologySpreadConstraints": {
"type": "array"
}
},
"type": "object"
}
},
"type": "object"
}

532
charts/external-secrets/external-secrets/0.10.5/values.yaml Normal file
View File

@ -0,0 +1,532 @@
global:
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
compatibility:
openshift:
# -- Manages the securityContext properties to make them compatible with OpenShift.
# Possible values:
# auto - Apply configurations if it is detected that OpenShift is the target platform.
# force - Always apply configurations.
# disabled - No modification applied.
adaptSecurityContext: auto
replicaCount: 1
bitwarden-sdk-server:
enabled: false
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
tag: ""
# -- The flavour of tag you want to use
# There are different image flavours available, like distroless and ubi.
# Please see GitHub release notes for image tags for these flavors.
# By default, the distroless image is used.
flavour: ""
# -- If set, install and upgrade CRDs through helm chart.
installCRDs: true
crds:
# -- If true, create CRDs for Cluster External Secret.
createClusterExternalSecret: true
# -- If true, create CRDs for Cluster Secret Store.
createClusterSecretStore: true
# -- If true, create CRDs for Push Secret.
createPushSecret: true
annotations: {}
conversion:
enabled: true
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
namespaceOverride: ""
# -- Additional labels added to all helm chart resources.
commonLabels: {}
# -- If true, external-secrets will perform leader election between instances to ensure no more
# than one instance of external-secrets operates at a time.
leaderElect: false
# -- If set external secrets will filter matching
# Secret Stores with the appropriate controller values.
controllerClass: ""
# -- If true external secrets will use recommended kubernetes
# annotations as prometheus metric labels.
extendedMetricLabels: false
# -- If set external secrets are only reconciled in the
# provided namespace
scopedNamespace: ""
# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
# and implicitly disable cluster stores and cluster external secrets
scopedRBAC: false
# -- if true, the operator will process cluster external secret. Else, it will ignore them.
processClusterExternalSecret: true
# -- if true, the operator will process cluster store. Else, it will ignore them.
processClusterStore: true
# -- if true, the operator will process push secret. Else, it will ignore them.
processPushSecret: true
# -- Specifies whether an external secret operator deployment be created.
createOperator: true
# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
# a time.
concurrent: 1
# -- Specifices Log Params to the Webhook
log:
level: info
timeEncoding: epoch
service:
# -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
ipFamilyPolicy: ""
# -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
ipFamilies: []
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
servicebindings:
# -- Specifies whether a clusterrole to give servicebindings read access should be created.
create: true
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra Kubernetes objects to deploy with the helm chart
extraObjects: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
## -- Extra containers to add to the pod.
extraContainers: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
serviceMonitor:
# -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
enabled: false
# -- namespace where you want to install ServiceMonitors
namespace: ""
# -- Additional labels
additionalLabels: {}
# -- Interval to scrape metrics
interval: 30s
# -- Timeout if metrics can't be retrieved in given time interval
scrapeTimeout: 25s
# -- Let prometheus add an exported_ prefix to conflicting labels
honorLabels: false
# -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
metricRelabelings: []
# - action: replace
# regex: (.*)
# replacement: $1
# sourceLabels:
# - exported_namespace
# targetLabel: namespace
# -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
metrics:
listen:
port: 8080
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
# -- Run the controller on the host network
hostNetwork: false
webhook:
# -- Specifies whether a webhook deployment be created.
create: true
# -- Specifices the time to check if the cert is valid
certCheckInterval: "5m"
# -- Specifices the lookaheadInterval for certificate validity
lookaheadInterval: ""
replicaCount: 1
# -- Specifices Log Params to the Webhook
log:
level: info
timeEncoding: epoch
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
certDir: /tmp/certs
# -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
failurePolicy: Fail
# -- Specifies if webhook pod should use hostNetwork or not.
hostNetwork: false
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
# -- The image tag to use. The default is the chart appVersion.
tag: ""
# -- The flavour of tag you want to use
flavour: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# -- The port the webhook will listen to
port: 10250
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
certManager:
# -- Enabling cert-manager support will disable the built in secret and
# switch to using cert-manager (installed separately) to automatically issue
# and renew the webhook certificate. This chart does not install
# cert-manager for you, See https://cert-manager.io/docs/
enabled: false
# -- Automatically add the cert-manager.io/inject-ca-from annotation to the
# webhooks and CRDs. As long as you have the cert-manager CA Injector
# enabled, this will automatically setup your webhook's CA to the one used
# by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
addInjectorAnnotations: true
cert:
# -- Create a certificate resource within this chart. See
# https://cert-manager.io/docs/usage/certificate/
create: true
# -- For the Certificate created by this chart, setup the issuer. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
issuerRef:
group: cert-manager.io
kind: "Issuer"
name: "my-issuer"
# -- Set the requested duration (i.e. lifetime) of the Certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
# One year by default.
duration: "8760h"
# -- How long before the currently issued certificates expiry
# cert-manager should renew the certificate. See
# https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
# Note that renewBefore should be greater than .webhook.lookaheadInterval
# since the webhook will check this far in advance that the certificate is
# valid.
renewBefore: ""
# -- Add extra annotations to the Certificate resource.
annotations: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
metrics:
listen:
port: 8080
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Secret
secretAnnotations: {}
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
certController:
# -- Specifies whether a certificate controller deployment be created.
create: true
requeueInterval: "5m"
replicaCount: 1
# -- Specifices Log Params to the Webhook
log:
level: info
timeEncoding: epoch
# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
revisionHistoryLimit: 10
image:
repository: oci.external-secrets.io/external-secrets/external-secrets
pullPolicy: IfNotPresent
tag: ""
flavour: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
rbac:
# -- Specifies whether role and rolebinding resources should be created.
create: true
serviceAccount:
# -- Specifies whether a service account should be created.
create: true
# -- Automounts the service account token in all containers of the pod
automount: true
# -- Annotations to add to the service account.
annotations: {}
# -- Extra Labels to add to the service account.
extraLabels: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: ""
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# -- Run the certController on the host network
hostNetwork: false
# -- Pod priority class name.
priorityClassName: ""
# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
podDisruptionBudget:
enabled: false
minAvailable: 1
# maxUnavailable: 1
metrics:
listen:
port: 8080
service:
# -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
enabled: false
# -- Metrics service port to scrape
port: 8080
# -- Additional service annotations
annotations: {}
readinessProbe:
# -- Address for readiness probe
address: ""
# -- ReadinessProbe port for kubelet
port: 8081
## -- Extra environment variables to add to container.
extraEnv: []
## -- Map of extra arguments to pass to container.
extraArgs: {}
## -- Extra volumes to pass to pod.
extraVolumes: []
## -- Extra volumes to mount to the container.
extraVolumeMounts: []
# -- Annotations to add to Deployment
deploymentAnnotations: {}
# -- Annotations to add to Pod
podAnnotations: {}
podLabels: {}
podSecurityContext:
enabled: true
# fsGroup: 2000
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
enabled: true
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
resources: {}
# requests:
# cpu: 10m
# memory: 32Mi
# -- Specifies `dnsPolicy` to deployment
dnsPolicy: ClusterFirst
# -- Specifies `dnsOptions` to deployment
dnsConfig: {}
# -- Any extra pod spec on the deployment
podSpecExtra: {}

23
charts/instana/instana-agent/1.2.74/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# OWNERS file for helm
OWNERS

27
charts/instana/instana-agent/1.2.74/Chart.yaml Normal file
View File

@ -0,0 +1,27 @@
annotations:
artifacthub.io/links: |
- name: Instana website
url: https://www.ibm.com/products/instana
- name: Instana Helm charts
url: https://github.com/instana/helm-charts
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Instana Agent
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: instana-agent
apiVersion: v2
appVersion: 1.276.0
description: Instana Agent for Kubernetes
home: https://www.instana.com/
icon: file://assets/icons/instana-agent.png
kubeVersion: '>=1.21-0'
maintainers:
- email: felix.marx@ibm.com
name: FelixMarxIBM
- email: henning.treu@ibm.com
name: htreu
- email: torsten.kohn@ibm.com
name: tkohn
name: instana-agent
sources:
- https://github.com/instana/instana-agent-docker
version: 1.2.74

54
charts/instana/instana-agent/1.2.74/DEPLOYMENT.md Normal file
View File

@ -0,0 +1,54 @@
# Kubernetes Deployment Mode (tech preview)
Instana has always endeavored to make the experience of using Instana as seamless as possible from auto-instrumentation to one-liner installs. To date for our customers with Kubernetes clusters containing more than 1,000 entities this wasnt the case. The Kubernetes sensor as a deployment is one of many steps were taking to improve the experience of operating Instana in Kubernetes. This is a tech preview however we have a high degree of confidence it will work well in your production workloads. The fundamental change moves the Kubernetes sensor from the DaemonSet responsible for monitoring your hosts and processes into its own dedicated Deployment where it does not contend for resources with other sensors. An overview of this deployment is below:
![kubernetes.deployment.enabled=true](kubernetes.deployment.enabled.png)
This change provides a few primary benefits including:
* Lower load on the Kubernetes api-server as it eliminates per node pod monitoring.
* Lower load on the Kubernetes api-server as it reduces the endpoint watch to 2 leader elector side cars.
* Lower memory and CPU requests in the DaemonSet as it is no longer responsible for monitoring Kubernetes.
* Elimination of the leader elector sidecar in the DaemonSet as it is only required for the Kubernetes sensor.
* Better performance of the Kubernetes sensor as it is isolated from other sensors and does not contend for CPU and memory.
* Better scaling behaviour as you can adjust the memory and CPU requirements to monitor your clusters without overprovisioning utilisation cluster wide.
The primary drawback of this model in the tech preview include:
* Reduced control and observability of the Kubernetes specific Agents in the Agent dashboard.
* Some unnecessary features are still enabled in the Kubernetes sensor (e.g. trace sinks, and host monitoring).
Some limitations remain unchanged from the previous sensor:
* Clusters with a high number of entities (e.g. pods, deployments, etc) are likely to have non-deterministic behaviour due to limitations we impose on message sizes. This is unlikely to be experienced in clusters with fewer than 500 hosts.
* The ServiceAccount is shared between both the DaemonSet and Deployment meaning no change in the security posture. We plan to add an additional service account to limit access to the api-server to only the Kubernetes sensor Deployment.
## Installation
For clusters with minimal controls you can install the tech preview with the following Helm install command:
```
helm template instana-agent \
--repo https://agents.instana.io/helm \
--namespace instana-agent \
--create-namespace \
--set agent.key=${AGENT_KEY} \
--set agent.endpointHost=${BACKEND_URL} \
--set agent.endpointPort=443 \
--set cluster.name=${CLUSTER_NAME} \
--set zone.name=${ZONE_NAME} \
--set kubernetes.deployment.enabled=true \
instana-agent
```
If your cluster employs Pod Security Policies you will need the following additional flag:
```
--set podSecurityPolicy.enable=true
```
If you are deploying into an OpenShift 4.x cluster you will need the following additional flag:
```
--set openshift=true
```

694
charts/instana/instana-agent/1.2.74/README.md Normal file
View File

@ -0,0 +1,694 @@
# Instana
Instana is an [APM solution](https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring, tracing and root cause analysis.
This solution is optimized for [Kubernetes](https://www.instana.com/automatic-kubernetes-monitoring/).
This chart adds the Instana Agent to all schedulable nodes in your cluster via a privileged `DaemonSet` and accompanying resources like `ConfigurationMap`s, `Secret`s and RBAC settings.
## Prerequisites
* Kubernetes 1.21+ OR OpenShift 4.8+
* Helm 3
## Installation
To configure the installation you can either specify the options on the command line using the **--set** switch, or you can edit **values.yaml**.
First, create a namespace for the instana-agent
```bash
kubectl create namespace instana-agent
```
To install the chart with the release name `instana-agent` and set the values on the command line run:
```bash
$ helm install instana-agent --namespace instana-agent \
--repo https://agents.instana.io/helm \
--set agent.key=INSTANA_AGENT_KEY \
--set agent.endpointHost=HOST \
--set zone.name=ZONE_NAME \
instana-agent
```
**OpenShift:** When targetting an OpenShift 4.x cluster, add `--set openshift=true`.
### Required Settings
#### Configuring the Instana Backend
In order to report the data it collects to the Instana backend for analysis, the Instana agent must know which backend to report to, and which credentials to use to authenticate, known as "agent key".
As described by the [Install Using the Helm Chart](https://www.instana.com/docs/setup_and_manage/host_agent/on/kubernetes#install-using-the-helm-chart) documentation, you will find the right values for the following fields inside Instana itself:
* `agent.endpointHost`
* `agent.endpointPort`
* `agent.key`
_Note:_ You can find the options mentioned in the [configuration section below](#configuration-reference)
If your agents report into a self-managed Instana unit (also known as "on-prem"), you will also need to configure a "download key", which allows the agent to fetch its components from the Instana repository.
The download key is set via the following value:
* `agent.downloadKey`
#### Zone and Cluster
Instana needs to know how to name your Kubernetes cluster and, optionally, how to group your Instana agents in [Custom zones](https://www.instana.com/docs/setup_and_manage/host_agent/configuration/#custom-zones) using the following fields:
* `zone.name`
* `cluster.name`
Either `zone.name` or `cluster.name` are required.
If you omit `cluster.name`, the value of `zone.name` will be used as cluster name as well.
If you omit `zone.name`, the host zone will be automatically determined by the availability zone information provided by the [supported Cloud providers](https://www.instana.com/docs/setup_and_manage/cloud_service_agents).
## Uninstallation
To uninstall/delete the `instana-agent` release:
```bash
helm del instana-agent -n instana-agent
```
## Configuration Reference
The following table lists the configurable parameters of the Instana chart and their default values.
| Parameter | Description | Default |
| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| `agent.configuration_yaml` | Custom content for the agent configuration.yaml file | `nil` See [below](#agent-configuration) for more details |
| `agent.configuration.autoMountConfigEntries` | (Experimental, needs Helm 3.1+) Automatically look up the entries of the default `instana-agent` ConfigMap, and mount as agent configuration files in the `instana-agent` container under the `/opt/instana/agent/etc/instana` directory all ConfigMap entries with keys that match the `configuration-*.yaml` scheme. | `false` |
| `agent.configuration.hotreloadEnabled` | Enables hot-reload of a configuration.yaml upon changes in the `instana-agent` ConfigMap without requiring a restart of a pod | `false` |
| `agent.endpointHost` | Instana Agent backend endpoint host | `ingress-red-saas.instana.io` (US and ROW). If in Europe, please override with `ingress-blue-saas.instana.io` |
| `agent.endpointPort` | Instana Agent backend endpoint port | `443` |
| `agent.key` | Your Instana Agent key | `nil` You must provide your own key unless `agent.keysSecret` is specified |
| `agent.downloadKey` | Your Instana Download key | `nil` Usually not required |
| `agent.keysSecret` | As an alternative to specifying `agent.key` and, optionally, `agent.downloadKey`, you can instead specify the name of the secret in the namespace in which you install the Instana agent that carries the agent key and download key | `nil` Usually not required, see [Bring your own Keys secret](#bring-your-own-keys-secret) for more details |
| `agent.additionalBackends` | List of additional backends to report to; it must specify the `endpointHost` and `key` fields, and optionally `endpointPort` | `[]` Usually not required; see [Configuring Additional Backends](#configuring-additional-backends) for more info and examples |
| `agent.tls.secretName` | The name of the secret of type `kubernetes.io/tls` which contains the TLS relevant data. If the name is provided, `agent.tls.certificate` and `agent.tls.key` will be ignored. | `nil` |
| `agent.tls.certificate` | The certificate data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`. | `nil` |
| `agent.tls.key` | The private key data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`. | `nil` |
| `agent.image.name` | The image name to pull | `instana/agent` |
| `agent.image.digest` | The image digest to pull; if specified, it causes `agent.image.tag` to be ignored | `nil` |
| `agent.image.tag` | The image tag to pull; this property is ignored if `agent.image.digest` is specified | `latest` |
| `agent.image.pullPolicy` | Image pull policy | `Always` |
| `agent.image.pullSecrets` | Image pull secrets; if not specified (default) _and_ `agent.image.name` starts with `containers.instana.io`, it will be automatically set to `[{ "name": "containers-instana-io" }]` to match the default secret created in this case. | `nil` |
| `agent.listenAddress` | List of addresses to listen on, or "*" for all interfaces | `nil` |
| `agent.mode` | Agent mode. Supported values are `APM`, `INFRASTRUCTURE`, `AWS` | `APM` |
| `agent.instanaMvnRepoUrl` | Override for the Maven repository URL when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
| `agent.instanaMvnRepoFeaturesPath` | Override for the Maven repository features path the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
| `agent.instanaMvnRepoSharedPath` | Override for the Maven repository shared path when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
| `agent.updateStrategy.type` | [DaemonSet update strategy type](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/); valid values are `OnDelete` and `RollingUpdate` | `RollingUpdate` |
| `agent.updateStrategy.rollingUpdate.maxUnavailable` | How many agent pods can be updated at once; this value is ignored if `agent.updateStrategy.type` is different than `RollingUpdate` | `1` |
| `agent.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available | `0` |
| `agent.pod.annotations` | Additional annotations to apply to the pod | `{}` |
| `agent.pod.labels` | Additional labels to apply to the Agent pod | `{}` |
| `agent.pod.priorityClassName` | Name of an _existing_ PriorityClass that should be set on the agent pods | `nil` |
| `agent.proxyHost` | Hostname/address of a proxy | `nil` |
| `agent.proxyPort` | Port of a proxy | `nil` |
| `agent.proxyProtocol` | Proxy protocol. Supported proxy types are `http` (for both HTTP and HTTPS proxies), `socks4`, `socks5`. | `nil` |
| `agent.proxyUser` | Username of the proxy auth | `nil` |
| `agent.proxyPassword` | Password of the proxy auth | `nil` |
| `agent.proxyUseDNS` | Boolean if proxy also does DNS | `nil` |
| `agent.pod.limits.cpu` | Container cpu limits in cpu cores | `1.5` |
| `agent.pod.limits.memory` | Container memory limits in MiB | `768Mi` |
| `agent.pod.requests.cpu` | Container cpu requests in cpu cores | `0.5` |
| `agent.pod.requests.memory` | Container memory requests in MiB | `768Mi` |
| `agent.pod.tolerations` | Tolerations for pod assignment | `[]` |
| `agent.pod.affinity` | Affinity for pod assignment | `{}` |
| `agent.serviceMesh.enabled` | Activate Instana Agent JVM monitoring service mesh support for Istio or OpenShift ServiceMesh | `true` |
| `agent.env` | Additional environment variables for the agent | `{}` |
| `agent.redactKubernetesSecrets` | Enable additional secrets redaction for selected Kubernetes resources | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details. |
| `cluster.name` | Display name of the monitored cluster | Value of `zone.name` |
| `leaderElector.port` | Instana leader elector sidecar port | `42655` |
| `leaderElector.image.name` | The elector image name to pull. _Note: leader-elector is deprecated and will no longer be updated._ | `instana/leader-elector` |
| `leaderElector.image.digest` | The image digest to pull; if specified, it causes `leaderElector.image.tag` to be ignored. _Note: leader-elector is deprecated and will no longer be updated._ | `nil` |
| `leaderElector.image.tag` | The image tag to pull; this property is ignored if `leaderElector.image.digest` is specified. _Note: leader-elector is deprecated and will no longer be updated._ | `latest` |
| `k8s_sensor.deployment.enabled` | Isolate k8sensor with a deployment |
| `k8s_sensor.deployment.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available | `0` | `true` |
| `k8s_sensor.image.name` | The k8sensor image name to pull | `gcr.io/instana/k8sensor` |
| `k8s_sensor.image.digest` | The image digest to pull; if specified, it causes `k8s_sensor.image.tag` to be ignored | `nil` |
| `k8s_sensor.image.tag` | The image tag to pull; this property is ignored if `k8s_sensor.image.digest` is specified | `latest` |
| `k8s_sensor.deployment.pod.limits.cpu` | CPU request for the `k8sensor` pods | `4` |
| `k8s_sensor.deployment.pod.limits.memory` | Memory request limits for the `k8sensor` pods | `6144Mi` |
| `k8s_sensor.deployment.pod.requests.cpu` | CPU limit for the `k8sensor` pods | `1.5` |
| `k8s_sensor.deployment.pod.requests.memory` | Memory limit for the `k8sensor` pods | `1024Mi` |
| `podSecurityPolicy.enable` | Whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to be `true` as well and it is available until Kubernetes version v1.25. | `false` See [PodSecurityPolicy](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#podsecuritypolicy) for more details. |
| `podSecurityPolicy.name` | Name of an _existing_ PodSecurityPolicy to authorize for the Instana Agent pods. If not provided and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created for you. | `nil` |
| `rbac.create` | Whether RBAC resources should be created | `true` |
| `openshift` | Whether to install the Helm chart as needed in OpenShift; this setting implies `rbac.create=true` | `false` |
| `opentelemetry.grpc.enabled` | Whether to configure the agent to accept telemetry from OpenTelemetry applications via gRPC. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `true` |
| `opentelemetry.http.enabled` | Whether to configure the agent to accept telemetry from OpenTelemetry applications via HTTP. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `true` |
| `prometheus.remoteWrite.enabled` | Whether to configure the agent to accept metrics over its implementation of the `remote_write` Prometheus endpoint. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `false` |
| `service.create` | Whether to create a service that exposes the agents' Prometheus, OpenTelemetry and other APIs inside the cluster. Requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. The `ServiceInternalTrafficPolicy` feature gate needs to be enabled (default: enabled). | `true` |
| `serviceAccount.create` | Whether a ServiceAccount should be created | `true` |
| `serviceAccount.name` | Name of the ServiceAccount to use | `instana-agent` |
| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
| `zone.name` | Zone that detected technologies will be assigned to | `nil` You must provide either `zone.name` or `cluster.name`, see [above](#installation) for details |
| `zones` | Multi-zone daemonset configuration. | `nil` see [below](#multiple-zones) for details |
| `k8s_sensor.podDisruptionBudget.enabled` | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions | `false` |
| `k8s_sensor.deployment.pod.affinity` | `k8sensor` deployment affinity format | `podAntiAffinity` defined in `values.yaml` |
### Agent Modes
Agent can have either `APM` or `INFRASTRUCTURE`.
Default is APM and if you want to override that, ensure you set value:
* `agent.mode`
For more information on agent modes, refer to the [Host Agent Modes](https://www.instana.com/docs/setup_and_manage/host_agent#host-agent-modes) documentation.
### Agent Configuration
Besides the settings listed above, there are many more settings that can be applied to the agent via the so-called "Agent Configuration File", often also referred to as `configuration.yaml` file.
An overview of the settings that can be applied is provided in the [Agent Configuration File](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#agent-configuration-file) documentation.
To configure the agent, you can either:
* edit the [config map](templates/agent-configmap.yaml), or
* provide the configuration via the `agent.configuration_yaml` parameter in [values.yaml](values.yaml)
This configuration will be used for all Instana Agents on all nodes. Visit the [agent configuration documentation](https://docs.instana.io/setup_and_manage/host_agent/#agent-configuration-file) for more details on configuration options.
_Note:_ This Helm Chart does not support configuring [Multiple Configuration Files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files).
### Agent Pod Sizing
The `agent.pod.requests.cpu`, `agent.pod.requests.memory`, `agent.pod.limits.cpu` and `agent.pod.limits.memory` settings allow you to change the sizing of the `instana-agent` pods.
If you are using the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) functionality, you may be able to reduce the default amount of resources, and especially memory, allocated to the Instana agents that monitor your applications.
Actual sizing data depends very much on how many pods, containers and applications are monitored, and how much traces they generate, so we cannot really provide a rule of thumb for the sizing.
### Bring your own Keys secret
In case you have automation that creates secrets for you, it may not be desirable for this Helm chart to create a secret containing the `agent.key` and `agent.downloadKey`.
In this case, you can instead specify the name of an alread-existing secret in the namespace in which you install the Instana agent that carries the agent key and download key.
The secret you specify The secret you specify _must_ have a field called `key`, which would contain the value you would otherwise set to `agent.key`, and _may_ contain a field called `downloadKey`, which would contain the value you would otherwise set to `agent.downloadKey`.
### Configuring Additional Configuration Files
[Multiple configuration files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files) is a capability of the Instana agent that allows for modularity in its configurations files.
The experimental `agent.configuration.autoMountConfigEntries`, which uses functionality available in Helm 3.1+ to automatically look up the entries of the default `instana-agent` ConfigMap, and mount as agent configuration files in the `instana-agent` container under the `/opt/instana/agent/etc/instana` directory all ConfigMap entries with keys that match the `configuration-*.yaml` scheme.
**IMPORTANT:** Needs Helm 3.1+ as it is built on the `lookup` function
**IMPORTANT:** Editing the ConfigMap adding keys requires a `helm upgrade` to take effect
### Configuring Additional Backends
You may want to have your Instana agents report to multiple backends.
The first backend must be configured as shown in the [Configuring the Instana Backend](#configuring-the-instana-backend); every backend after the first, is configured in the `agent.additionalBackends` list in the [values.yaml](values.yaml) as follows:
```yaml
agent:
additionalBackends:
# Second backend
- endpointHost: my-instana.instana.io # endpoint host; e.g., my-instana.instana.io
endpointPort: 443 # default is 443, so this line could be omitted
key: ABCDEFG # agent key for this backend
# Third backend
- endpointHost: another-instana.instana.io # endpoint host; e.g., my-instana.instana.io
endpointPort: 1444 # default is 443, so this line could be omitted
key: LMNOPQR # agent key for this backend
```
The snippet above configures the agent to report to two additional backends.
The same effect as the above can be accomplished via the command line via:
```sh
$ helm install -n instana-agent instana-agent ... \
--repo https://agents.instana.io/helm \
--set 'agent.additionalBackends[0].endpointHost=my-instana.instana.io' \
--set 'agent.additionalBackends[0].endpointPort=443' \
--set 'agent.additionalBackends[0].key=ABCDEFG' \
--set 'agent.additionalBackends[1].endpointHost=another-instana.instana.io' \
--set 'agent.additionalBackends[1].endpointPort=1444' \
--set 'agent.additionalBackends[1].key=LMNOPQR' \
instana-agent
```
_Note:_ There is no hard limitation on the number of backends an Instana agent can report to, although each comes at the cost of a slight increase in CPU and memory consumption.
### Configuring a Proxy between the Instana agents and the Instana backend
If your infrastructure uses a proxy, you should ensure that you set values for:
* `agent.proxyHost`
* `agent.pod.proxyPort`
* `agent.pod.proxyProtocol`
* `agent.pod.proxyUser`
* `agent.pod.proxyPassword`
* `agent.pod.proxyUseDNS`
#### Same Proxy for Repository and the Instana backend
If the same proxy is utilized for both backend and repository, configure only the 'Agent' proxy settings using the following parameter:
```
--set agent.proxyHost='<Hostname/address of a proxy>'
```
#### Separate Proxies for Repository and the Instana backend
In scenarios where distinct proxy settings are employed for the backend and repository, both proxies must be configured separately. The key is to ensure that `INSTANA_REPOSITORY_PROXY_ENABLED=true` is set.
To use this variant, execute helm install with the following additional parameters:
```
--set agent.proxyHost='Hostname/address of a proxy'
--set agent.env.INSTANA_REPOSITORY_PROXY_ENABLED='true'
--set agent.env.INSTANA_REPOSITORY_PROXY_HOST='Hostname/address of a proxy'
```
Make sure to replace 'Hostname/address of a proxy' with the actual hostname or address of your proxy.
### Configuring which Networks the Instana Agent should listen on
If your infrastructure has multiple networks defined, you might need to allow the agent to listen on all addresses (typically with value set to `*`):
* `agent.listenAddress`
### Setup TLS Encryption for Agent Endpoint
TLS encryption can be added via two variants.
Either an existing secret can be used or a certificate and a private key can be used during the installation.
#### Using existing secret
An existing secret of type `kubernetes.io/tls` can be used.
Only the `secretName` must be provided during the installation with `--set 'agent.tls.secretName=<YOUR_SECRET_NAME>'`.
The files from the provided secret are then mounted into the agent.
#### Provide certificate and private key
On the other side, a certificate and a private key can be added during the installation.
The certificate and private key must be base64 encoded.
To use this variant, execute `helm install` with the following additional parameters:
```
--set 'agent.tls.certificate=<YOUR_CERTIFICATE_BASE64_ENCODED>'
--set 'agent.tls.key=<YOUR_PRIVATE_KEY_BASE64_ENCODED>'
```
If `agent.tls.secretName` is set, then `agent.tls.certificate` and `agent.tls.key` are ignored.
### Development and debugging options
These options will be rarely used outside of development or debugging of the agent.
| Parameter | Description | Default |
| ----------------------- | ------------------------------------------------ | ------- |
| `agent.host.repository` | Host path to mount as the agent maven repository | `nil` |
### Kubernetes Sensor Deployment
_Note: leader-elector and kubernetes sensor is deprecated and will no longer be updated. Instead, k8s_sensor should be used._
The data about Kubernetes resources is collected by the Kubernetes sensor in the Instana agent.
With default configurations, only one Instana agent at any one time is capturing the bulk of Kubernetes data.
Which agent gets the task is coordinated by a leader elector mechanism running inside the `leader-elector` container of the `instana-agent` pods.
However, on large Kubernetes clusters, the load on the one Instana agent that fetches the Kubernetes data can be substantial and, to some extent, has lead to rather "generous" resource requests and limits for all the Instana agents across the cluster, as any one of them could become the leader at some point.
The Helm chart has a special mode, enabled by setting `k8s_sensor.deployment.enabled=true`, that will actually schedule additional Instana agents running _only_ the Kubernetes sensor that run in a dedicated `k8sensor` Deployment inside the `instana-agent` namespace.
The pods containing agents that run only the Kubernetes sensor are called `k8sensor` pods.
When `k8s_sensor.deployment.enabled=true`, the `instana-agent` pods running inside the daemonset do _not_ contain the `leader-elector` container, which is instead scheduled inside the `k8sensor` pods.
The `instana-agent` and `k8sensor` pods share the same configurations in terms of backend-related configurations (including [additional backends](#configuring-additional-backends)).
It is advised to use the `k8s_sensor.deployment.enabled=true` mode on clusters of more than 10 nodes, and in that case, you may be able to reduce the amount of resources assigned to the `instana-agent` pods, especially in terms of memory, using the [Agent Pod Sizing](#agent-pod-sizing) settings.
The `k8s_sensor.deployment.pod.requests.cpu`, `k8s_sensor.deployment.pod.requests.memory`, `k8s_sensor.deployment.pod.limits.cpu` and `k8s_sensor.deployment.pod.limits.memory` settings, on the other hand, allows you to change the sizing of the `k8sensor` pods.
#### Determine Special Mode Enabled
To determine if Kubernetes sensor is running in a decidated `k8sensor` deployment, list deployments in the `instana-agent` namespace.
```
kubectl get deployments -n instana-agent
```
If it shows `k8sensor` in the list, then the special mode is enabled
#### Upgrade Kubernetes Sensor
To upgrade the kubernetes sensor to the lastest version, perform a rolling restart of the `k8sensor` deployment using the following command:
```
kubectl rollout restart deployment k8sensor -n instana-agent
```
### Multiple Zones
You can list zones to use affinities and tolerations as the basis to associate a specific daemonset per tainted node pool. Each zone will have the following data:
* `name` (required) - zone name.
* `mode` (optional) - instana agent mode (e.g. APM, INFRASTRUCTURE, etc).
* `affinity` (optional) - standard kubernetes pod affinity list for the daemonset.
* `tolerations` (optional) - standard kubernetes pod toleration list for the daemonset.
The following is an example that will create 2 zones an api-server and a worker zone:
```yaml
zones:
- name: workers
mode: APM
- name: api-server
mode: INFRASTRUCTURE
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: Exists
tolerations:
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"
```
## Changelog
### 1.2.74
* Enable OTLP by default
### 1.2.73
* Fix label for `io.instana/zone` to reflect the real agent mode
* Change the charts flag from ENABLE_AGENT_SOCKET to serviceMesh.enabled
* Add type: DirectoryOrCreate to DaemonSet definitions to ensure required directories exist
### 1.2.72
* Add minReadySeconds field to agent daemonset yaml
### 1.2.71
* Fix usage of digest for pulling images
### 1.2.70
* Allow the configuration of `minReadySeconds` for the agent daemonset and deployment
### 1.2.69
* Add possibility to set annotations for the serviceAccount.
### 1.2.68
* Add leader elector configuration back to allow for proper deprecation
### 1.2.67
* Fix variable name in the K8s deployment
### 1.2.66
* Allign the default Memory requests to 768Mi for the Agent container.
### 1.2.65
* Ensure we have appropriate SCC when running with new K8s sensor.
### 1.2.64
* Remove RBAC not required by agent when kubernetes-sensor is disabed.
* Add settings override for k8s-sensor affinity
* Add optional pod disruption budget for k8s-sensor
### 1.2.63
* Add RBAC required to allow access to /metrics end-points.
### 1.2.62
* Include k8s-sensor resources in the default static YAML definitions
### 1.2.61
* Increase timeout and initialDelay for the Agent container
* Add OTLP ports to headless service
### 1.2.60
* Enable the k8s_sensor by default
### 1.2.59
* Introduce unique selectorLabels and commonLabels for k8s-sensor deployment
### 1.2.58
* Default to `internalTrafficPolicy` instead of `topologyKeys` for rendering of static YAMLs
### 1.2.57
* Fix vulnerability in the leader-elector image
### 1.2.49
* Add zone name to label `io.instana/zone` in daemonset
### 1.2.48
* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
### 1.2.47
* Roll back the changes from version 1.2.46 to be compatible with the Agent Operator installation
### 1.2.46
* Use K8sensor by default.
* kubernetes.deployment.enabled setting overrides k8s_sensor.deployment.enabled setting.
* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
* Throw failure if customer specifies proxy with k8sensor.
* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
### 1.2.45
* Use agent key secret in k8sensor deployment.
### 1.2.44
* Add support for enabling the hot-reload of `configuration.yaml` when the default `instana-agent` ConfigMap changes
* Enablement is done via the flag `--set agent.configuration.hotreloadEnabled=true`
### 1.2.43
* Bump leader-elector image to v0.5.16 (Update dependencies)
### 1.2.42
* Add support for creating multiple zones within the same cluster using affinity and tolerations.
### 1.2.41
* Add additional permissions (HPA, ResourceQuotas, etc) to k8sensor clusterrole.
### 1.2.40
* Mount all system mounts mountPropagation: HostToContainer.
### 1.2.39
* Add NO_PROXY to k8sensor deployment to prevent api-server requests from being routed to the proxy.
### 1.2.38
* Fix issue related to EKS version format when enabling OTel service.
### 1.2.37
* Fix issue where cluster_zone is used as cluster_name when `k8s_sensor.deployment.enabled=true`.
* Set `HTTPS_PROXY` in k8s deployment when proxy information is set.
### 1.2.36
* Remove Service `topologyKeys`, which was removed in Kubernetes v1.22. Replaced by `internalTrafficPolicy` which is available with Kubernetes v1.21+.
### 1.2.35
* Fix invalid backend port for new Kubernetes sensor (k8sensor)
### 1.2.34
* Add support for new Kubernetes sensor (k8sensor)
* New Kubernetes sensor can be used via the flag `--set k8s_sensor.deployment.enabled=true`
### 1.2.33
* Bump leader-elector image to v0.5.15 (Update dependencies)
### 1.2.32
* Add support for containerd montoring on TKGI
### 1.2.31
* Bump leader-elector image to v0.5.14 (Update dependencies)
### 1.2.30
* Pull agent image from IBM Cloud Container Registry (icr.io/instana/agent). No code changes have been made.
* Bump leader-elector image to v0.5.13 and pull from IBM Cloud Container Registry (icr.io/instana/leader-elector). No code changes have been made.
### 1.2.29
* Add an additional port to the Instana Agent `Service` definition, for the OpenTelemetry registered IANA port 4317.
### 1.2.28
* Fix deployment when `cluster.name` is not specified. Should be allowed according to docs but previously broke the Pod
when starting up.
### 1.2.27
* Update leader elector image to `0.5.10` to tone down logging and make it configurable
### 1.2.26
* Add TLS support. An existing secret can be used of type `kubernetes.io/tls`. Or provide a certificate and a private key, which creates a new secret.
* Update leader elector image version to 0.5.9 to support PPCle
### 1.2.25
* Add `agent.pod.labels` to add custom labels to the Instana Agent pods
### 1.2.24
* Bump leader-elector image to v0.5.8 which includes a health-check endpoint. Update the `livenessProbe`
correspondingly.
### 1.2.23
* Bump leader-elector image to v0.5.7 to fix a potential Golang bug in the elector
### 1.2.22
* Fix templating scope when defining multiple backends
### 1.2.21
* Internal updates
### 1.2.20
* upgrade leader-elector image to v0.5.6 to enable usage on s390x and arm64
### 1.2.18 / 1.2.19
* Internal change on generated DaemonSet YAML from the Helm charts
### 1.2.17
* Update Pod Security Policies as the `readOnly: true` appears not to be working for the mount points and
actually causes the Agent deployment to fail when these policies are enforced in the cluster.
### 1.2.16
* Add configuration option for `INSTANA_MVN_REPOSITORY_URL` setting on the Agent container.
### 1.2.15
* Internal pipeline changes. No significant changes to the Helm charts
### v1.2.14
* Update Agent container mounts. Make some read-only as we don't need all mounts with read-write permissions.
Additionally add the mount for `/var/data` which is needed in certain environments for the Agent to function
properly.
### v1.2.13
* Update memory settings specifically for the Kubernetes sensor (Technical Preview)
### v1.2.11
* Simplify setup for using OpenTelemetry and the Prometheus `remote_write` endpoint using the `opentelemetry.enabled` and `prometheus.remoteWrite.enabled` settings, respectively.
### v1.2.9
* **Technical Preview:** Introduce a new mode of running to the Kubernetes sensor using a dedicated deployment.
See the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) section for more information.
### v1.2.7
* Fix: Make service opt-in, as it uses functionality (`topologyKeys`) that is available only in K8S 1.17+.
### v1.2.6
* Fix bug that might cause some OpenShift-specific resources to be created in other flavours of Kubernetes.
### v1.2.5
* Introduce the `instana-agent:instana-agent` Kubernetes service that allows you to talk to the Instana agent on the same node.
### v1.2.3
* Bug fix: Extend the built-in Pod Security Policy to cover the Docker socket mount for Tanzu Kubernetes Grid systems.
### v1.2.1
* Support OpenShift 4.x: just add --set openshift=true to the usual settings, and off you go :-)
* Restructure documentation for consistency and readability
* Deprecation: Helm 2 is no longer supported; the minimum Helm API version is now v2, which will make Helm 2 refuse to process the chart.
### v1.1.10
* Some linting of the whitespaces in the generated YAML
### v1.1.9
* Update the README to replace all references of `stable/instana-agent` with specifically setting the repo flag to `https://agents.instana.io/helm`.
* Add support for TKGI and PKS systems, providing a workaround for the [unexpected Docker socket location](https://github.com/cloudfoundry-incubator/kubo-release/issues/329).
### v1.1.7
* Store the cluster name in a new `cluster-name` entry of the `instana-agent` ConfigMap rather than directly as the value of the `INSTANA_KUBERNETES_CLUSTER_NAME`, so that you can edit the cluster name in the ConfigMap in deployments like VMware Tanzu Kubernetes Grid in which, when installing the Instana agent over the [Instana tile](https://www.instana.com/docs/setup_and_manage/host_agent/on/vmware_tanzu), you do not have directly control to the configuration of the cluster name.
If you edit the ConfigMap, you will need to delete the `instana-agent` pods for its new value to take effect.
### v1.1.6
* Allow to use user-specified memony measurement units in `agent.pod.requests.memory` and `agent.pod.limits.memory`.
If the value set is numerical, the Chart will assume it to be expressed in `Mi` for backwards compatibility.
* Exposed `agent.updateStrategy.type` and `agent.updateStrategy.rollingUpdate.maxUnavailable` settings.
### v1.1.5
Restore compatibility with Helm 2 that was broken in v1.1.4 by the usage of the `lookup` function, a function actually introduced only with Helm 3.1.
Coincidentally, this has been an _excellent_ opportunity to introduce `helm lint` to our validation pipeline and end-to-end tests with Helm 2 ;-)
### v1.1.4
* Bring-your-own secret for agent keys: using the new `agent.keysSecret` setting, you can specify the name of the secret that contains the agent key and, optionally, the download key; refer to [Bring your own Keys secret](#bring-your-own-keys-secret) for more details.
* Add support for affinities for the instana agent pod via the `agent.pod.affinity` setting.
* Put some love into the ArtifactHub.io metadata; likely to add some more improvements related to this over time.
### v1.1.3
* No new features, just ironing some wrinkles out of our release automation.
### v1.1.2
* Improvement: Seamless support for Instana static agent images: When using an `agent.image.name` starting with `containers.instana.io`, automatically create a secret called `containers-instana-io` containing the `.dockerconfigjson` for `containers.instana.io`, using `_` as username and `agent.downloadKey` or, if missing, `agent.key` as password. If you want to control the creation of the image pull secret, or disable it, you can use `agent.image.pullSecrets`, passing to it the YAML to use for the `imagePullSecrets` field of the Daemonset spec, including an empty array `[]` to mount no pull secrets, no matter what.
### v1.1.1
* Fix: Recreate the `instana-agent` pods when there is a change in one of the following configuration, which are mapped to the chart-managed ConfigMap:
* `agent.configuration_yaml`
* `agent.additional_backends`
The pod recreation is achieved by annotating the `instana-agent` Pod with a new `instana-configuration-hash` annotation that has, as value, the SHA-1 hash of the configurations used to populate the ConfigMap.
This way, when the configuration changes, the respective change in the `instana-configuration-hash` annotation will cause the agent pods to be recreated.
This technique has been described at [1] (or, at least, that is were we learned about it) and it is pretty cool :-)
### v1.1.0
* Improvement: The `instana-agent` Helm chart has a new home at `https://agents.instana.io/helm` and `https://github.com/instana/helm-charts/instana-agent`!
This release is functionally equivalent to `1.0.34`, but we bumped the major to denote the new location ;-)
## References
[1] ["Using Kubernetes Helm to push ConfigMap changes to your Deployments", by Sander Knape; Mar 7, 2019](https://sanderknape.com/2019/03/kubernetes-helm-configmaps-changes-deployments/)

5
charts/instana/instana-agent/1.2.74/app-readme.md Normal file
View File

@ -0,0 +1,5 @@
# Instana
Instana is an [APM solution(https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring tracing and root cause analysis. This solution is optimized for [Rancher](https://www.instana.com/rancher/).
This chart adds the Instana Agent to all schedulable nodes in your cluster via a `DaemonSet`.

BIN
charts/instana/instana-agent/1.2.74/kubernetes.deployment.enabled.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

20
charts/instana/instana-agent/1.2.74/kubernetes_deployment_mode_diagram.py Normal file
View File

@ -0,0 +1,20 @@
from diagrams import Cluster, Diagram
from diagrams.k8s.compute import Deploy, DaemonSet, Pod
from diagrams.k8s.podconfig import ConfigMap
with Diagram("kubernetes.deployment.enabled", show=True, direction="LR"):
ds = None
deploy = None
with Cluster("Namespace\ninstana-agent"):
with Cluster("Deployment\nkubernetes-sensor"):
deploy = Pod("2 Replicas\nKubernetes Sensor")
with Cluster("DaemonSet\ninstana-agent"):
ds = Pod('Per Node\nHost & APM')
cm = ConfigMap("instana-agent")
dcm = ConfigMap("instana-agent-deployment")
cm >> deploy
cm >> ds
dcm >> deploy

236
charts/instana/instana-agent/1.2.74/questions.yml Normal file
View File

@ -0,0 +1,236 @@
questions:
# Basic agent configuration
- variable: agent.key
label: agent.key
description: "Your Instana Agent key is the secret token which your agent uses to authenticate to Instana's servers"
type: string
required: true
group: "Agent Configuration"
- variable: agent.endpointHost
label: agent.endpointHost
description: "The hostname of the Instana server your agents will connect to. Defaults to ingress-red-saas.instana.io for US and ROW. If in Europe, please use ingress-blue-saas.instana.io"
type: string
required: true
default: "ingress-red-saas.instana.io"
group: "Agent Configuration"
- variable: zone.name
label: zone.name
description: "Custom zone that detected technologies will be assigned to"
type: string
required: true
group: "Agent Configuration"
# Advanced agent configuration
- variable: advancedAgentConfiguration
description: "Show advanced configuration for the Instana Agent"
label: Show advanced configuration
type: boolean
default: false
show_subquestion_if: true
group: "Advanced Agent Configuration"
subquestions:
- variable: agent.configuration_yaml
label: agent.configuration_yaml (Optional)
description: "Custom content for the agent configuration.yaml file in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.downloadKey
label: agent.downloadKey (Optional)
description: "Your Instana download key"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.endpointPort
label: agent.endpointPort
description: "The Agent backend port number (as a string) of the Instana server your agents will connect to"
type: string
required: true
default: "443"
group: "Advanced Agent Configuration"
- variable: agent.image.name
label: agent.image.name
description: "The name of the Instana Agent container image"
type: string
required: true
default: "instana/agent"
group: "Advanced Agent Configuration"
- variable: agent.image.tag
label: agent.image.tag
description: "The tag name of the Instana Agent container image"
type: string
required: true
default: "latest"
group: "Advanced Agent Configuration"
- variable: agent.image.pullPolicy
label: agent.image.pullPolicy
description: "Specifies when to pull the Instana Agent image container"
type: string
required: true
default: "Always"
group: "Advanced Agent Configuration"
- variable: agent.listenAddress
label: agent.listenAddress (Optional)
description: "The IP address the agent HTTP server will listen to, or '*' for all interfaces"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.mode
label: agent.mode (Optional)
description: "Agent mode. Possible options are: APM, INFRASTRUCTURE or AWS"
type: enum
options:
- "APM"
- "INFRASTRUCTURE"
- "AWS"
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.annotations
label: agent.pod.annotations (Optional)
description: "Additional annotations to be added to the agent pods in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.limits.cpu
label: agent.pod.limits.cpu
description: "CPU units allocation limits for the agent pods"
type: string
required: true
default: "1.5"
group: "Advanced Agent Configuration"
- variable: agent.pod.limits.memory
label: agent.pod.limits.memory
description: "Memory allocation limits in MiB for the agent pods"
type: int
required: true
default: 512
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyHost
label: agent.pod.proxyHost (Optional)
description: "Hostname/address of a proxy. Sets the INSTANA_AGENT_PROXY_HOST environment variable"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyPort
label: agent.pod.proxyPort (Optional)
description: "Port of a proxy. Sets the INSTANA_AGENT_PROXY_PORT environment variable"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyProtocol
label: agent.pod.proxyProtocol (Optional)
description: "Proxy protocol. Sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable. Supported proxy types are http, socks4, socks5"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyUser
label: agent.pod.proxyUser (Optional)
description: "Username of the proxy auth. Sets the INSTANA_AGENT_PROXY_USER environment variable"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyPassword
label: agent.pod.proxyPassword (Optional)
description: "Password of the proxy auth. Sets the INSTANA_AGENT_PROXY_PASSWORD environment variable"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.proxyUseDNS
label: agent.pod.proxyUseDNS. (Optional)
description: "Boolean if proxy also does DNS. Sets the INSTANA_AGENT_PROXY_USE_DNS environment variable"
type: enum
options:
- "true"
- "false"
required: false
group: "Advanced Agent Configuration"
- variable: agent.pod.requests.cpu
label: agent.pod.requests.cpu
description: "Requested CPU units allocation for the agent pods"
type: string
required: true
default: "0.5"
group: "Advanced Agent Configuration"
- variable: agent.pod.requests.memory
label: agent.pod.requests.memory
description: "Requested memory allocation in MiB for the agent pods"
type: int
required: true
default: 512
group: "Advanced Agent Configuration"
- variable: agent.pod.tolerations
label: agent.pod.tolerations (Optional)
description: "Tolerations to influence agent pod assignment in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
type: string
required: false
group: "Advanced Agent Configuration"
- variable: agent.redactKubernetesSecrets
label: agent.redactKubernetesSecrets (Optional)
description: "Enable additional secrets redaction for selected Kubernetes resources"
type: boolean
required: false
default: false
group: "Advanced Agent Configuration"
- variable: cluster.name
label: cluster.name (Optional)
description: "The name that will be assigned to this cluster in Instana. See the 'Installing the Chart' section in the 'Detailed Descriptions' tab for more details"
type: string
required: false
group: "Advanced Agent Configuration"
- variable: leaderElector.image.name
label: leaderElector.image.name
description: "The name of the leader elector container image"
type: string
required: true
default: "instana/leader-elector"
group: "Advanced Agent Configuration"
- variable: leaderElector.image.tag
label: leaderElector.image.tag
description: "The tag name of the leader elector container image"
type: string
required: true
default: "0.5.4"
group: "Advanced Agent Configuration"
- variable: leaderElector.port
label: leaderElector.port
description: "The port on which the leader elector sidecar is exposed"
type: int
required: true
default: 42655
group: "Advanced Agent Configuration"
- variable: podSecurityPolicy.enable
label: podSecurityPolicy.enable (Optional)
description: "Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to also be `true`"
type: boolean
show_if: "rbac.create=true"
required: false
default: false
group: "Pod Security Policy Configuration"
- variable: podSecurityPolicy.name
label: podSecurityPolicy.name (Optional)
description: "The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods. If not set and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created with a name generated using the fullname template"
type: string
show_if: "rbac.create=true&&podSecurityPolicy.enable=true"
required: false
group: "Pod Security Policy Configuration"
- variable: rbac.create
label: rbac.create
description: "Specifies whether RBAC resources should be created"
type: boolean
required: true
default: true
group: "RBAC Configuration"
- variable: serviceAccount.create
label: serviceAccount.create
description: "Specifies whether a ServiceAccount should be created"
type: boolean
required: true
default: true
show_subquestion_if: true
group: "RBAC Configuration"
subquestions:
- variable: serviceAccount.name
label: Name of the ServiceAccount (Optional)
description: "The name of the ServiceAccount to use. If not set and `serviceAccount.create` is true, a name is generated using the fullname template."
type: string
required: false
group: "RBAC Configuration"

71
charts/instana/instana-agent/1.2.74/templates/NOTES.txt Normal file
View File

@ -0,0 +1,71 @@
{{- if (and (not (or .Values.agent.key .Values.agent.keysSecret )) (and (not .Values.zone.name) (not .Values.cluster.name))) }}
##############################################################################
#### ERROR: You did not specify your secret agent key. ####
#### ERROR: You also did not specify a zone or name for this cluster. ####
##############################################################################
This agent deployment will be incomplete until you set your agent key and zone or name for this cluster:
helm upgrade {{ .Release.Name }} --reuse-values \
--repo https://agents.instana.io/helm \
--set agent.key=$(YOUR_SECRET_AGENT_KEY) \
--set zone.name=$(YOUR_ZONE_NAME) instana-agent
Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
helm upgrade {{ .Release.Name }} --reuse-values \
--repo https://agents.instana.io/helm \
--set agent.key=$(YOUR_SECRET_AGENT_KEY) \
--set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
- YOUR_CLUSTER_NAME should be the custom name of your cluster.
At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
{{- else if (and (not .Values.zone.name) (not .Values.cluster.name)) }}
##############################################################################
#### ERROR: You did not specify a zone or name for this cluster. ####
##############################################################################
This agent deployment will be incomplete until you set a zone for this cluster:
helm upgrade {{ .Release.Name }} --reuse-values \
--repo https://agents.instana.io/helm \
--set zone.name=$(YOUR_ZONE_NAME) instana-agent
Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
helm upgrade {{ .Release.Name }} --reuse-values \
--repo https://agents.instana.io/helm \
--set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
- YOUR_CLUSTER_NAME should be the custom name of your cluster.
At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
{{- else if not (or .Values.agent.key .Values.agent.keysSecret )}}
##############################################################################
#### ERROR: You did not specify your secret agent key. ####
##############################################################################
This agent deployment will be incomplete until you set your agent key:
helm upgrade {{ .Release.Name }} --reuse-values \
--repo https://agents.instana.io/helm \
--set agent.key=$(YOUR_SECRET_AGENT_KEY) instana-agent
- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
{{- else -}}
It may take a few moments for the agents to fully deploy. You can see what agents are running by listing resources in the {{ .Release.Namespace }} namespace:
kubectl get all -n {{ .Release.Namespace }}
You can get the logs for all of the agents with `kubectl logs`:
kubectl logs -l app.kubernetes.io/name={{ .Release.Name }} -n {{ .Release.Namespace }} -c instana-agent
{{- end }}

385
charts/instana/instana-agent/1.2.74/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,385 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "instana-agent.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "instana-agent.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "instana-agent.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
The name of the ServiceAccount used.
*/}}
{{- define "instana-agent.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "instana-agent.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
The name of the PodSecurityPolicy used.
*/}}
{{- define "instana-agent.podSecurityPolicyName" -}}
{{- if .Values.podSecurityPolicy.enable -}}
{{ default (include "instana-agent.fullname" .) .Values.podSecurityPolicy.name }}
{{- end -}}
{{- end -}}
{{/*
Prints out the name of the secret to use to retrieve the agent key
*/}}
{{- define "instana-agent.keysSecretName" -}}
{{- if .Values.agent.keysSecret -}}
{{ .Values.agent.keysSecret }}
{{- else -}}
{{ template "instana-agent.fullname" . }}
{{- end -}}
{{- end -}}
{{/*
Add Helm metadata to resource labels.
*/}}
{{- define "instana-agent.commonLabels" -}}
app.kubernetes.io/name: {{ include "instana-agent.name" . }}
app.kubernetes.io/version: {{ .Chart.Version }}
{{- if not .Values.templating }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "instana-agent.chart" . }}
{{- end -}}
{{- end -}}
{{/*
Add Helm metadata to resource labels.
*/}}
{{- define "k8s-sensor.commonLabels" -}}
{{/* Following label is used to determine whether to disable the Kubernetes host sensor */}}
app: k8sensor
app.kubernetes.io/name: {{ include "instana-agent.name" . }}-k8s-sensor
app.kubernetes.io/version: {{ .Chart.Version }}
{{- if not .Values.templating }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
helm.sh/chart: {{ include "instana-agent.chart" . }}
{{- end -}}
{{- end -}}
{{/*
Add Helm metadata to selector labels specifically for deployments/daemonsets/statefulsets.
*/}}
{{- define "instana-agent.selectorLabels" -}}
app.kubernetes.io/name: {{ include "instana-agent.name" . }}
{{- if not .Values.templating }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}
{{/*
Add Helm metadata to selector labels specifically for deployments/daemonsets/statefulsets.
*/}}
{{- define "k8s-sensor.selectorLabels" -}}
app: k8sensor
app.kubernetes.io/name: {{ include "instana-agent.name" . }}-k8s-sensor
{{- if not .Values.templating }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}
{{/*
Generates the dockerconfig for the credentials to pull from containers.instana.io
*/}}
{{- define "imagePullSecretContainersInstanaIo" }}
{{- $registry := "containers.instana.io" }}
{{- $username := "_" }}
{{- $password := default .Values.agent.key .Values.agent.downloadKey }}
{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" $registry (printf "%s:%s" $username $password | b64enc) | b64enc }}
{{- end }}
{{/*
Output limits or defaults
*/}}
{{- define "instana-agent.resources" -}}
{{- $memory := default "768Mi" .memory -}}
{{- $cpu := default 0.5 .cpu -}}
memory: "{{ dict "memory" $memory | include "ensureMemoryMeasurement" }}"
cpu: {{ $cpu }}
{{- end -}}
{{/*
Ensure a unit of memory measurement is added to the value
*/}}
{{- define "ensureMemoryMeasurement" }}
{{- $value := .memory }}
{{- if kindIs "string" $value }}
{{- print $value }}
{{- else }}
{{- print ($value | toString) "Mi" }}
{{- end }}
{{- end }}
{{/*
Composes a container image from a dict containing a "name" field (required), "tag" and "digest" (both optional, if both provided, "digest" has priority)
*/}}
{{- define "image" }}
{{- $name := .name }}
{{- $tag := .tag }}
{{- $digest := .digest }}
{{- if $digest }}
{{- printf "%s@sha256:%s" $name $digest }}
{{- else if $tag }}
{{- printf "%s:%s" $name $tag }}
{{- else }}
{{- print $name }}
{{- end }}
{{- end }}
{{- define "volumeMountsForConfigFileInConfigMap" }}
{{- $configMapName := (include "instana-agent.fullname" .) }}
{{- $configMapNameSpace := .Release.Namespace }}
{{- $configMap := tpl ( ( "{{ lookup \"v1\" \"ConfigMap\" \"map-namespace\" \"map-name\" | toYaml }}" | replace "map-namespace" $configMapNameSpace ) | replace "map-name" $configMapName ) . }}
{{- if $configMap }}
{{- $configMapObject := $configMap | fromYaml }}
{{- range $key, $val := $configMapObject.data }}
{{- if regexMatch "configuration-disable-kubernetes-sensor\\.yaml" $key }}
{{/* Nothing to do here, this is a special case we want to ignore */}}
{{- else if regexMatch "configuration-opentelemetry\\.yaml" $key }}
{{/* Nothing to do here, this is a special case we want to ignore */}}
{{- else if regexMatch "configuration-prometheus-remote-write\\.yaml" $key }}
{{/* Nothing to do here, this is a special case we want to ignore */}}
{{- else if regexMatch "configuration-.*\\.yaml" $key }}
- name: configuration
subPath: {{ $key }}
mountPath: /opt/instana/agent/etc/instana/{{ $key }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- define "instana-agent.commonEnv" -}}
- name: INSTANA_AGENT_LEADER_ELECTOR_PORT
value: {{ .Values.leaderElector.port | quote }}
{{- if .Values.zone.name }}
- name: INSTANA_ZONE
value: {{ .Values.zone.name | quote }}
{{- end }}
{{- if .Values.cluster.name }}
- name: INSTANA_KUBERNETES_CLUSTER_NAME
valueFrom:
configMapKeyRef:
name: {{ template "instana-agent.fullname" . }}
key: cluster_name
{{- end }}
- name: INSTANA_AGENT_ENDPOINT
value: {{ .Values.agent.endpointHost | quote }}
- name: INSTANA_AGENT_ENDPOINT_PORT
value: {{ .Values.agent.endpointPort | quote }}
- name: INSTANA_AGENT_KEY
valueFrom:
secretKeyRef:
name: {{ template "instana-agent.keysSecretName" . }}
key: key
- name: INSTANA_DOWNLOAD_KEY
valueFrom:
secretKeyRef:
name: {{ template "instana-agent.keysSecretName" . }}
key: downloadKey
optional: true
{{- if .Values.agent.instanaMvnRepoUrl }}
- name: INSTANA_MVN_REPOSITORY_URL
value: {{ .Values.agent.instanaMvnRepoUrl | quote }}
{{- end }}
{{- if .Values.agent.instanaMvnRepoFeaturesPath }}
- name: INSTANA_MVN_REPOSITORY_FEATURES_PATH
value: {{ .Values.agent.instanaMvnRepoFeaturesPath | quote }}
{{- end }}
{{- if .Values.agent.instanaMvnRepoSharedPath }}
- name: INSTANA_MVN_REPOSITORY_SHARED_PATH
value: {{ .Values.agent.instanaMvnRepoSharedPath | quote }}
{{- end }}
{{- if .Values.agent.proxyHost }}
- name: INSTANA_AGENT_PROXY_HOST
value: {{ .Values.agent.proxyHost | quote }}
{{- end }}
{{- if .Values.agent.proxyPort }}
- name: INSTANA_AGENT_PROXY_PORT
value: {{ .Values.agent.proxyPort | quote }}
{{- end }}
{{- if .Values.agent.proxyProtocol }}
- name: INSTANA_AGENT_PROXY_PROTOCOL
value: {{ .Values.agent.proxyProtocol | quote }}
{{- end }}
{{- if .Values.agent.proxyUser }}
- name: INSTANA_AGENT_PROXY_USER
value: {{ .Values.agent.proxyUser | quote }}
{{- end }}
{{- if .Values.agent.proxyPassword }}
- name: INSTANA_AGENT_PROXY_PASSWORD
value: {{ .Values.agent.proxyPassword | quote }}
{{- end }}
{{- if .Values.agent.proxyUseDNS }}
- name: INSTANA_AGENT_PROXY_USE_DNS
value: {{ .Values.agent.proxyUseDNS | quote }}
{{- end }}
{{- if .Values.agent.listenAddress }}
- name: INSTANA_AGENT_HTTP_LISTEN
value: {{ .Values.agent.listenAddress | quote }}
{{- end }}
{{- if .Values.agent.serviceMesh.enabled }}
- name: ENABLE_AGENT_SOCKET
value: {{ .Values.agent.serviceMesh.enabled | quote }}
{{- end }}
{{- if .Values.agent.redactKubernetesSecrets }}
- name: INSTANA_KUBERNETES_REDACT_SECRETS
value: {{ .Values.agent.redactKubernetesSecrets | quote }}
{{- end }}
- name: INSTANA_AGENT_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- range $key, $value := .Values.agent.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end -}}
{{- define "instana-agent.commonVolumeMounts" -}}
{{- if .Values.agent.host.repository }}
- name: repo
mountPath: /opt/instana/agent/data/repo
{{- end }}
{{- if .Values.agent.additionalBackends -}}
{{- range $index,$backend := .Values.agent.additionalBackends }}
{{- $backendIndex :=add $index 2 }}
- name: additional-backend-{{$backendIndex}}
subPath: additional-backend-{{$backendIndex}}
mountPath: /opt/instana/agent/etc/instana/com.instana.agent.main.sender.Backend-{{$backendIndex}}.cfg
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "instana-agent.commonVolumes" -}}
- name: configuration
configMap:
name: {{ include "instana-agent.fullname" . }}
{{- if .Values.agent.host.repository }}
- name: repo
hostPath:
path: {{ .Values.agent.host.repository }}
{{- end }}
{{- if .Values.agent.additionalBackends }}
{{- range $index,$backend := .Values.agent.additionalBackends }}
{{ $backendIndex :=add $index 2 -}}
- name: additional-backend-{{$backendIndex}}
configMap:
name: {{ include "instana-agent.fullname" $ }}
{{- end }}
{{- end }}
{{- end -}}
{{- define "instana-agent.livenessProbe" -}}
httpGet:
host: 127.0.0.1 # localhost because Pod has hostNetwork=true
path: /status
port: 42699
initialDelaySeconds: 600 # startupProbe isnt available before K8s 1.16
timeoutSeconds: 5
periodSeconds: 10
failureThreshold: 3
{{- end -}}
{{- define "leader-elector.container" -}}
- name: leader-elector
image: {{ include "image" .Values.leaderElector.image | quote }}
env:
- name: INSTANA_AGENT_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
command:
- "/busybox/sh"
- "-c"
- "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)"
resources:
requests:
cpu: 0.1
memory: "64Mi"
livenessProbe:
httpGet: # Leader elector /health endpoint expects version 0.5.8 minimum, otherwise always returns 200 OK
host: 127.0.0.1 # localhost because Pod has hostNetwork=true
path: /health
port: {{ .Values.leaderElector.port }}
initialDelaySeconds: 30
timeoutSeconds: 3
periodSeconds: 3
failureThreshold: 3
ports:
- containerPort: {{ .Values.leaderElector.port }}
{{- end -}}
{{- define "instana-agent.tls-volume" -}}
- name: {{ include "instana-agent.fullname" . }}-tls
secret:
secretName: {{ .Values.agent.tls.secretName | default (printf "%s-tls" (include "instana-agent.fullname" .)) }}
defaultMode: 0440
{{- end -}}
{{- define "instana-agent.tls-volumeMounts" -}}
- name: {{ include "instana-agent.fullname" . }}-tls
mountPath: /opt/instana/agent/etc/certs
readOnly: true
{{- end -}}
{{- define "k8sensor.commonEnv" -}}
{{- range $key, $value := .Values.agent.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- end -}}
{{/*NOTE: These are nested templates not functions, if I format this to make it readable then it won't work the way */}}
{{/*we need it to since all of the newlines and spaces will be included into the output. Helm is */}}
{{/*not fundamentally designed to do what we are doing here.*/}}
{{- define "instana-agent.opentelemetry.grpc.isEnabled" -}}{{ if hasKey .Values "opentelemetry" }}{{ if hasKey .Values.opentelemetry "grpc" }}{{ if hasKey .Values.opentelemetry.grpc "enabled" }}{{ .Values.opentelemetry.grpc.enabled }}{{ else }}{{ true }}{{ end }}{{ else }}{{ if hasKey .Values.opentelemetry "enabled" }}{{ .Values.opentelemetry.enabled }}{{ else }}{{ false }}{{ end }}{{ end }}{{ else }}{{ false }}{{ end }}{{- end -}}
{{- define "instana-agent.opentelemetry.http.isEnabled" -}}{{ if hasKey .Values "opentelemetry" }}{{ if hasKey .Values.opentelemetry "http" }}{{ if hasKey .Values.opentelemetry.http "enabled" }}{{ .Values.opentelemetry.http.enabled }}{{ else }}{{ true }}{{ end }}{{ else }}{{ false }}{{ end }}{{ else }}{{ false }}{{ end }}{{- end -}}
{{- define "kubeVersion" -}}
{{- if (regexMatch "\\d+\\.\\d+\\.\\d+-(?:eks|gke).+" .Capabilities.KubeVersion.Version) -}}
{{- regexFind "\\d+\\.\\d+\\.\\d+" .Capabilities.KubeVersion.Version -}}
{{- else -}}
{{- printf .Capabilities.KubeVersion.Version }}
{{- end -}}
{{- end -}}

63
charts/instana/instana-agent/1.2.74/templates/agent-configmap.yaml Normal file
View File

@ -0,0 +1,63 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "instana-agent.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
data:
{{- if .Values.cluster.name }}
cluster_name: {{ .Values.cluster.name | quote }}
{{- end }}
configuration.yaml: |
{{- if .Values.agent.configuration_yaml }}
{{ .Values.agent.configuration_yaml | nindent 4 }}
{{- end }}
{{ if or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) }}
configuration-opentelemetry.yaml: |
com.instana.plugin.opentelemetry: {{ toYaml .Values.opentelemetry | nindent 6 }}
{{ end }}
{{- if .Values.prometheus.remoteWrite.enabled }}
configuration-prometheus-remote-write.yaml: |
com.instana.plugin.prometheus:
remote_write:
enabled: true
{{- end }}
{{- if or .Values.kubernetes.deployment.enabled .Values.k8s_sensor.deployment.enabled }}
configuration-disable-kubernetes-sensor.yaml: |
com.instana.plugin.kubernetes:
enabled: false
{{- end }}
{{- if .Values.agent.additionalBackends }}
{{- $proxyHost := .Values.agent.proxyHost }}
{{- $proxyPort := .Values.agent.proxyPort }}
{{- $proxyUser := .Values.agent.proxyUser }}
{{- $proxyPassword := .Values.agent.proxyPassword }}
{{- $proxyUseDNS := .Values.agent.proxyUseDNS }}
{{- range $index,$backend := .Values.agent.additionalBackends }}
{{ $backendIndex :=add $index 2 -}}
additional-backend-{{$backendIndex}}: |
host={{ .endpointHost }}
port={{ default 443 .endpointPort }}
key={{ .key }}
protocol=HTTP/2
{{- if $proxyHost }}
proxy.type=HTTP
proxy.host={{ $proxyHost }}
proxy.port={{ $proxyPort }}
{{- if $proxyUser }}
proxy.user={{ $proxyUser }}
proxy.password={{ $proxyPassword }}
{{- end }}
{{- if $proxyUseDNS }}
proxyUseDNS=true
{{- end }}
{{- end }}
{{- end }}
{{- end }}

218
charts/instana/instana-agent/1.2.74/templates/agent-daemonset-with-zones.yaml Normal file
View File

@ -0,0 +1,218 @@
{{- if or .Values.agent.key .Values.agent.keysSecret }}
{{- if and .Values.cluster.name .Values.zones }}
{{ $opentelemetryIsEnabled := (or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) )}}
{{- range $.Values.zones }}
{{- $fullname := printf "%s-%s" (include "instana-agent.fullname" $) .name -}}
{{- $tolerations := .tolerations -}}
{{- $affinity := .affinity -}}
{{- $mode := .mode -}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ $fullname }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" $ | nindent 4 }}
io.instana/zone: {{.name}}
spec:
selector:
matchLabels:
{{- include "instana-agent.selectorLabels" $ | nindent 6 }}
io.instana/zone: {{.name}}
updateStrategy:
type: {{ $.Values.agent.updateStrategy.type }}
{{- if eq $.Values.agent.updateStrategy.type "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ $.Values.agent.updateStrategy.rollingUpdate.maxUnavailable }}
{{- end }}
minReadySeconds: {{ $.Values.agent.minReadySeconds }}
template:
metadata:
labels:
io.instana/zone: {{.name}}
{{- if $.Values.agent.pod.labels }}
{{- toYaml $.Values.agent.pod.labels | nindent 8 }}
{{- end }}
{{- include "instana-agent.commonLabels" $ | nindent 8 }}
instana/agent-mode: {{ $mode | default "APM" | quote }}
annotations:
{{- if $.Values.agent.pod.annotations }}
{{- toYaml $.Values.agent.pod.annotations | nindent 8 }}
{{- end }}
# To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
# Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
instana-configuration-hash: {{ $.Values.agent.configuration_yaml | cat ";" | cat ( join "," $.Values.agent.additionalBackends ) | sha1sum }}
spec:
serviceAccountName: {{ template "instana-agent.serviceAccountName" $ }}
{{- if $.Values.agent.pod.nodeSelector }}
nodeSelector:
{{- range $key, $value := $.Values.agent.pod.nodeSelector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
hostNetwork: true
hostPID: true
{{- if $.Values.agent.pod.priorityClassName }}
priorityClassName: {{ $.Values.agent.pod.priorityClassName | quote }}
{{- end }}
dnsPolicy: ClusterFirstWithHostNet
{{- if typeIs "[]interface {}" $.Values.agent.image.pullSecrets }}
imagePullSecrets:
{{- toYaml $.Values.agent.image.pullSecrets | nindent 8 }}
{{- else if $.Values.agent.image.name | hasPrefix "containers.instana.io" }}
imagePullSecrets:
- name: containers-instana-io
{{- end }}
containers:
- name: instana-agent
image: {{ include "image" $.Values.agent.image | quote}}
imagePullPolicy: {{ $.Values.agent.image.pullPolicy }}
env:
- name: INSTANA_ZONE
value: {{ .name | quote }}
{{- if $mode }}
- name: INSTANA_AGENT_MODE
value: {{ $mode | quote }}
{{- end }}
{{- include "instana-agent.commonEnv" $ | nindent 12 }}
securityContext:
privileged: true
volumeMounts:
- name: dev
mountPath: /dev
mountPropagation: HostToContainer
- name: run
mountPath: /run
mountPropagation: HostToContainer
- name: var-run
mountPath: /var/run
mountPropagation: HostToContainer
{{- if not (or $.Values.openshift ($.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
- name: var-run-kubo
mountPath: /var/vcap/sys/run/docker
mountPropagation: HostToContainer
- name: var-run-containerd
mountPath: /var/vcap/sys/run/containerd
mountPropagation: HostToContainer
- name: var-containerd-config
mountPath: /var/vcap/jobs/containerd/config
mountPropagation: HostToContainer
{{- end }}
- name: sys
mountPath: /sys
mountPropagation: HostToContainer
- name: var-log
mountPath: /var/log
mountPropagation: HostToContainer
- name: var-lib
mountPath: /var/lib
mountPropagation: HostToContainer
- name: var-data
mountPath: /var/data
mountPropagation: HostToContainer
- name: machine-id
mountPath: /etc/machine-id
- name: configuration
{{- if $.Values.agent.configuration.hotreloadEnabled }}
mountPath: /root/
{{- else }}
subPath: configuration.yaml
mountPath: /root/configuration.yaml
{{- end }}
{{- if $.Values.agent.tls }}
{{- if or $.Values.agent.tls.secretName (and $.Values.agent.tls.certificate $.Values.agent.tls.key) }}
{{- include "instana-agent.tls-volumeMounts" $ | nindent 12 }}
{{- end }}
{{- end }}
{{- include "instana-agent.commonVolumeMounts" $ | nindent 12 }}
{{- if $.Values.agent.configuration.autoMountConfigEntries }}
{{- include "volumeMountsForConfigFileInConfigMap" $ | nindent 12 }}
{{- end }}
{{- if or $.Values.kubernetes.deployment.enabled $.Values.k8s_sensor.deployment.enabled }}
- name: configuration
subPath: configuration-disable-kubernetes-sensor.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-disable-kubernetes-sensor.yaml
{{- end }}
{{- if $opentelemetryIsEnabled }}
- name: configuration
subPath: configuration-opentelemetry.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-opentelemetry.yaml
{{- end }}
{{- if $.Values.prometheus.remoteWrite.enabled }}
- name: configuration
subPath: configuration-prometheus-remote-write.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-prometheus-remote-write.yaml
{{- end }}
livenessProbe:
{{- include "instana-agent.livenessProbe" $ | nindent 12 }}
resources:
requests:
{{- include "instana-agent.resources" $.Values.agent.pod.requests | nindent 14 }}
limits:
{{- include "instana-agent.resources" $.Values.agent.pod.limits | nindent 14 }}
ports:
- containerPort: 42699
{{- if and (not $.Values.kubernetes.deployment.enabled) (not $.Values.k8s_sensor.deployment.enabled) }}
{{- include "leader-elector.container" $ | nindent 8 }}
{{- end }}
{{ if $tolerations -}}
tolerations:
{{- toYaml $tolerations | nindent 8 }}
{{- end }}
{{ if $affinity -}}
affinity:
{{- toYaml $affinity | nindent 8 }}
{{- end }}
volumes:
- name: dev
hostPath:
path: /dev
- name: run
hostPath:
path: /run
- name: var-run
hostPath:
path: /var/run
{{- if not (or $.Values.openshift ($.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
# Systems based on the kubo BOSH release (that is, VMware TKGI and older PKS) do not keep the Docker
# socket in /var/run/docker.sock , but rather in /var/vcap/sys/run/docker/docker.sock .
# The Agent images will check if there is a Docker socket here and, if so, adjust the symlinking before
# starting the Agent. See https://github.com/cloudfoundry-incubator/kubo-release/issues/329
- name: var-run-kubo
hostPath:
path: /var/vcap/sys/run/docker
- name: var-run-containerd
hostPath:
path: /var/vcap/sys/run/containerd
- name: var-containerd-config
hostPath:
path: /var/vcap/jobs/containerd/config
{{- end }}
- name: sys
hostPath:
path: /sys
- name: var-log
hostPath:
path: /var/log
- name: var-lib
hostPath:
path: /var/lib
- name: var-data
hostPath:
path: /var/data
- name: machine-id
hostPath:
path: /etc/machine-id
{{- if $.Values.agent.tls }}
{{- if or $.Values.agent.tls.secretName (and $.Values.agent.tls.certificate $.Values.agent.tls.key) }}
{{- include "instana-agent.tls-volume" . | nindent 8 }}
{{- end }}
{{- end }}
{{- include "instana-agent.commonVolumes" $ | nindent 8 }}
{{ printf "\n" }}
{{ end }}
{{- end }}
{{- end }}

209
charts/instana/instana-agent/1.2.74/templates/agent-daemonset.yaml Normal file
View File

@ -0,0 +1,209 @@
# TODO: Combine into single template with agent-daemonset-with-zones.yaml
{{- if or .Values.agent.key .Values.agent.keysSecret }}
{{- if and (or .Values.zone.name .Values.cluster.name) (not .Values.zones) }}
{{- $fullname := include "instana-agent.fullname" . -}}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ $fullname }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "instana-agent.selectorLabels" . | nindent 6 }}
updateStrategy:
type: {{ .Values.agent.updateStrategy.type }}
{{- if eq .Values.agent.updateStrategy.type "RollingUpdate" }}
rollingUpdate:
maxUnavailable: {{ .Values.agent.updateStrategy.rollingUpdate.maxUnavailable }}
{{- end }}
minReadySeconds: {{ $.Values.agent.minReadySeconds }}
template:
metadata:
labels:
{{- if .Values.agent.pod.labels }}
{{- toYaml .Values.agent.pod.labels | nindent 8 }}
{{- end }}
{{- include "instana-agent.commonLabels" . | nindent 8 }}
instana/agent-mode: {{ .Values.agent.mode | default "APM" | quote }}
annotations:
{{- if .Values.agent.pod.annotations }}
{{- toYaml .Values.agent.pod.annotations | nindent 8 }}
{{- end }}
# To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
# Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
instana-configuration-hash: {{ .Values.agent.configuration_yaml | cat ";" | cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
spec:
serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
{{- if .Values.agent.pod.nodeSelector }}
nodeSelector:
{{- range $key, $value := .Values.agent.pod.nodeSelector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
hostNetwork: true
hostPID: true
{{- if .Values.agent.pod.priorityClassName }}
priorityClassName: {{ .Values.agent.pod.priorityClassName | quote }}
{{- end }}
dnsPolicy: ClusterFirstWithHostNet
{{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
{{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
imagePullSecrets:
- name: containers-instana-io
{{- end }}
containers:
- name: instana-agent
image: {{ include "image" .Values.agent.image | quote}}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
env:
{{- if .Values.agent.mode }}
- name: INSTANA_AGENT_MODE
value: {{ .Values.agent.mode | quote }}
{{- end }}
{{- include "instana-agent.commonEnv" . | nindent 12 }}
securityContext:
privileged: true
volumeMounts:
- name: dev
mountPath: /dev
mountPropagation: HostToContainer
- name: run
mountPath: /run
mountPropagation: HostToContainer
- name: var-run
mountPath: /var/run
mountPropagation: HostToContainer
{{- if not (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
- name: var-run-kubo
mountPath: /var/vcap/sys/run/docker
mountPropagation: HostToContainer
- name: var-run-containerd
mountPath: /var/vcap/sys/run/containerd
mountPropagation: HostToContainer
- name: var-containerd-config
mountPath: /var/vcap/jobs/containerd/config
mountPropagation: HostToContainer
{{- end }}
- name: sys
mountPath: /sys
mountPropagation: HostToContainer
- name: var-log
mountPath: /var/log
mountPropagation: HostToContainer
- name: var-lib
mountPath: /var/lib
mountPropagation: HostToContainer
- name: var-data
mountPath: /var/data
mountPropagation: HostToContainer
- name: machine-id
mountPath: /etc/machine-id
- name: configuration
{{- if $.Values.agent.configuration.hotreloadEnabled }}
mountPath: /root/
{{- else }}
subPath: configuration.yaml
mountPath: /root/configuration.yaml
{{- end }}
{{- if .Values.agent.tls }}
{{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
{{- include "instana-agent.tls-volumeMounts" . | nindent 12 }}
{{- end }}
{{- end }}
{{- include "instana-agent.commonVolumeMounts" . | nindent 12 }}
{{- if .Values.agent.configuration.autoMountConfigEntries }}
{{- include "volumeMountsForConfigFileInConfigMap" . | nindent 12 }}
{{- end }}
{{- if or .Values.kubernetes.deployment.enabled .Values.k8s_sensor.deployment.enabled }}
- name: configuration # TODO: These shouldn't have the same name
subPath: configuration-disable-kubernetes-sensor.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-disable-kubernetes-sensor.yaml
{{- end }}
{{- if or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) }}
- name: configuration
subPath: configuration-opentelemetry.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-opentelemetry.yaml
{{- end }}
{{- if .Values.prometheus.remoteWrite.enabled }}
- name: configuration
subPath: configuration-prometheus-remote-write.yaml
mountPath: /opt/instana/agent/etc/instana/configuration-prometheus-remote-write.yaml
{{- end }}
livenessProbe:
{{- include "instana-agent.livenessProbe" . | nindent 12 }}
resources:
requests:
{{- include "instana-agent.resources" .Values.agent.pod.requests | nindent 14 }}
limits:
{{- include "instana-agent.resources" .Values.agent.pod.limits | nindent 14 }}
ports:
- containerPort: 42699
{{- if and (not .Values.kubernetes.deployment.enabled) (not .Values.k8s_sensor.deployment.enabled) }}
{{- include "leader-elector.container" . | nindent 8 }}
{{- end }}
{{- if .Values.agent.pod.tolerations }}
tolerations:
{{- toYaml .Values.agent.pod.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.agent.pod.affinity }}
affinity:
{{- toYaml .Values.agent.pod.affinity | nindent 8 }}
{{- end }}
volumes:
- name: dev
hostPath:
path: /dev
- name: run
hostPath:
path: /run
- name: var-run
hostPath:
path: /var/run
{{- if not (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
# Systems based on the kubo BOSH release (that is, VMware TKGI and older PKS) do not keep the Docker
# socket in /var/run/docker.sock , but rather in /var/vcap/sys/run/docker/docker.sock .
# The Agent images will check if there is a Docker socket here and, if so, adjust the symlinking before
# starting the Agent. See https://github.com/cloudfoundry-incubator/kubo-release/issues/329
- name: var-run-kubo
hostPath:
path: /var/vcap/sys/run/docker
type: DirectoryOrCreate
- name: var-run-containerd
hostPath:
path: /var/vcap/sys/run/containerd
type: DirectoryOrCreate
- name: var-containerd-config
hostPath:
path: /var/vcap/jobs/containerd/config
type: DirectoryOrCreate
{{- end }}
- name: sys
hostPath:
path: /sys
- name: var-log
hostPath:
path: /var/log
- name: var-lib
hostPath:
path: /var/lib
- name: var-data
hostPath:
path: /var/data
type: DirectoryOrCreate
- name: machine-id
hostPath:
path: /etc/machine-id
{{- if .Values.agent.tls }}
{{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
{{- include "instana-agent.tls-volume" . | nindent 8 }}
{{- end }}
{{- end }}
{{- include "instana-agent.commonVolumes" . | nindent 8 }}
{{- end }}
{{- end }}

88
charts/instana/instana-agent/1.2.74/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,88 @@
{{- if or .Values.rbac.create (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "instana-agent.fullname" . }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
rules:
- nonResourceURLs:
- "/version"
- "/healthz"
- "/metrics"
- "/stats/summary"
- "/metrics/cadvisor"
verbs: ["get"]
{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
apiGroups: []
resources: []
{{- end }}
- apiGroups: [""]
resources:
- "nodes"
- "nodes/stats"
- "nodes/metrics"
- "pods"
{{- if and $.Values.kubernetes.deployment.enabled (not $.Values.k8s_sensor.deployment.enabled) }}
- "namespaces"
- "events"
- "services"
- "endpoints"
- "replicationcontrollers"
- "componentstatuses"
- "resourcequotas"
- "persistentvolumes"
- "persistentvolumeclaims"
{{- end }}
verbs: ["get", "list", "watch"]
{{- if and $.Values.kubernetes.deployment.enabled (not $.Values.k8s_sensor.deployment.enabled) }}
- apiGroups: ["batch"]
resources:
- "jobs"
- "cronjobs"
verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
resources:
- "deployments"
- "replicasets"
- "ingresses"
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources:
- "deployments"
- "replicasets"
- "daemonsets"
- "statefulsets"
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- "endpoints"
verbs: ["create", "update", "patch"]
- apiGroups: ["networking.k8s.io"]
resources:
- "ingresses"
verbs: ["get", "list", "watch"]
{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
- apiGroups: ["apps.openshift.io"]
resources:
- "deploymentconfigs"
verbs: ["get", "list", "watch"]
{{- end -}}
{{- end }}
{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
- apiGroups: ["security.openshift.io"]
resourceNames: ["privileged"]
resources: ["securitycontextconstraints"]
verbs: ["use"]
{{- end }}
{{- if .Values.podSecurityPolicy.enable}}
{{- if semverCompare "< 1.25.x" (include "kubeVersion" .) }}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ template "instana-agent.podSecurityPolicyName" . }}
{{- end }}
{{- end }}
{{- end }}

17
charts/instana/instana-agent/1.2.74/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if or .Values.rbac.create (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "instana-agent.fullname" . }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "instana-agent.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ template "instana-agent.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

39
charts/instana/instana-agent/1.2.74/templates/headless-service.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if .Values.service.create -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "instana-agent.fullname" . }}-headless
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
clusterIP: None
selector:
{{- include "instana-agent.selectorLabels" . | nindent 4 }}
ports:
# Prometheus remote_write, Trace Web SDK and other APIs
- name: agent-apis
protocol: TCP
port: 42699
targetPort: 42699
{{ if eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .) }}
# OpenTelemetry original default port
- name: opentelemetry
protocol: TCP
port: 55680
targetPort: 55680
# OpenTelemetry as registered and reserved by IANA
- name: opentelemetry-iana
protocol: TCP
port: 4317
targetPort: 4317
{{- end -}}
{{ if eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .) }}
# OpenTelemetry HTTP port
- name: opentelemetry-http
protocol: TCP
port: 4318
targetPort: 4318
{{- end -}}
{{- end -}}

12
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-configmap.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.k8s_sensor.deployment.enabled -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: k8sensor
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
data:
backend: {{ printf "%s:%v" .Values.agent.endpointHost .Values.agent.endpointPort }}
{{- end }}

131
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-deployment.yaml Normal file
View File

@ -0,0 +1,131 @@
{{- if .Values.k8s_sensor.deployment.enabled -}}
{{- if or .Values.agent.key .Values.agent.keysSecret -}}
{{- if or .Values.zone.name .Values.cluster.name -}}
{{- $user_name_password := "" -}}
{{ if .Values.agent.proxyUser }}
{{- $user_name_password = print .Values.agent.proxyUser ":" .Values.agent.proxyPassword "@" -}}
{{ end}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: k8sensor
namespace: {{ .Release.Namespace }}
labels:
app: k8sensor
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
replicas: {{ default "1" .Values.k8s_sensor.deployment.replicas }}
selector:
matchLabels:
{{- include "k8s-sensor.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- if .Values.agent.pod.labels }}
{{- toYaml .Values.agent.pod.labels | nindent 8 }}
{{- end }}
{{- include "k8s-sensor.commonLabels" . | nindent 8 }}
instana/agent-mode: KUBERNETES
annotations:
{{- if .Values.agent.pod.annotations }}
{{- toYaml .Values.agent.pod.annotations | nindent 8 }}
{{- end }}
# To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
# Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
spec:
serviceAccountName: k8sensor
{{- if .Values.k8s_sensor.deployment.pod.nodeSelector }}
nodeSelector:
{{- range $key, $value := .Values.k8s_sensor.deployment.pod.nodeSelector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.k8s_sensor.deployment.pod.priorityClassName }}
priorityClassName: {{ .Values.k8s_sensor.deployment.pod.priorityClassName | quote }}
{{- end }}
{{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
{{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
imagePullSecrets:
- name: containers-instana-io
{{- end }}
containers:
- name: instana-agent
image: {{ include "image" .Values.k8s_sensor.image | quote }}
imagePullPolicy: {{ .Values.k8s_sensor.image.pullPolicy }}
env:
- name: AGENT_KEY
valueFrom:
secretKeyRef:
name: {{ template "instana-agent.keysSecretName" . }}
key: key
- name: BACKEND
valueFrom:
configMapKeyRef:
name: k8sensor
key: backend
- name: BACKEND_URL
value: "https://$(BACKEND)"
- name: AGENT_ZONE
value: {{ empty .Values.cluster.name | ternary .Values.zone.name .Values.cluster.name}}
- name: POD_UID
valueFrom:
fieldRef:
fieldPath: metadata.uid
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if not (empty .Values.agent.proxyHost) }}
- name: HTTPS_PROXY
value: "http://{{ $user_name_password }}{{ .Values.agent.proxyHost }}:{{ .Values.agent.proxyPort }}"
- name: NO_PROXY
value: "kubernetes.default.svc"
{{- end }}
{{- if .Values.agent.redactKubernetesSecrets }}
- name: INSTANA_KUBERNETES_REDACT_SECRETS
value: {{ .Values.agent.redactKubernetesSecrets | quote }}
{{- end }}
{{- if .Values.agent.configuration_yaml }}
- name: CONFIG_PATH
value: /root
{{- end }}
{{- include "k8sensor.commonEnv" . | nindent 12 }}
volumeMounts:
- name: configuration
subPath: configuration.yaml
mountPath: /root/configuration.yaml
resources:
requests:
{{- include "instana-agent.resources" .Values.k8s_sensor.deployment.pod.requests | nindent 14 }}
limits:
{{- include "instana-agent.resources" .Values.k8s_sensor.deployment.pod.limits | nindent 14 }}
ports:
- containerPort: 42699
volumes:
- name: configuration
configMap:
name: {{ include "instana-agent.fullname" . }}
{{- if .Values.k8s_sensor.deployment.pod.tolerations }}
tolerations:
{{- toYaml .Values.k8s_sensor.deployment.pod.tolerations | nindent 8 }}
{{- end }}
affinity:
{{- toYaml .Values.k8s_sensor.deployment.pod.affinity | nindent 8 }}
minReadySeconds: {{ $.Values.k8s_sensor.deployment.minReadySeconds }}
{{- end -}}
{{- end -}}
{{- end -}}

13
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-pod-disruption-budget.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.k8s_sensor.podDisruptionBudget.enabled -}}
{{- if (gt (int .Values.k8s_sensor.deployment.replicas) 1) }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: k8sensor
spec:
selector:
matchLabels:
{{- include "k8s-sensor.selectorLabels" . | nindent 6 }}
minAvailable: {{ sub (int .Values.k8s_sensor.deployment.replicas) 1 }}
{{- end -}}
{{- end -}}

27
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.k8s_sensor.deployment.enabled .Values.podSecurityPolicy.enable -}}
---
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: k8sensor
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- projected
- hostPath
runAsUser:
rule: "RunAsAny"
seLinux:
rule: "RunAsAny"
supplementalGroups:
rule: "RunAsAny"
fsGroup:
rule: "RunAsAny"
{{- end }}

124
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-role.yaml Normal file
View File

@ -0,0 +1,124 @@
{{- if .Values.k8s_sensor.deployment.enabled -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8sensor
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
rules:
-
nonResourceURLs:
- /version
- /healthz
verbs:
- get
-
apiGroups:
- extensions
resources:
- deployments
- replicasets
- ingresses
verbs:
- get
- list
- watch
-
apiGroups:
- ""
resources:
- configmaps
- events
- services
- endpoints
- namespaces
- nodes
- pods
- replicationcontrollers
- resourcequotas
- persistentvolumes
- persistentvolumeclaims
verbs:
- get
- list
- watch
-
apiGroups:
- apps
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
-
apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- get
- list
- watch
-
apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
-
apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- watch
-
apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- get
- list
- watch
-
apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- get
- list
- watch
-
apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{ if .Values.podSecurityPolicy.enable }}
-
apiGroups:
- policy
resourceNames:
- k8sensor
resources:
- podsecuritypolicies
verbs:
- use
{{ end }}
{{- end }}

17
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-rolebinding.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.k8s_sensor.deployment.enabled -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8sensor
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
roleRef:
kind: ClusterRole
name: k8sensor
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: k8sensor
namespace: {{ .Release.Namespace }}
{{- end }}

10
charts/instana/instana-agent/1.2.74/templates/k8s-sensor-serviceaccount.yaml Normal file
View File

@ -0,0 +1,10 @@
{{- if .Values.k8s_sensor.deployment.enabled -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: k8sensor
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
{{- end }}

19
charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-configmap.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.kubernetes.deployment.enabled (not .Values.k8s_sensor.deployment.enabled) -}}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: kubernetes-sensor
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
data:
# TODO We should get rid of this and imply the ring-fence iff the mode is "KUBERNETES"
configuration.yaml: |
com.instana.plugin.kubernetes:
enabled: true
com.instana.kubernetes:
leader:
isRingFenced: true
{{- end }}

119
charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-deployment.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- if and .Values.kubernetes.deployment.enabled (not .Values.k8s_sensor.deployment.enabled) -}}
{{- if or .Values.agent.key .Values.agent.keysSecret -}}
{{- if or .Values.zone.name .Values.cluster.name -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: kubernetes-sensor
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
replicas: {{ default "1" .Values.kubernetes.deployment.replicas }}
selector:
matchLabels:
{{- include "instana-agent.selectorLabels" . | nindent 6 }}
minReadySeconds: {{ $.Values.kubernetes.deployment.minReadySeconds }}
template:
metadata:
labels:
{{- if .Values.agent.pod.labels }}
{{- toYaml .Values.agent.pod.labels | nindent 8 }}
{{- end }}
{{- include "instana-agent.commonLabels" . | nindent 8 }}
instana/agent-mode: KUBERNETES
annotations:
{{- if .Values.agent.pod.annotations }}
{{- toYaml .Values.agent.pod.annotations | nindent 8 }}
{{- end }}
# To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
# Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
spec:
serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
{{- if .Values.kubernetes.deployment.pod.nodeSelector }}
nodeSelector:
{{- range $key, $value := .Values.kubernetes.deployment.pod.nodeSelector }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.kubernetes.deployment.pod.priorityClassName }}
priorityClassName: {{ .Values.kubernetes.deployment.pod.priorityClassName | quote }}
{{- end }}
{{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
imagePullSecrets:
{{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
{{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
imagePullSecrets:
- name: containers-instana-io
{{- end }}
containers:
- name: instana-agent
image: {{ include "image" .Values.agent.image | quote }}
imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
securityContext:
privileged: true
env:
- name: INSTANA_AGENT_MODE
value: KUBERNETES
{{- include "instana-agent.commonEnv" . | nindent 12 }}
volumeMounts:
{{- include "instana-agent.commonVolumeMounts" . | nindent 12 }}
- name: kubernetes-sensor-configuration
subPath: configuration.yaml
mountPath: /root/configuration.yaml
{{- if .Values.agent.tls }}
{{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
{{- include "instana-agent.tls-volumeMounts" . | nindent 12 }}
{{- end }}
{{- end }}
resources:
requests:
{{- include "instana-agent.resources" .Values.kubernetes.deployment.pod.requests | nindent 14 }}
limits:
{{- include "instana-agent.resources" .Values.kubernetes.deployment.pod.limits | nindent 14 }}
ports:
- containerPort: 42699
- name: leader-elector
image: {{ include "image" .Values.leaderElector.image | quote }}
env:
- name: INSTANA_AGENT_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
command:
- "/busybox/sh"
- "-c"
- "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)"
resources:
requests:
cpu: 0.1
memory: "64Mi"
ports:
- containerPort: {{ .Values.leaderElector.port }}
{{- if .Values.kubernetes.deployment.pod.tolerations }}
tolerations:
{{- toYaml .Values.kubernetes.deployment.pod.tolerations | nindent 8 }}
{{- end }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchExpressions:
- key: instana/agent-mode
operator: In
values: [ KUBERNETES ]
volumes:
{{- include "instana-agent.commonVolumes" . | nindent 8 }}
- name: kubernetes-sensor-configuration
configMap:
name: kubernetes-sensor
{{- if .Values.agent.tls }}
{{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
{{- include "instana-agent.tls-volume" . | nindent 8 }}
{{- end }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}

9
charts/instana/instana-agent/1.2.74/templates/namespace.yaml Normal file
View File

@ -0,0 +1,9 @@
{{- if .Values.templating }}
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
{{- end }}

65
charts/instana/instana-agent/1.2.74/templates/podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,65 @@
{{- if .Values.rbac.create }}
{{- if (and .Values.podSecurityPolicy.enable (not .Values.podSecurityPolicy.name)) }}
{{- if semverCompare "< 1.25.x" (include "kubeVersion" .) }}
---
kind: PodSecurityPolicy
apiVersion: policy/v1beta1
metadata:
name: {{ template "instana-agent.podSecurityPolicyName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
privileged: true
allowPrivilegeEscalation: true
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- secret
- projected
- hostPath
allowedHostPaths:
- pathPrefix: "/dev"
readOnly: false
- pathPrefix: "/run"
readOnly: false
- pathPrefix: "/var/run"
readOnly: false
- pathPrefix: "/var/vcap/sys/run/docker"
readOnly: false
- pathPrefix: "/var/vcap/sys/run/containerd"
readOnly: false
- pathPrefix: "/var/vcap/jobs/containerd/config"
readOnly: false
- pathPrefix: "/sys"
readOnly: false
- pathPrefix: "/var/log"
readOnly: false
- pathPrefix: "/var/lib"
readOnly: false
- pathPrefix: "/var/data"
readOnly: false
- pathPrefix: "/etc/machine-id"
readOnly: false
{{- if .Values.agent.host.repository }}
- pathPrefix: {{ .Values.agent.host.repository }}
readOnly: false
{{- end }}
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostPID: true
runAsUser:
rule: "RunAsAny"
seLinux:
rule: "RunAsAny"
supplementalGroups:
rule: "RunAsAny"
fsGroup:
rule: "RunAsAny"
{{- end }}
{{- end }}
{{- end }}

55
charts/instana/instana-agent/1.2.74/templates/secrets.yaml Normal file
View File

@ -0,0 +1,55 @@
{{- if not (typeIs "[]interface {}" .Values.agent.image.pullSecrets) }}
{{- if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
---
apiVersion: v1
kind: Secret
metadata:
name: containers-instana-io
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "imagePullSecretContainersInstanaIo" . }}
{{- end -}}
{{- end -}}
{{- if not .Values.agent.keysSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "instana-agent.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.templating }}
key: {{ .Values.agent.key }}
downloadKey: {{ default "''" .Values.agent.downloadKey }}
{{- else }}
{{- if .Values.agent.key }}
key: {{ .Values.agent.key | b64enc | quote }}
{{- end }}
{{- if .Values.agent.downloadKey }}
downloadKey: {{ .Values.agent.downloadKey | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.agent.tls }}
{{- if and (not .Values.agent.tls.secretName) (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ template "instana-agent.fullname" . }}-tls
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.agent.tls.certificate }}
tls.key: {{ .Values.agent.tls.key }}
{{- end }}
{{- end }}

45
charts/instana/instana-agent/1.2.74/templates/service.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if or .Values.service.create (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) .Values.prometheus.remoteWrite.enabled -}}
---
apiVersion: v1
kind: Service
metadata:
name: {{ template "instana-agent.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
spec:
selector:
{{- include "instana-agent.selectorLabels" . | nindent 4 }}
ports:
# Prometheus remote_write, Trace Web SDK and other APIs
- name: agent-apis
protocol: TCP
port: 42699
targetPort: 42699
{{ if eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .) }}
# OpenTelemetry original default port
- name: opentelemetry
protocol: TCP
port: 55680
targetPort: 55680
# OpenTelemetry as registered and reserved by IANA
- name: opentelemetry-iana
protocol: TCP
port: 4317
targetPort: 4317
{{- end -}}
{{ if eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .) }}
# OpenTelemetry HTTP port
- name: opentelemetry-http
protocol: TCP
port: 4318
targetPort: 4318
{{- end -}}
{{- if semverCompare "< 1.22.x" (include "kubeVersion" .) }}
# since we run agents as DaemonSets we assume every node has this Service available:
topologyKeys:
- "kubernetes.io/hostname"
{{- else }}
internalTrafficPolicy: Local
{{- end -}}
{{- end -}}

16
charts/instana/instana-agent/1.2.74/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if .Values.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "instana-agent.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "instana-agent.commonLabels" . | nindent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{- if .Values.serviceAccount.annotations }}
{{- toYaml .Values.serviceAccount.annotations | nindent 4}}
{{- end }}
{{- end }}
{{- end }}

322
charts/instana/instana-agent/1.2.74/values.yaml Normal file
View File

@ -0,0 +1,322 @@
# name is the value which will be used as the base resource name for various resources associated with the agent.
# name: instana-agent
agent:
# agent.mode is used to set agent mode and it can be APM, INFRASTRUCTURE or AWS
# mode: APM
# agent.key is the secret token which your agent uses to authenticate to Instana's servers.
key: null
# agent.downloadKey is key, sometimes known as "sales key", that allows you to download,
# software from Instana.
# downloadKey: null
# Rather than specifying the agent key and optionally the download key, you can "bring your
# own secret" creating it in the namespace in which you install the `instana-agent` and
# specify its name in the `keysSecret` field. The secret you create must contains
# a field called `key` and optionally one called `downloadKey`, which contain, respectively,
# the values you'd otherwise set in `.agent.key` and `agent.downloadKey`.
# keysSecret: null
# agent.listenAddress is the IP address the agent HTTP server will listen to.
# listenAddress: "*"
# agent.endpointHost is the hostname of the Instana server your agents will connect to.
endpointHost: ingress-red-saas.instana.io
# agent.endpointPort is the port number (as a String) of the Instana server your agents will connect to.
endpointPort: 443
# These are additional backends the Instana agent will report to besides
# the one configured via the `agent.endpointHost`, `agent.endpointPort` and `agent.key` setting
additionalBackends: []
# - endpointHost: ingress.instana.io
# endpointPort: 443
# key: <agent_key>
# TLS for end-to-end encryption between Instana agent and clients accessing the agent.
# The Instana agent does not yet allow enforcing TLS encryption.
# TLS is only enabled on a connection when requested by the client.
tls:
# In order to enable TLS, a secret of type kubernetes.io/tls must be specified.
# secretName is the name of the secret that has the relevant files.
# secretName: null
# Otherwise, the certificate and the private key must be provided as base64 encoded.
# certificate: null
# key: null
image:
# agent.image.name is the name of the container image of the Instana agent.
name: icr.io/instana/agent
# agent.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
#digest:
# agent.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
tag: latest
# agent.image.pullPolicy specifies when to pull the image container.
pullPolicy: Always
# agent.image.pullSecrets allows you to override the default pull secret that is created when agent.image.name starts with "containers.instana.io"
# Setting agent.image.pullSecrets prevents the creation of the default "containers-instana-io" secret.
# pullSecrets:
# - name: my_awesome_secret_instead
# If you want no imagePullSecrets to be specified in the agent pod, you can just pass an empty array to agent.image.pullSecrets
# pullSecrets: []
# The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
minReadySeconds: 0
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
pod:
# agent.pod.annotations are additional annotations to be added to the agent pods.
annotations: {}
# agent.pod.labels are additional labels to be added to the agent pods.
labels: {}
# agent.pod.tolerations are tolerations to influence agent pod assignment.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# agent.pod.affinity are affinities to influence agent pod assignment.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
affinity: {}
# agent.pod.priorityClassName is the name of an existing PriorityClass that should be set on the agent pods
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: null
# agent.pod.requests and agent.pod.limits adjusts the resource assignments for the DaemonSet agent
# regardless of the kubernetes.deployment.enabled setting
requests:
# agent.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
memory: 768Mi
# agent.pod.requests.cpu are the requested CPU units allocation for the agent pods.
cpu: 0.5
limits:
# agent.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
memory: 768Mi
# agent.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
cpu: 1.5
# agent.proxyHost sets the INSTANA_AGENT_PROXY_HOST environment variable.
# proxyHost: null
# agent.proxyPort sets the INSTANA_AGENT_PROXY_PORT environment variable.
# proxyPort: 80
# agent.proxyProtocol sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable.
# proxyProtocol: HTTP
# agent.proxyUser sets the INSTANA_AGENT_PROXY_USER environment variable.
# proxyUser: null
# agent.proxyPassword sets the INSTANA_AGENT_PROXY_PASSWORD environment variable.
# proxyPassword: null
# agent.proxyUseDNS sets the INSTANA_AGENT_PROXY_USE_DNS environment variable.
# proxyUseDNS: false
# use this to set additional environment variables for the instana agent
# for example:
# env:
# INSTANA_AGENT_TAGS: dev
env: {}
configuration:
# When setting this to true, the Helm chart will automatically look up the entries
# of the default instana-agent ConfigMap, and mount as agent configuration files
# under /opt/instana/agent/etc/instana all entries with keys that match the
# 'configuration-*.yaml' scheme
#
# IMPORTANT: Needs Helm 3.1+ as it is built on the `lookup` function
# IMPORTANT: Editing the ConfigMap adding keys requires a `helm upgrade` to take effect
autoMountConfigEntries: false
# When setting this to true, the updates of the default instana-agent ConfigMap
# will be reflected in the pod without requiring a pod restart
hotreloadEnabled: false
configuration_yaml: |
# Manual a-priori configuration. Configuration will be only used when the sensor
# is actually installed by the agent.
# The commented out example values represent example configuration and are not
# necessarily defaults. Defaults are usually 'absent' or mentioned separately.
# Changes are hot reloaded unless otherwise mentioned.
# It is possible to create files called 'configuration-abc.yaml' which are
# merged with this file in file system order. So 'configuration-cde.yaml' comes
# after 'configuration-abc.yaml'. Only nested structures are merged, values are
# overwritten by subsequent configurations.
# Secrets
# To filter sensitive data from collection by the agent, all sensors respect
# the following secrets configuration. If a key collected by a sensor matches
# an entry from the list, the value is redacted.
#com.instana.secrets:
# matcher: 'contains-ignore-case' # 'contains-ignore-case', 'contains', 'regex'
# list:
# - 'key'
# - 'password'
# - 'secret'
# Host
#com.instana.plugin.host:
# tags:
# - 'dev'
# - 'app1'
# Hardware & Zone
#com.instana.plugin.generic.hardware:
# enabled: true # disabled by default
# availability-zone: 'zone'
# agent.redactKubernetesSecrets sets the INSTANA_KUBERNETES_REDACT_SECRETS environment variable.
# redactKubernetesSecrets: null
# agent.host.repository sets a host path to be mounted as the agent maven repository (for debugging or development purposes)
host:
repository: null
# agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable.
serviceMesh:
enabled: true
cluster:
# cluster.name represents the name that will be assigned to this cluster in Instana
name: null
leaderElector:
image:
# leaderElector.image.name is the name of the container image of the leader elector.
name: icr.io/instana/leader-elector
# leaderElector.image.digest is the digest (a.k.a. Image ID) of the leader elector container image; if specified, it has priority over leaderElector.image.digest, which will be ignored.
#digest:
# leaderElector.image.tag is the tag name of the agent container image; if leaderElector.image.digest is specified, this property is ignored.
tag: 0.5.19
port: 42655
# openshift specifies whether the cluster role should include openshift permissions and other tweaks to the YAML.
# The chart will try to auto-detect if the cluster is OpenShift, so you will likely not even need to set this explicitly.
# openshift: true
rbac:
# Specifies whether RBAC resources should be created
create: true
service:
# Specifies whether to create the instana-agent service to expose within the cluster the Prometheus remote-write, OpenTelemetry GRCP endpoint and other APIs
# Note: Requires Kubernetes 1.17+, as it uses topologyKeys
create: true
opentelemetry:
# enabled: false # legacy setting, will only enable grpc, defaults to false
grpc:
enabled: true # takes precedence over legacy settings above, defaults to true if "grpc:" is present
http:
enabled: true # allows to enable http endpoints, defaults to true if "http:" is present
prometheus:
remoteWrite:
enabled: false # If true, it will also apply `service.create=true`
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and `create` is true, a name is generated using the fullname template
# name: instana-agent
# Annotations to add to the service account
annotations: {}
podSecurityPolicy:
# Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods.
# Requires `rbac.create` to be `true` as well and K8s version below v1.25.
enable: false
# The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods.
# If not set and `enable` is true, a PodSecurityPolicy will be created with a name generated using the fullname template.
name: null
zone:
# zone.name is the custom zone that detected technologies will be assigned to
name: null
k8s_sensor:
image:
# k8s_sensor.image.name is the name of the container image of the Instana agent.
name: icr.io/instana/k8sensor
# k8s_sensor.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
#digest:
# k8s_sensor.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
tag: latest
# k8s_sensor.image.pullPolicy specifies when to pull the image container.
pullPolicy: Always
deployment:
# Specifies whether or not to enable the Deployment and turn off the Kubernetes sensor in the DaemonSet
enabled: true
# Use three replicas to ensure the HA by the default.
replicas: 3
# k8s_sensor.deployment.pod adjusts the resource assignments for the agent independently of the DaemonSet agent when k8s_sensor.deployment.enabled=true
pod:
requests:
# k8s_sensor.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
memory: 128Mi
# k8s_sensor.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
cpu: 120m
limits:
# k8s_sensor.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
memory: 2048Mi
# k8s_sensor.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
cpu: 500m
affinity:
podAntiAffinity:
# Soft anti-affinity policy: try not to schedule multiple kubernetes-sensor pods on the same node.
# If the policy is set to "requiredDuringSchedulingIgnoredDuringExecution", if the cluster has
# fewer nodes than the amount of desired replicas, `helm install/upgrade --wait` will not return.
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: instana/agent-mode
operator: In
values: [ KUBERNETES ]
topologyKey: "kubernetes.io/hostname"
# The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
minReadySeconds: 0
podDisruptionBudget:
# Specifies whether or not to setup a pod disruption budget for the k8sensor deployment
enabled: false
kubernetes:
# Configures use of a Deployment for the Kubernetes sensor rather than as a potential member of the DaemonSet. Is only accepted if k8s_sensor.deployment.enabled=false
deployment:
# Specifies whether or not to enable the Deployment and turn off the Kubernetes sensor in the DaemonSet
enabled: false
# Use a single replica, the impact will generally be low and we need to address a host of other concerns where clusters are large.
replicas: 1
# The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
minReadySeconds: 0
# kubernetes.deployment.pod adjusts the resource assignments for the agent independently of the DaemonSet agent when kubernetes.deployment.enabled=true
pod:
requests:
# kubernetes.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
memory: 1024Mi
# kubernetes.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
cpu: 720m
limits:
# kubernetes.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
memory: 3072Mi
# kubernetes.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
cpu: 4
# zones:
# # Configure use of zones to use tolerations as the basis to associate a specific daemonset per tainted node pool
# - name: pool-01
# tolerations:
# - key: "pool"
# operator: "Equal"
# value: "pool-01"
# effect: "NoExecute"
# - name: pool-02
# tolerations:
# - key: "pool"
# operator: "Equal"
# value: "pool-02"
# effect: "NoExecute"

22
charts/percona/psmdb-operator/1.17.1/.helmignore Normal file
View File

@ -0,0 +1,22 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

20
charts/percona/psmdb-operator/1.17.1/Chart.yaml Normal file
View File

@ -0,0 +1,20 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Percona Operator for MongoDB
catalog.cattle.io/kube-version: '>=1.21-0'
catalog.cattle.io/release-name: psmdb-operator
apiVersion: v2
appVersion: 1.17.0
description: A Helm chart for deploying the Percona Operator for MongoDB
home: https://docs.percona.com/percona-operator-for-mongodb/
icon: file://assets/icons/psmdb-operator.png
kubeVersion: '>=1.21-0'
maintainers:
- email: tomislav.plavcic@percona.com
name: tplavcic
- email: natalia.marukovich@percona.com
name: nmarukovich
- email: sergey.pronin@percona.com
name: spron-in
name: psmdb-operator
version: 1.17.1

13
charts/percona/psmdb-operator/1.17.1/LICENSE.txt Normal file
View File

@ -0,0 +1,13 @@
Copyright 2019 Paul Czarkowski <username.taken@gmail.com>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

69
charts/percona/psmdb-operator/1.17.1/README.md Normal file
View File

@ -0,0 +1,69 @@
# Percona Operator for MongoDB
Percona Operator for MongoDB allows users to deploy and manage Percona Server for MongoDB Clusters on Kubernetes.
Useful links:
- [Operator Github repository](https://github.com/percona/percona-server-mongodb-operator)
- [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html)
## Pre-requisites
* Kubernetes 1.27+
* Helm v3
# Installation
This chart will deploy the Operator Pod for the further Percona Server for MongoDB creation in Kubernetes.
## Installing the chart
To install the chart with the `psmdb` release name using a dedicated namespace (recommended):
```sh
helm repo add percona https://percona.github.io/percona-helm-charts/
helm install my-operator percona/psmdb-operator --version 1.17.1 --namespace my-namespace
```
The chart can be customized using the following configurable parameters:
| Parameter | Description | Default |
| ---------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| `image.repository` | PSMDB Operator Container image name | `percona/percona-server-mongodb-operator` |
| `image.tag` | PSMDB Operator Container image tag | `1.17.0` |
| `image.pullPolicy` | PSMDB Operator Container pull policy | `Always` |
| `image.pullSecrets` | PSMDB Operator Pod pull secret | `[]` |
| `replicaCount` | PSMDB Operator Pod quantity | `1` |
| `tolerations` | List of node taints to tolerate | `[]` |
| `annotations` | PSMDB Operator Deployment annotations | `{}` |
| `podAnnotations` | PSMDB Operator Pod annotations | `{}` |
| `labels` | PSMDB Operator Deployment labels | `{}` |
| `podLabels` | PSMDB Operator Pod labels | `{}` |
| `resources` | Resource requests and limits | `{}` |
| `nodeSelector` | Labels for Pod assignment | `{}` |
| `podAnnotations` | Annotations for pod | `{}` |
| `podSecurityContext` | Pod Security Context | `{}` |
| `watchNamespace` | Set when a different from default namespace is needed to watch (comma separated if multiple needed) | `""` |
| `createNamespace` | Set if you want to create watched namespaces with helm | `false` |
| `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` |
| `securityContext` | Container Security Context | `{}` |
| `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` |
| `serviceAccount.annotations` | PSMDB Operator ServiceAccount annotations | `{}` |
| `logStructured` | Force PSMDB operator to print JSON-wrapped log messages | `false` |
| `logLevel` | PSMDB Operator logging level | `INFO` |
| `disableTelemetry` | Disable sending PSMDB Operator telemetry data to Percona | `false` |
Specify parameters using `--set key=value[,key=value]` argument to `helm install`
Alternatively a YAML file that specifies the values for the parameters can be provided like this:
```sh
helm install psmdb-operator -f values.yaml percona/psmdb-operator
```
## Deploy the database
To deploy Percona Server for MongoDB run the following command:
```sh
helm install my-db percona/psmdb-db
```
See more about Percona Server for MongoDB deployment in its chart [here](https://github.com/percona/percona-helm-charts/tree/main/charts/psmdb-db) or in the [Helm chart installation guide](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/helm.html).

19190
charts/percona/psmdb-operator/1.17.1/crds/crd.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

15
charts/percona/psmdb-operator/1.17.1/templates/NOTES.txt Normal file
View File

@ -0,0 +1,15 @@
1. Percona Operator for MongoDB is deployed.
See if the operator Pod is running:
kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }}
Check the operator logs if the Pod is not starting:
export POD=$(kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }} --output name)
kubectl logs $POD --namespace={{ .Release.Namespace }}
2. Deploy the database cluster from psmdb-db chart:
helm install my-db percona/psmdb-db --namespace={{ .Release.Namespace }}
Read more in our documentation: https://docs.percona.com/percona-operator-for-mongodb/

45
charts/percona/psmdb-operator/1.17.1/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,45 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "psmdb-operator.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "psmdb-operator.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "psmdb-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "psmdb-operator.labels" -}}
app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
helm.sh/chart: {{ include "psmdb-operator.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}

108
charts/percona/psmdb-operator/1.17.1/templates/deployment.yaml Normal file
View File

@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "psmdb-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "psmdb-operator.labels" . | nindent 4 }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ include "psmdb-operator.fullname" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- containerPort: 8080
protocol: TCP
name: metrics
- containerPort: 8081
protocol: TCP
name: health
command:
- percona-server-mongodb-operator
{{- if .Values.securityContext.readOnlyRootFilesystem }}
volumeMounts:
- name: tmpdir
mountPath: /tmp
{{- end }}
env:
- name: LOG_STRUCTURED
value: "{{ .Values.logStructured }}"
- name: LOG_LEVEL
value: "{{ .Values.logLevel }}"
- name: WATCH_NAMESPACE
{{- if .Values.watchAllNamespaces }}
value: ""
{{- else }}
value: "{{ default .Release.Namespace .Values.watchNamespace }}"
{{- end }}
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: OPERATOR_NAME
value: {{ default "percona-server-mongodb-operator" .Values.operatorName }}
- name: RESYNC_PERIOD
value: "{{ .Values.env.resyncPeriod }}"
- name: DISABLE_TELEMETRY
value: "{{ .Values.disableTelemetry }}"
livenessProbe:
httpGet:
path: /healthz
port: health
readinessProbe:
httpGet:
path: /healthz
port: health
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.securityContext.readOnlyRootFilesystem }}
volumes:
- name: tmpdir
emptyDir: {}
{{- end }}

11
charts/percona/psmdb-operator/1.17.1/templates/namespace.yaml Normal file
View File

@ -0,0 +1,11 @@
{{ if and .Values.watchNamespace .Values.createNamespace }}
{{ range ( split "," .Values.watchNamespace ) }}
apiVersion: v1
kind: Namespace
metadata:
name: {{ trim . }}
annotations:
helm.sh/resource-policy: keep
---
{{ end }}
{{ end }}

41
charts/percona/psmdb-operator/1.17.1/templates/role-binding.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "psmdb-operator.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
---
{{- end }}
{{- if .Values.rbac.create }}
{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
kind: ClusterRoleBinding
{{- else }}
kind: RoleBinding
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-account-{{ include "psmdb-operator.fullname" . }}
{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "psmdb-operator.labels" . | indent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "psmdb-operator.fullname" . }}
{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
namespace: {{ .Release.Namespace }}
{{- end }}
roleRef:
{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
kind: ClusterRole
{{- else }}
kind: Role
{{- end }}
name: {{ include "psmdb-operator.fullname" . }}
apiGroup: rbac.authorization.k8s.io
{{- end }}

166
charts/percona/psmdb-operator/1.17.1/templates/role.yaml Normal file
View File

@ -0,0 +1,166 @@
{{- if .Values.rbac.create }}
{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
kind: ClusterRole
{{- else }}
kind: Role
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "psmdb-operator.fullname" . }}
{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }}
namespace: {{ .Release.Namespace }}
{{- end }}
labels:
{{ include "psmdb-operator.labels" . | indent 4 }}
rules:
- apiGroups:
- psmdb.percona.com
resources:
- perconaservermongodbs
- perconaservermongodbs/status
- perconaservermongodbs/finalizers
- perconaservermongodbbackups
- perconaservermongodbbackups/status
- perconaservermongodbbackups/finalizers
- perconaservermongodbrestores
- perconaservermongodbrestores/status
- perconaservermongodbrestores/finalizers
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
- pods
- pods/exec
- services
- persistentvolumeclaims
- secrets
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments
- replicasets
- statefulsets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- batch
resources:
- cronjobs
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- events.k8s.io
- ""
resources:
- events
verbs:
- get
- list
- watch
- create
- patch
- apiGroups:
- certmanager.k8s.io
- cert-manager.io
resources:
- issuers
- certificates
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- deletecollection
- apiGroups:
- net.gke.io
- multicluster.x-k8s.io
resources:
- serviceexports
- serviceimports
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- deletecollection
{{- end }}

99
charts/percona/psmdb-operator/1.17.1/values.yaml Normal file
View File

@ -0,0 +1,99 @@
# Default values for psmdb-operator.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
replicaCount: 1
image:
repository: percona/percona-server-mongodb-operator
tag: 1.17.0
pullPolicy: IfNotPresent
# disableTelemetry: according to
# https://docs.percona.com/percona-operator-for-mongodb/telemetry.html
# this is how you can disable telemetry collection
# default is false which means telemetry will be collected
disableTelemetry: false
# set if you want to specify a namespace to watch
# defaults to `.Release.namespace` if left blank
# multiple namespaces can be specified and separated by comma
# watchNamespace:
# set if you want that watched namespaces are created by helm
# createNamespace: false
# set if operator should be deployed in cluster wide mode. defaults to false
watchAllNamespaces: false
# rbac: settings for deployer RBAC creation
rbac:
# rbac.create: if false RBAC resources should be in place
create: true
# serviceAccount: settings for Service Accounts used by the deployer
serviceAccount:
# serviceAccount.create: Whether to create the Service Accounts or not
create: true
# annotations to add to the service account
annotations: {}
# annotations to add to the operator deployment
annotations: {}
# labels to add to the operator deployment
labels: {}
# annotations to add to the operator pod
podAnnotations: {}
# prometheus.io/scrape: "true"
# prometheus.io/port: "8080"
# labels to the operator pod
podLabels: {}
podSecurityContext: {}
# runAsNonRoot: true
# runAsUser: 2
# runAsGroup: 2
# fsGroup: 2
# fsGroupChangePolicy: "OnRootMismatch"
securityContext: {}
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# seccompProfile:
# type: RuntimeDefault
# set if you want to use a different operator name
# defaults to `percona-server-mongodb-operator`
# operatorName:
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
env:
resyncPeriod: 5s
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
logStructured: false
logLevel: "INFO"

28
charts/redpanda/redpanda/5.9.9/.helmignore Normal file
View File

@ -0,0 +1,28 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
README.md.gotmpl
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
*.go
testdata/
ci/

Some files were not shown because too many files have changed in this diff Show More