diff --git a/assets/external-secrets/external-secrets-0.10.5.tgz b/assets/external-secrets/external-secrets-0.10.5.tgz
new file mode 100644
index 000000000..dc011eed6
Binary files /dev/null and b/assets/external-secrets/external-secrets-0.10.5.tgz differ
diff --git a/assets/instana/instana-agent-1.2.74.tgz b/assets/instana/instana-agent-1.2.74.tgz
new file mode 100644
index 000000000..ba712c27e
Binary files /dev/null and b/assets/instana/instana-agent-1.2.74.tgz differ
diff --git a/assets/percona/psmdb-operator-1.17.1.tgz b/assets/percona/psmdb-operator-1.17.1.tgz
new file mode 100644
index 000000000..6d7c36a92
Binary files /dev/null and b/assets/percona/psmdb-operator-1.17.1.tgz differ
diff --git a/assets/redpanda/redpanda-5.9.9.tgz b/assets/redpanda/redpanda-5.9.9.tgz
new file mode 100644
index 000000000..ba61492b1
Binary files /dev/null and b/assets/redpanda/redpanda-5.9.9.tgz differ
diff --git a/charts/external-secrets/external-secrets/0.10.5/Chart.lock b/charts/external-secrets/external-secrets/0.10.5/Chart.lock
new file mode 100644
index 000000000..f9abae8c1
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: bitwarden-sdk-server
+ repository: oci://ghcr.io/external-secrets/charts
+ version: v0.3.1
+digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
+generated: "2024-09-20T12:57:07.63511+02:00"
diff --git a/charts/external-secrets/external-secrets/0.10.5/Chart.yaml b/charts/external-secrets/external-secrets/0.10.5/Chart.yaml
new file mode 100644
index 000000000..d991c5b70
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/Chart.yaml
@@ -0,0 +1,25 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: External Secrets Operator
+ catalog.cattle.io/kube-version: '>= 1.19.0-0'
+ catalog.cattle.io/release-name: external-secrets
+apiVersion: v2
+appVersion: v0.10.5
+dependencies:
+- condition: bitwarden-sdk-server.enabled
+ name: bitwarden-sdk-server
+ repository: oci://ghcr.io/external-secrets/charts
+ version: v0.3.1
+description: External secret management for Kubernetes
+home: https://github.com/external-secrets/external-secrets
+icon: file://assets/icons/external-secrets.png
+keywords:
+- kubernetes-external-secrets
+- secrets
+kubeVersion: '>= 1.19.0-0'
+maintainers:
+- email: kellinmcavoy@gmail.com
+ name: mcavoyk
+name: external-secrets
+type: application
+version: 0.10.5
diff --git a/charts/external-secrets/external-secrets/0.10.5/README.md b/charts/external-secrets/external-secrets/0.10.5/README.md
new file mode 100644
index 000000000..5d25e7ea7
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/README.md
@@ -0,0 +1,225 @@
+# External Secrets
+
+
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+ 
+
+External secret management for Kubernetes
+
+## TL;DR
+```bash
+helm repo add external-secrets https://charts.external-secrets.io
+helm install external-secrets external-secrets/external-secrets
+```
+
+## Installing the Chart
+To install the chart with the release name `external-secrets`:
+```bash
+helm install external-secrets external-secrets/external-secrets
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `external-secrets` deployment:
+```bash
+helm uninstall external-secrets
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` | |
+| bitwarden-sdk-server.enabled | bool | `false` | |
+| certController.affinity | object | `{}` | |
+| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
+| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| certController.extraArgs | object | `{}` | |
+| certController.extraEnv | list | `[]` | |
+| certController.extraVolumeMounts | list | `[]` | |
+| certController.extraVolumes | list | `[]` | |
+| certController.fullnameOverride | string | `""` | |
+| certController.hostNetwork | bool | `false` | Run the certController on the host network |
+| certController.image.flavour | string | `""` | |
+| certController.image.pullPolicy | string | `"IfNotPresent"` | |
+| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
+| certController.image.tag | string | `""` | |
+| certController.imagePullSecrets | list | `[]` | |
+| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| certController.metrics.listen.port | int | `8080` | |
+| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
+| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| certController.nameOverride | string | `""` | |
+| certController.nodeSelector | object | `{}` | |
+| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
+| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| certController.podLabels | object | `{}` | |
+| certController.podSecurityContext.enabled | bool | `true` | |
+| certController.priorityClassName | string | `""` | Pod priority class name. |
+| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| certController.readinessProbe.address | string | `""` | Address for readiness probe |
+| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| certController.replicaCount | int | `1` | |
+| certController.requeueInterval | string | `"5m"` | |
+| certController.resources | object | `{}` | |
+| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| certController.securityContext.enabled | bool | `true` | |
+| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| certController.securityContext.runAsNonRoot | bool | `true` | |
+| certController.securityContext.runAsUser | int | `1000` | |
+| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| certController.tolerations | list | `[]` | |
+| certController.topologySpreadConstraints | list | `[]` | |
+| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
+| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
+| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
+| crds.annotations | object | `{}` | |
+| crds.conversion.enabled | bool | `true` | |
+| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
+| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
+| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
+| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
+| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
+| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
+| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
+| extraArgs | object | `{}` | |
+| extraContainers | list | `[]` | |
+| extraEnv | list | `[]` | |
+| extraObjects | list | `[]` | |
+| extraVolumeMounts | list | `[]` | |
+| extraVolumes | list | `[]` | |
+| fullnameOverride | string | `""` | |
+| global.affinity | object | `{}` | |
+| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
+| global.nodeSelector | object | `{}` | |
+| global.tolerations | list | `[]` | |
+| global.topologySpreadConstraints | list | `[]` | |
+| hostNetwork | bool | `false` | Run the controller on the host network |
+| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
+| image.pullPolicy | string | `"IfNotPresent"` | |
+| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| imagePullSecrets | list | `[]` | |
+| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
+| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| metrics.listen.port | int | `8080` | |
+| metrics.service.annotations | object | `{}` | Additional service annotations |
+| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| metrics.service.port | int | `8080` | Metrics service port to scrape |
+| nameOverride | string | `""` | |
+| namespaceOverride | string | `""` | |
+| nodeSelector | object | `{}` | |
+| podAnnotations | object | `{}` | Annotations to add to Pod |
+| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| podLabels | object | `{}` | |
+| podSecurityContext.enabled | bool | `true` | |
+| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
+| priorityClassName | string | `""` | Pod priority class name. |
+| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
+| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
+| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
+| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
+| replicaCount | int | `1` | |
+| resources | object | `{}` | |
+| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
+| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
+| securityContext.allowPrivilegeEscalation | bool | `false` | |
+| securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| securityContext.enabled | bool | `true` | |
+| securityContext.readOnlyRootFilesystem | bool | `true` | |
+| securityContext.runAsNonRoot | bool | `true` | |
+| securityContext.runAsUser | int | `1000` | |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
+| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
+| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
+| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
+| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| tolerations | list | `[]` | |
+| topologySpreadConstraints | list | `[]` | |
+| webhook.affinity | object | `{}` | |
+| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
+| webhook.certDir | string | `"/tmp/certs"` | |
+| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
+| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
+| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
+| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
+| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
+| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
+| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
+| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
+| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| webhook.extraArgs | object | `{}` | |
+| webhook.extraEnv | list | `[]` | |
+| webhook.extraVolumeMounts | list | `[]` | |
+| webhook.extraVolumes | list | `[]` | |
+| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
+| webhook.fullnameOverride | string | `""` | |
+| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
+| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
+| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
+| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
+| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| webhook.imagePullSecrets | list | `[]` | |
+| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
+| webhook.metrics.listen.port | int | `8080` | |
+| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
+| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| webhook.nameOverride | string | `""` | |
+| webhook.nodeSelector | object | `{}` | |
+| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
+| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| webhook.podLabels | object | `{}` | |
+| webhook.podSecurityContext.enabled | bool | `true` | |
+| webhook.port | int | `10250` | The port the webhook will listen to |
+| webhook.priorityClassName | string | `""` | Pod priority class name. |
+| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
+| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| webhook.replicaCount | int | `1` | |
+| webhook.resources | object | `{}` | |
+| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
+| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
+| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
+| webhook.securityContext.enabled | bool | `true` | |
+| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
+| webhook.securityContext.runAsNonRoot | bool | `true` | |
+| webhook.securityContext.runAsUser | int | `1000` | |
+| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
+| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.tolerations | list | `[]` | |
+| webhook.topologySpreadConstraints | list | `[]` | |
diff --git a/charts/external-secrets/external-secrets/0.10.5/app-readme.md b/charts/external-secrets/external-secrets/0.10.5/app-readme.md
new file mode 100644
index 000000000..2a28bc399
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/app-readme.md
@@ -0,0 +1,7 @@
+**External Secrets Operator** is a Kubernetes operator that integrates external secret management systems like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), [HashiCorp Vault](https://www.vaultproject.io/), [Google Secrets Manager](https://cloud.google.com/secret-manager), [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) and many more.
+The operator reads information from external APIs and automatically injects the values into a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
+
+### What is the goal of External Secrets Operator?
+
+The goal of External Secrets Operator is to synchronize secrets from external APIs into Kubernetes. ESO is a collection of custom API resources - `ExternalSecret`, `SecretStore` and `ClusterSecretStore` that provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.
+
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/.helmignore b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/Chart.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/Chart.yaml
new file mode 100644
index 000000000..64d6f3853
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+appVersion: v0.3.1
+description: A Helm chart for Kubernetes
+name: bitwarden-sdk-server
+type: application
+version: v0.3.1
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/NOTES.txt b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/NOTES.txt
new file mode 100644
index 000000000..46b671c6a
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/NOTES.txt
@@ -0,0 +1,22 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden-sdk-server.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden-sdk-server.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden-sdk-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden-sdk-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/_helpers.tpl b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/_helpers.tpl
new file mode 100644
index 000000000..a5e0da3cc
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "bitwarden-sdk-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "bitwarden-sdk-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "bitwarden-sdk-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "bitwarden-sdk-server.labels" -}}
+helm.sh/chart: {{ include "bitwarden-sdk-server.chart" . }}
+{{ include "bitwarden-sdk-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "bitwarden-sdk-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "bitwarden-sdk-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "bitwarden-sdk-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "bitwarden-sdk-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/deployment.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/deployment.yaml
new file mode 100644
index 000000000..06e28820a
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/deployment.yaml
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "bitwarden-sdk-server.fullname" . }}
+ labels:
+ {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- if not .Values.image.tls.enabled }}
+ args:
+ - --insecure
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if .Values.image.tls.enabled }}
+ volumeMounts:
+ {{- toYaml .Values.image.tls.volumeMounts | nindent 10 }}
+ {{- end}}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: http
+ {{- if .Values.image.tls.enabled }}
+ scheme: HTTPS
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: http
+ {{- if .Values.image.tls.enabled }}
+ scheme: HTTPS
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.image.tls.enabled }}
+ volumes:
+ {{- toYaml .Values.image.tls.volumes | nindent 8 }}
+ {{- end}}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/service.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/service.yaml
new file mode 100644
index 000000000..88e2d668b
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "bitwarden-sdk-server.fullname" . }}
+ labels:
+ {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ name: http
+ selector:
+ {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 4 }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/serviceaccount.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/serviceaccount.yaml
new file mode 100644
index 000000000..fef7bad65
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
+ labels:
+ {{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap
new file mode 100644
index 000000000..2fbcdb118
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/__snapshot__/deployment_test.yaml.snap
@@ -0,0 +1,60 @@
+deployment should match snapshot:
+ 1: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: bitwarden-sdk-server
+ app.kubernetes.io/version: 1.16.0
+ helm.sh/chart: bitwarden-sdk-server-0.1.0
+ name: bitwarden-sdk-server
+ spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: bitwarden-sdk-server
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: RELEASE-NAME
+ app.kubernetes.io/name: bitwarden-sdk-server
+ spec:
+ containers:
+ - image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.8.0
+ imagePullPolicy: IfNotPresent
+ livenessProbe:
+ httpGet:
+ path: /live
+ port: http
+ scheme: HTTPS
+ name: bitwarden-sdk-server
+ ports:
+ - containerPort: 9998
+ name: http
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: http
+ scheme: HTTPS
+ resources: {}
+ securityContext: {}
+ volumeMounts:
+ - mountPath: /certs
+ name: bitwarden-tls-certs
+ securityContext: {}
+ serviceAccountName: bitwarden-sdk-server
+ volumes:
+ - name: bitwarden-tls-certs
+ secret:
+ items:
+ - key: tls.crt
+ path: cert.pem
+ - key: tls.key
+ path: key.pem
+ - key: ca.crt
+ path: ca.pem
+ secretName: bitwarden-tls-certs
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/deployment_test.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/deployment_test.yaml
new file mode 100644
index 000000000..bb4e2f4f5
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/tests/deployment_test.yaml
@@ -0,0 +1,9 @@
+suite: test deployment
+templates:
+ - deployment.yaml
+tests:
+ - it: deployment should match snapshot
+ set:
+ image.tag: v0.8.0
+ asserts:
+ - matchSnapshot: {}
diff --git a/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/values.yaml b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/values.yaml
new file mode 100644
index 000000000..f0424afba
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/charts/bitwarden-sdk-server/values.yaml
@@ -0,0 +1,98 @@
+# Default values for bitwarden-sdk-server.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: ghcr.io/external-secrets/bitwarden-sdk-server
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ tls:
+ enabled: true
+ volumeMounts:
+ - mountPath: "/certs"
+ name: "bitwarden-tls-certs"
+ volumes:
+ - name: "bitwarden-tls-certs"
+ secret:
+ secretName: "bitwarden-tls-certs"
+ items:
+ - key: "tls.crt"
+ path: "cert.pem"
+ - key: "tls.key"
+ path: "key.pem"
+ - key: "ca.crt"
+ path: "ca.pem"
+
+imagePullSecrets: []
+nameOverride: "bitwarden-sdk-server"
+fullnameOverride: "bitwarden-sdk-server"
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 9998
+
+ingress:
+ enabled: false
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/charts/external-secrets/external-secrets/0.10.5/questions.yaml b/charts/external-secrets/external-secrets/0.10.5/questions.yaml
new file mode 100644
index 000000000..31008999d
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/questions.yaml
@@ -0,0 +1,8 @@
+questions:
+- variable: installCRDs
+ default: false
+ required: true
+ description: "If true, Install and upgrade CRDs through helm chart"
+ type: boolean
+ label: Install CRDs
+
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/NOTES.txt b/charts/external-secrets/external-secrets/0.10.5/templates/NOTES.txt
new file mode 100644
index 000000000..ffa0fc7e1
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/NOTES.txt
@@ -0,0 +1,7 @@
+external-secrets has been deployed successfully in namespace {{ template "external-secrets.namespace" . }}!
+
+In order to begin using ExternalSecrets, you will need to set up a SecretStore
+or ClusterSecretStore resource (for example, by creating a 'vault' SecretStore).
+
+More information on the different types of SecretStores and how to configure them
+can be found in our Github: {{ .Chart.Home }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/_helpers.tpl b/charts/external-secrets/external-secrets/0.10.5/templates/_helpers.tpl
new file mode 100644
index 000000000..d5eea0759
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/_helpers.tpl
@@ -0,0 +1,198 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "external-secrets.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "external-secrets.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define namespace of chart, useful for multi-namespace deployments
+*/}}
+{{- define "external-secrets.namespace" -}}
+{{- if .Values.namespaceOverride }}
+{{- .Values.namespaceOverride }}
+{{- else }}
+{{- .Release.Namespace }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "external-secrets.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "external-secrets.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-webhook.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-webhook.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-webhook-metrics.labels" -}}
+{{ include "external-secrets-webhook.selectorLabels" . }}
+app.kubernetes.io/metrics: "webhook"
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-cert-controller.labels" -}}
+helm.sh/chart: {{ include "external-secrets.chart" . }}
+{{ include "external-secrets-cert-controller.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{- define "external-secrets-cert-controller-metrics.labels" -}}
+{{ include "external-secrets-cert-controller.selectorLabels" . }}
+app.kubernetes.io/metrics: "cert-controller"
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "external-secrets.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- define "external-secrets-webhook.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{- define "external-secrets-cert-controller.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "external-secrets.name" . }}-cert-controller
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "external-secrets.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-webhook.serviceAccountName" -}}
+{{- if .Values.webhook.serviceAccount.create }}
+{{- default "external-secrets-webhook" .Values.webhook.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.webhook.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "external-secrets-cert-controller.serviceAccountName" -}}
+{{- if .Values.certController.serviceAccount.create }}
+{{- default "external-secrets-cert-controller" .Values.certController.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.certController.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Determine the image to use, including if using a flavour.
+*/}}
+{{- define "external-secrets.image" -}}
+{{- if .image.flavour -}}
+{{ printf "%s:%s-%s" .image.repository (.image.tag | default .chartAppVersion) .image.flavour }}
+{{- else }}
+{{ printf "%s:%s" .image.repository (.image.tag | default .chartAppVersion) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders a complete tree, even values that contains template.
+*/}}
+{{- define "external-secrets.render" -}}
+ {{- if typeIs "string" .value }}
+ {{- tpl .value .context }}
+ {{ else }}
+ {{- tpl (.value | toYaml) .context }}
+ {{- end }}
+{{- end -}}
+
+{{/*
+Return true if the OpenShift is the detected platform
+Usage:
+{{- include "external-secrets.isOpenShift" . -}}
+*/}}
+{{- define "external-secrets.isOpenShift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render the securityContext based on the provided securityContext
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" .Values.securityContext "context" $) -}}
+*/}}
+{{- define "external-secrets.renderSecurityContext" -}}
+{{- $adaptedContext := .securityContext -}}
+{{- if .context.Values.global.compatibility -}}
+ {{- if .context.Values.global.compatibility.openshift -}}
+ {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "external-secrets.isOpenShift" .context)) -}}
+ {{/* Remove OpenShift managed fields */}}
+ {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+ {{- if not .securityContext.seLinuxOptions -}}
+ {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+ {{- end -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-deployment.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-deployment.yaml
new file mode 100644
index 000000000..a843f045a
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-deployment.yaml
@@ -0,0 +1,124 @@
+{{- if and .Values.certController.create (not .Values.webhook.certManager.enabled) }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+ {{- with .Values.certController.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.certController.replicaCount }}
+ revisionHistoryLimit: {{ .Values.certController.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.certController.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 8 }}
+ {{- with .Values.certController.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.certController.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
+ {{- with .Values.certController.podSecurityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ hostNetwork: {{ .Values.certController.hostNetwork }}
+ containers:
+ - name: cert-controller
+ {{- with .Values.certController.securityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.certController.image) | trim }}
+ imagePullPolicy: {{ .Values.certController.image.pullPolicy }}
+ args:
+ - certcontroller
+ - --crd-requeue-interval={{ .Values.certController.requeueInterval }}
+ - --service-name={{ include "external-secrets.fullname" . }}-webhook
+ - --service-namespace={{ template "external-secrets.namespace" . }}
+ - --secret-name={{ include "external-secrets.fullname" . }}-webhook
+ - --secret-namespace={{ template "external-secrets.namespace" . }}
+ - --metrics-addr=:{{ .Values.certController.metrics.listen.port }}
+ - --healthz-addr={{ .Values.certController.readinessProbe.address }}:{{ .Values.certController.readinessProbe.port }}
+ - --loglevel={{ .Values.certController.log.level }}
+ - --zap-time-encoding={{ .Values.certController.log.timeEncoding }}
+ {{- if not .Values.crds.createClusterSecretStore }}
+ - --crd-names=externalsecrets.external-secrets.io
+ - --crd-names=secretstores.external-secrets.io
+ {{- end }}
+ {{- if .Values.installCRDs }}
+ - --enable-partial-cache=true
+ {{- end }}
+ {{- range $key, $value := .Values.certController.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.certController.metrics.listen.port }}
+ protocol: TCP
+ name: metrics
+ readinessProbe:
+ httpGet:
+ port: {{ .Values.certController.readinessProbe.port }}
+ path: /readyz
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ {{- with .Values.certController.extraEnv }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.certController.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.certController.extraVolumeMounts }}
+ volumeMounts:
+ {{- toYaml .Values.certController.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ {{- if .Values.certController.extraVolumes }}
+ volumes:
+ {{- toYaml .Values.certController.extraVolumes | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certController.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certController.affinity | default .Values.global.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certController.tolerations | default .Values.global.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.certController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.certController.priorityClassName }}
+ priorityClassName: {{ .Values.certController.priorityClassName }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-poddisruptionbudget.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-poddisruptionbudget.yaml
new file mode 100644
index 000000000..e61cb8ebc
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.certController.create .Values.certController.podDisruptionBudget.enabled (not .Values.webhook.certManager.enabled) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller-pdb
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+spec:
+ {{- if .Values.certController.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.certController.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.certController.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.certController.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-rbac.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-rbac.yaml
new file mode 100644
index 000000000..84a0c110b
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-rbac.yaml
@@ -0,0 +1,86 @@
+{{- if and .Values.certController.create .Values.certController.rbac.create (not .Values.webhook.certManager.enabled) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "apiextensions.k8s.io"
+ resources:
+ - "customresourcedefinitions"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - "validatingwebhookconfigurations"
+ verbs:
+ - "list"
+ - "watch"
+ - "get"
+ - apiGroups:
+ - "admissionregistration.k8s.io"
+ resources:
+ - "validatingwebhookconfigurations"
+ resourceNames:
+ - "secretstore-validate"
+ - "externalsecret-validate"
+ verbs:
+ - "update"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "endpoints"
+ verbs:
+ - "list"
+ - "get"
+ - "watch"
+ - apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "get"
+ - "create"
+ - "update"
+ - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "external-secrets.fullname" . }}-cert-controller
+subjects:
+ - name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ kind: ServiceAccount
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-service.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-service.yaml
new file mode 100644
index 000000000..12cb4f4da
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-service.yaml
@@ -0,0 +1,28 @@
+{{- if and .Values.certController.create .Values.certController.metrics.service.enabled (not .Values.webhook.certManager.enabled) }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ {{- with .Values.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.certController.metrics.service.port }}
+ protocol: TCP
+ targetPort: metrics
+ name: metrics
+ selector:
+ {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-serviceaccount.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-serviceaccount.yaml
new file mode 100644
index 000000000..6a36f9d71
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/cert-controller-serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.certController.create .Values.certController.serviceAccount.create (not .Values.webhook.certManager.enabled) -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+ {{- with .Values.certController.serviceAccount.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.certController.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/acraccesstoken.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/acraccesstoken.yaml
new file mode 100644
index 000000000..3ad09232d
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/acraccesstoken.yaml
@@ -0,0 +1,204 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: acraccesstokens.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: ACRAccessToken
+ listKind: ACRAccessTokenList
+ plural: acraccesstokens
+ shortNames:
+ - acraccesstoken
+ singular: acraccesstoken
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ACRAccessToken returns a Azure Container Registry token
+ that can be used for pushing/pulling images.
+ Note: by default it will return an ACR Refresh Token with full access
+ (depending on the identity).
+ This can be scoped down to the repository level using .spec.scope.
+ In case scope is defined it will return an ACR Access Token.
+
+ See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ ACRAccessTokenSpec defines how to generate the access token
+ e.g. how to authenticate and which registry to use.
+ see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
+ properties:
+ auth:
+ properties:
+ managedIdentity:
+ description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
+ properties:
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ type: object
+ servicePrincipal:
+ description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
+ properties:
+ secretRef:
+ description: |-
+ Configuration used to authenticate with Azure using static
+ credentials stored in a Kind=Secret.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ workloadIdentity:
+ description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
+ properties:
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ type: object
+ environmentType:
+ default: PublicCloud
+ description: |-
+ EnvironmentType specifies the Azure cloud environment endpoints to use for
+ connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+ The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+ PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ enum:
+ - PublicCloud
+ - USGovernmentCloud
+ - ChinaCloud
+ - GermanCloud
+ type: string
+ registry:
+ description: |-
+ the domain name of the ACR registry
+ e.g. foobarexample.azurecr.io
+ type: string
+ scope:
+ description: |-
+ Define the scope for the access token, e.g. pull/push access for a repository.
+ if not provided it will return a refresh token that has full scope.
+ Note: you need to pin it down to the repository level, there is no wildcard available.
+
+ examples:
+ repository:my-repository:pull,push
+ repository:my-repository:pull
+
+ see docs for details: https://docs.docker.com/registry/spec/auth/scope/
+ type: string
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ required:
+ - auth
+ - registry
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/clusterexternalsecret.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/clusterexternalsecret.yaml
new file mode 100644
index 000000000..c0be1fe03
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/clusterexternalsecret.yaml
@@ -0,0 +1,666 @@
+{{- if and (.Values.installCRDs) (.Values.crds.createClusterExternalSecret) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: clusterexternalsecrets.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: ClusterExternalSecret
+ listKind: ClusterExternalSecretList
+ plural: clusterexternalsecrets
+ shortNames:
+ - ces
+ singular: clusterexternalsecret
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
+ name: Store
+ type: string
+ - jsonPath: .spec.refreshTime
+ name: Refresh Interval
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
+ properties:
+ externalSecretMetadata:
+ description: The metadata of the external secrets to be created
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ externalSecretName:
+ description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
+ type: string
+ externalSecretSpec:
+ description: The spec for the ExternalSecrets to be created
+ properties:
+ data:
+ description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+ items:
+ description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
+ properties:
+ remoteRef:
+ description: |-
+ RemoteRef points to the remote secret and defines
+ which secret (version/property/..) to fetch.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ metadataPolicy:
+ default: None
+ description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ secretKey:
+ description: |-
+ SecretKey defines the key in which the controller stores
+ the value. This is the key in the Kind=Secret
+ type: string
+ sourceRef:
+ description: |-
+ SourceRef allows you to override the source
+ from which the value will pulled from.
+ maxProperties: 1
+ properties:
+ generatorRef:
+ description: |-
+ GeneratorRef points to a generator custom resource.
+
+ Deprecated: The generatorRef is not implemented in .data[].
+ this will be removed with v1.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ storeRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - remoteRef
+ - secretKey
+ type: object
+ type: array
+ dataFrom:
+ description: |-
+ DataFrom is used to fetch all properties from a specific Provider data
+ If multiple entries are specified, the Secret keys are merged in the specified order
+ items:
+ properties:
+ extract:
+ description: |-
+ Used to extract multiple key/value pairs from one secret
+ Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ metadataPolicy:
+ default: None
+ description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ find:
+ description: |-
+ Used to find secrets based on tags or regular expressions
+ Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ name:
+ description: Finds secrets based on the name.
+ properties:
+ regexp:
+ description: Finds secrets base
+ type: string
+ type: object
+ path:
+ description: A root path to start the find operations.
+ type: string
+ tags:
+ additionalProperties:
+ type: string
+ description: Find secrets based on tags.
+ type: object
+ type: object
+ rewrite:
+ description: |-
+ Used to rewrite secret Keys after getting them from the secret Provider
+ Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+ items:
+ properties:
+ regexp:
+ description: |-
+ Used to rewrite with regular expressions.
+ The resulting key will be the output of a regexp.ReplaceAll operation.
+ properties:
+ source:
+ description: Used to define the regular expression of a re.Compiler.
+ type: string
+ target:
+ description: Used to define the target pattern of a ReplaceAll operation.
+ type: string
+ required:
+ - source
+ - target
+ type: object
+ transform:
+ description: |-
+ Used to apply string transformation on the secrets.
+ The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: |-
+ Used to define the template to apply on the secret name.
+ `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
+ type: object
+ type: array
+ sourceRef:
+ description: |-
+ SourceRef points to a store or generator
+ which contains secret values ready to use.
+ Use this in combination with Extract or Find pull values out of
+ a specific SecretStore.
+ When sourceRef points to a generator Extract or Find is not supported.
+ The generator returns a static map of values
+ maxProperties: 1
+ properties:
+ generatorRef:
+ description: GeneratorRef points to a generator custom resource.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ storeRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ type: object
+ type: array
+ refreshInterval:
+ default: 1h
+ description: |-
+ RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+ May be set to zero to fetch and create it once. Defaults to 1h.
+ type: string
+ secretStoreRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ target:
+ default:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ description: |-
+ ExternalSecretTarget defines the Kubernetes Secret to be created
+ There can be only one target per ExternalSecret.
+ properties:
+ creationPolicy:
+ default: Owner
+ description: |-
+ CreationPolicy defines rules on how to create the resulting Secret
+ Defaults to 'Owner'
+ enum:
+ - Owner
+ - Orphan
+ - Merge
+ - None
+ type: string
+ deletionPolicy:
+ default: Retain
+ description: |-
+ DeletionPolicy defines rules on how to delete the resulting Secret
+ Defaults to 'Retain'
+ enum:
+ - Delete
+ - Merge
+ - Retain
+ type: string
+ immutable:
+ description: Immutable defines if the final secret will be immutable
+ type: boolean
+ name:
+ description: |-
+ Name defines the name of the Secret resource to be managed
+ This field is immutable
+ Defaults to the .metadata.name of the ExternalSecret resource
+ type: string
+ template:
+ description: Template defines a blueprint for the created Secret resource.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ type: object
+ engineVersion:
+ default: v2
+ description: |-
+ EngineVersion specifies the template engine version
+ that should be used to compile/execute the
+ template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
+ type: string
+ mergePolicy:
+ default: Replace
+ enum:
+ - Replace
+ - Merge
+ type: string
+ metadata:
+ description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ templateFrom:
+ items:
+ properties:
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ literal:
+ type: string
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ target:
+ default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
+ type: string
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ type: object
+ namespaceSelector:
+ description: |-
+ The labels to select by to find the Namespaces to create the ExternalSecrets in.
+ Deprecated: Use NamespaceSelectors instead.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaceSelectors:
+ description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
+ items:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ namespaces:
+ description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
+ items:
+ type: string
+ type: array
+ refreshTime:
+ description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
+ type: string
+ required:
+ - externalSecretSpec
+ type: object
+ status:
+ description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
+ properties:
+ conditions:
+ items:
+ properties:
+ message:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ externalSecretName:
+ description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
+ type: string
+ failedNamespaces:
+ description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
+ items:
+ description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
+ properties:
+ namespace:
+ description: Namespace is the namespace that failed when trying to apply an ExternalSecret
+ type: string
+ reason:
+ description: Reason is why the ExternalSecret failed to apply to the namespace
+ type: string
+ required:
+ - namespace
+ type: object
+ type: array
+ provisionedNamespaces:
+ description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/clustersecretstore.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/clustersecretstore.yaml
new file mode 100644
index 000000000..de54e5587
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/clustersecretstore.yaml
@@ -0,0 +1,4643 @@
+{{- if and (.Values.installCRDs) (.Values.crds.createClusterSecretStore) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: clustersecretstores.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: ClusterSecretStore
+ listKind: ClusterSecretStoreList
+ plural: clustersecretstores
+ shortNames:
+ - css
+ singular: clustersecretstore
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ deprecated: true
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: |-
+ Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Akeyless. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Akeyless. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: |-
+ Reference to a Secret that contains the details
+ to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+ if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ auth:
+ description: |-
+ Auth defines the information necessary to authenticate against AWS
+ if not set aws sdk will infer credentials from your environment
+ see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: |-
+ AWSAuthSecretRef holds secret references for AWS credentials
+ both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the SecretManager provider will assume
+ type: string
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: |-
+ Auth type defines how to authenticate to the keyvault service.
+ Valid values are:
+ - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+ - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ properties:
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ serviceAccount:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with the Oracle Vault.
+ If empty, instance principal is used. Optionally, the authenticating principal type
+ and/or user data may be supplied for the use of workload identity and user principal.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: |-
+ Compartment is the vault compartment OCID.
+ Required for PushSecret
+ type: string
+ encryptionKey:
+ description: |-
+ EncryptionKey is the OCID of the encryption key within the vault.
+ Required for PushSecret
+ type: string
+ principalType:
+ description: |-
+ The type of principal to use for authentication. If left blank, the Auth struct will
+ determine the principal type. This optional field must be specified if using
+ workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ passworddepot:
+ description: Configures a store to sync secrets with a Password Depot instance.
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Password Depot instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ database:
+ description: Database to use as source
+ type: string
+ host:
+ description: URL configures the Password Depot instance URL.
+ type: string
+ required:
+ - auth
+ - database
+ - host
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ cert:
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
+ properties:
+ clientCert:
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ jwt:
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
+ type: string
+ role:
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
+ type: string
+ role:
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
+ type: string
+ readYourWrites:
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.capabilities
+ name: Capabilities
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ conditions:
+ description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ items:
+ description: |-
+ ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
+ for a ClusterSecretStore instance.
+ properties:
+ namespaceRegexes:
+ description: Choose namespaces by using regex matching
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: Choose namespace using a labelSelector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: |-
+ Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Akeyless. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Akeyless. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: |-
+ Reference to a Secret that contains the details
+ to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+ if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ additionalRoles:
+ description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
+ items:
+ type: string
+ type: array
+ auth:
+ description: |-
+ Auth defines the information necessary to authenticate against AWS
+ if not set aws sdk will infer credentials from your environment
+ see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: |-
+ AWSAuthSecretRef holds secret references for AWS credentials
+ both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ prefix:
+ description: Prefix adds a prefix to all retrieved values.
+ type: string
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the provider will assume
+ type: string
+ secretsManager:
+ description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+ properties:
+ forceDeleteWithoutRecovery:
+ description: |-
+ Specifies whether to delete the secret without any recovery window. You
+ can't use both this parameter and RecoveryWindowInDays in the same call.
+ If you don't use either, then by default Secrets Manager uses a 30 day
+ recovery window.
+ see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
+ type: boolean
+ recoveryWindowInDays:
+ description: |-
+ The number of days from 7 to 30 that Secrets Manager waits before
+ permanently deleting the secret. You can't use both this parameter and
+ ForceDeleteWithoutRecovery in the same call. If you don't use either,
+ then by default Secrets Manager uses a 30 day recovery window.
+ see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
+ format: int64
+ type: integer
+ type: object
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ sessionTags:
+ description: AWS STS assume role session tags
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ transitiveTagKeys:
+ description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
+ items:
+ type: string
+ type: array
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ properties:
+ clientCertificate:
+ description: The Azure ClientCertificate of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientId:
+ description: The Azure clientId of the service principle or managed identity used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ tenantId:
+ description: The Azure tenantId of the managed identity used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: |-
+ Auth type defines how to authenticate to the keyvault service.
+ Valid values are:
+ - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+ - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ environmentType:
+ default: PublicCloud
+ description: |-
+ EnvironmentType specifies the Azure cloud environment endpoints to use for
+ connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+ The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+ PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ enum:
+ - PublicCloud
+ - USGovernmentCloud
+ - ChinaCloud
+ - GermanCloud
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ beyondtrust:
+ description: Beyondtrust configures this store to sync secrets using Password Safe provider.
+ properties:
+ auth:
+ description: Auth configures how the operator authenticates with Beyondtrust.
+ properties:
+ certificate:
+ description: Content of the certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ certificateKey:
+ description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientId:
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecret
+ type: object
+ server:
+ description: Auth configures how API server works.
+ properties:
+ apiUrl:
+ type: string
+ clientTimeOutSeconds:
+ description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
+ type: integer
+ retrievalType:
+ description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
+ type: string
+ separator:
+ description: A character that separates the folder names.
+ type: string
+ verifyCA:
+ type: boolean
+ required:
+ - apiUrl
+ - verifyCA
+ type: object
+ required:
+ - auth
+ - server
+ type: object
+ bitwardensecretsmanager:
+ description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
+ properties:
+ apiURL:
+ type: string
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with a bitwarden machine account instance.
+ Make sure that the token being used has permissions on the given secret.
+ properties:
+ secretRef:
+ description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
+ properties:
+ credentials:
+ description: AccessToken used for the bitwarden instance.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - credentials
+ type: object
+ required:
+ - secretRef
+ type: object
+ bitwardenServerSDKURL:
+ type: string
+ caBundle:
+ description: |-
+ Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
+ can be performed.
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ identityURL:
+ type: string
+ organizationID:
+ description: OrganizationID determines which organization this secret store manages.
+ type: string
+ projectID:
+ description: ProjectID determines which project this secret store manages.
+ type: string
+ required:
+ - auth
+ - organizationID
+ - projectID
+ type: object
+ chef:
+ description: Chef configures this store to sync secrets with chef server
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against chef Server
+ properties:
+ secretRef:
+ description: ChefAuthSecretRef holds secret references for chef server login credentials.
+ properties:
+ privateKeySecretRef:
+ description: SecretKey is the Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - privateKeySecretRef
+ type: object
+ required:
+ - secretRef
+ type: object
+ serverUrl:
+ description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
+ type: string
+ username:
+ description: UserName should be the user ID on the chef server
+ type: string
+ required:
+ - auth
+ - serverUrl
+ - username
+ type: object
+ conjur:
+ description: Conjur configures this store to sync secrets using conjur provider
+ properties:
+ auth:
+ properties:
+ apikey:
+ properties:
+ account:
+ type: string
+ apiKeyRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ userRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - account
+ - apiKeyRef
+ - userRef
+ type: object
+ jwt:
+ properties:
+ account:
+ type: string
+ hostId:
+ description: |-
+ Optional HostID for JWT authentication. This may be used depending
+ on how the Conjur JWT authenticator policy is configured.
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional ServiceAccountRef specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
+ type: object
+ caBundle:
+ type: string
+ caProvider:
+ description: |-
+ Used to provide custom certificate authority (CA) certificates
+ for a secret store. The CAProvider points to a Secret or ConfigMap resource
+ that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ type: string
+ required:
+ - auth
+ - url
+ type: object
+ delinea:
+ description: |-
+ Delinea DevOps Secrets Vault
+ https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: |-
+ TLD is based on the server location that was chosen during provisioning.
+ If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: |-
+ URLTemplate
+ If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
+ device42:
+ description: Device42 configures this store to sync secrets using the Device42 provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Device42 instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ host:
+ description: URL configures the Device42 instance URL.
+ type: string
+ required:
+ - auth
+ - host
+ type: object
+ doppler:
+ description: Doppler configures this store to sync secrets using the Doppler provider
+ properties:
+ auth:
+ description: Auth configures how the Operator authenticates with the Doppler API
+ properties:
+ secretRef:
+ properties:
+ dopplerToken:
+ description: |-
+ The DopplerToken is used for authentication.
+ See https://docs.doppler.com/reference/api#authentication for auth token types.
+ The Key attribute defaults to dopplerToken if not specified.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - dopplerToken
+ type: object
+ required:
+ - secretRef
+ type: object
+ config:
+ description: Doppler config (required if not using a Service Token)
+ type: string
+ format:
+ description: Format enables the downloading of secrets as a file (string)
+ enum:
+ - json
+ - dotnet-json
+ - env
+ - yaml
+ - docker
+ type: string
+ nameTransformer:
+ description: Environment variable compatible name transforms that change secret names to a different format
+ enum:
+ - upper-camel
+ - camel
+ - lower-snake
+ - tf-var
+ - dotnet-env
+ - lower-kebab
+ type: string
+ project:
+ description: Doppler project (required if not using a Service Token)
+ type: string
+ required:
+ - auth
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ fortanix:
+ description: Fortanix configures this store to sync secrets using the Fortanix provider
+ properties:
+ apiKey:
+ description: APIKey is the API token to access SDKMS Applications.
+ properties:
+ secretRef:
+ description: SecretRef is a reference to a secret containing the SDKMS API Key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ apiUrl:
+ description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
+ type: string
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ location:
+ description: Location optionally defines a location for a secret
+ type: string
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ environment:
+ description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
+ type: string
+ groupIDs:
+ description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
+ items:
+ type: string
+ type: array
+ inheritFromGroups:
+ description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
+ type: boolean
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ containerAuth:
+ description: IBM Container-based auth with IAM Trusted Profile.
+ properties:
+ iamEndpoint:
+ type: string
+ profile:
+ description: the IBM Trusted Profile
+ type: string
+ tokenLocation:
+ description: Location the token is mounted on the pod
+ type: string
+ required:
+ - profile
+ type: object
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ infisical:
+ description: Infisical configures this store to sync secrets using the Infisical provider
+ properties:
+ auth:
+ description: Auth configures how the Operator authenticates with the Infisical API
+ properties:
+ universalAuthCredentials:
+ properties:
+ clientId:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecret
+ type: object
+ type: object
+ hostAPI:
+ default: https://app.infisical.com/api
+ type: string
+ secretsScope:
+ properties:
+ environmentSlug:
+ type: string
+ projectSlug:
+ type: string
+ recursive:
+ default: false
+ type: boolean
+ secretsPath:
+ default: /
+ type: string
+ required:
+ - environmentSlug
+ - projectSlug
+ type: object
+ required:
+ - auth
+ - secretsScope
+ type: object
+ keepersecurity:
+ description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
+ properties:
+ authRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ folderID:
+ type: string
+ required:
+ - authRef
+ - folderID
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ authRef:
+ description: A reference to a secret that contains the auth information.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ type: object
+ onboardbase:
+ description: Onboardbase configures this store to sync secrets using the Onboardbase provider
+ properties:
+ apiHost:
+ default: https://public.onboardbase.com/api/v1/
+ description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
+ type: string
+ auth:
+ description: Auth configures how the Operator authenticates with the Onboardbase API
+ properties:
+ apiKeyRef:
+ description: |-
+ OnboardbaseAPIKey is the APIKey generated by an admin account.
+ It is used to recognize and authorize access to a project and environment within onboardbase
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ passcodeRef:
+ description: OnboardbasePasscode is the passcode attached to the API Key
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - apiKeyRef
+ - passcodeRef
+ type: object
+ environment:
+ default: development
+ description: Environment is the name of an environmnent within a project to pull the secrets from
+ type: string
+ project:
+ default: development
+ description: Project is an onboardbase project that the secrets should be pulled from
+ type: string
+ required:
+ - apiHost
+ - auth
+ - environment
+ - project
+ type: object
+ onepassword:
+ description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against OnePassword Connect Server
+ properties:
+ secretRef:
+ description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
+ properties:
+ connectTokenSecretRef:
+ description: The ConnectToken is used for authentication to a 1Password Connect Server.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - connectTokenSecretRef
+ type: object
+ required:
+ - secretRef
+ type: object
+ connectHost:
+ description: ConnectHost defines the OnePassword Connect Server to connect to
+ type: string
+ vaults:
+ additionalProperties:
+ type: integer
+ description: Vaults defines which OnePassword vaults to search in which order
+ type: object
+ required:
+ - auth
+ - connectHost
+ - vaults
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with the Oracle Vault.
+ If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: |-
+ Compartment is the vault compartment OCID.
+ Required for PushSecret
+ type: string
+ encryptionKey:
+ description: |-
+ EncryptionKey is the OCID of the encryption key within the vault.
+ Required for PushSecret
+ type: string
+ principalType:
+ description: |-
+ The type of principal to use for authentication. If left blank, the Auth struct will
+ determine the principal type. This optional field must be specified if using
+ workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ passbolt:
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against Passbolt Server
+ properties:
+ passwordSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privateKeySecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - passwordSecretRef
+ - privateKeySecretRef
+ type: object
+ host:
+ description: Host defines the Passbolt Server to connect to
+ type: string
+ required:
+ - auth
+ - host
+ type: object
+ passworddepot:
+ description: Configures a store to sync secrets with a Password Depot instance.
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Password Depot instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ database:
+ description: Database to use as source
+ type: string
+ host:
+ description: URL configures the Password Depot instance URL.
+ type: string
+ required:
+ - auth
+ - database
+ - host
+ type: object
+ previder:
+ description: Previder configures this store to sync secrets using the Previder provider
+ properties:
+ auth:
+ description: PreviderAuth contains a secretRef for credentials.
+ properties:
+ secretRef:
+ description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
+ properties:
+ accessToken:
+ description: The AccessToken is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessToken
+ type: object
+ type: object
+ baseUri:
+ type: string
+ required:
+ - auth
+ type: object
+ pulumi:
+ description: Pulumi configures this store to sync secrets using the Pulumi provider
+ properties:
+ accessToken:
+ description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
+ properties:
+ secretRef:
+ description: SecretRef is a reference to a secret containing the Pulumi API token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ apiUrl:
+ default: https://api.pulumi.com/api/esc
+ description: APIURL is the URL of the Pulumi API.
+ type: string
+ environment:
+ description: |-
+ Environment are YAML documents composed of static key-value pairs, programmatic expressions,
+ dynamically retrieved values from supported providers including all major clouds,
+ and other Pulumi ESC environments.
+ To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
+ type: string
+ organization:
+ description: |-
+ Organization are a space to collaborate on shared projects and stacks.
+ To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
+ type: string
+ project:
+ description: Project is the name of the Pulumi ESC project the environment belongs to.
+ type: string
+ required:
+ - accessToken
+ - environment
+ - organization
+ - project
+ type: object
+ scaleway:
+ description: Scaleway
+ properties:
+ accessKey:
+ description: AccessKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ apiUrl:
+ description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
+ type: string
+ projectId:
+ description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
+ type: string
+ region:
+ description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
+ type: string
+ secretKey:
+ description: SecretKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - accessKey
+ - projectId
+ - region
+ - secretKey
+ type: object
+ secretserver:
+ description: |-
+ SecretServer configures this store to sync secrets using SecretServer provider
+ https://docs.delinea.com/online-help/secret-server/start.htm
+ properties:
+ password:
+ description: Password is the secret server account password.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ serverURL:
+ description: |-
+ ServerURL
+ URL to your secret server installation
+ type: string
+ username:
+ description: Username is the secret server account username.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - password
+ - serverURL
+ - username
+ type: object
+ senhasegura:
+ description: Senhasegura configures this store to sync secrets using senhasegura provider
+ properties:
+ auth:
+ description: Auth defines parameters to authenticate in senhasegura
+ properties:
+ clientId:
+ type: string
+ clientSecretSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecretSecretRef
+ type: object
+ ignoreSslCertificate:
+ default: false
+ description: IgnoreSslCertificate defines if SSL certificate must be ignored
+ type: boolean
+ module:
+ description: Module defines which senhasegura module should be used to get secrets
+ type: string
+ url:
+ description: URL of senhasegura
+ type: string
+ required:
+ - auth
+ - module
+ - url
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
+ type: string
+ roleRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role ID used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role id.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - secretRef
+ type: object
+ cert:
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
+ properties:
+ clientCert:
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ iam:
+ description: |-
+ Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
+ AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
+ jwt:
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
+ Deprecated: use serviceAccountRef.Audiences instead
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Deprecated: this will be removed in the future.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
+ type: string
+ role:
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
+ type: string
+ role:
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
+ Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ This will default to Vault.Namespace field if set, or empty otherwise
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ userPass:
+ description: UserPass authenticates with Vault by passing username/password pair
+ properties:
+ path:
+ default: user
+ description: |-
+ Path where the UserPassword authentication backend is mounted
+ in Vault, e.g: "user"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the
+ user used to authenticate with Vault using the UserPass authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a user name used to authenticate using the UserPass Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers to be added in Vault request
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
+ type: string
+ readYourWrites:
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ tls:
+ description: |-
+ The configuration used for client side related TLS communication, when the Vault server
+ requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
+ This parameter is ignored for plain HTTP protocol connection.
+ It's worth noting this configuration is different from the "TLS certificates auth method",
+ which is available under the `auth.cert` section.
+ properties:
+ certSecretRef:
+ description: |-
+ CertSecretRef is a certificate added to the transport layer
+ when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.crt'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ keySecretRef:
+ description: |-
+ KeySecretRef to a key in a Secret resource containing client private key
+ added to the transport layer when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.key'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ version:
+ default: v2
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexcertificatemanager:
+ description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ refreshInterval:
+ description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
+ type: integer
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ capabilities:
+ description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/ecrauthorizationtoken.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/ecrauthorizationtoken.yaml
new file mode 100644
index 000000000..f01805922
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/ecrauthorizationtoken.yaml
@@ -0,0 +1,178 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: ecrauthorizationtokens.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: ECRAuthorizationToken
+ listKind: ECRAuthorizationTokenList
+ plural: ecrauthorizationtokens
+ shortNames:
+ - ecrauthorizationtoken
+ singular: ecrauthorizationtoken
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
+ authorization token.
+ The authorization token is valid for 12 hours.
+ The authorizationToken returned is a base64 encoded string that can be decoded
+ and used in a docker login command to authenticate to a registry.
+ For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ auth:
+ description: Auth defines how to authenticate with AWS
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: |-
+ AWSAuthSecretRef holds secret references for AWS credentials
+ both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: Region specifies the region to operate in.
+ type: string
+ role:
+ description: |-
+ You can assume a role before making calls to the
+ desired AWS service.
+ type: string
+ required:
+ - region
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/externalsecret.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/externalsecret.yaml
new file mode 100644
index 000000000..c2dabe680
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/externalsecret.yaml
@@ -0,0 +1,820 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: externalsecrets.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: ExternalSecret
+ listKind: ExternalSecretList
+ plural: externalsecrets
+ shortNames:
+ - es
+ singular: externalsecret
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.secretStoreRef.name
+ name: Store
+ type: string
+ - jsonPath: .spec.refreshInterval
+ name: Refresh Interval
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ deprecated: true
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: ExternalSecret is the Schema for the external-secrets API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ExternalSecretSpec defines the desired state of ExternalSecret.
+ properties:
+ data:
+ description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+ items:
+ description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
+ properties:
+ remoteRef:
+ description: ExternalSecretDataRemoteRef defines Provider data location.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ secretKey:
+ type: string
+ required:
+ - remoteRef
+ - secretKey
+ type: object
+ type: array
+ dataFrom:
+ description: |-
+ DataFrom is used to fetch all properties from a specific Provider data
+ If multiple entries are specified, the Secret keys are merged in the specified order
+ items:
+ description: ExternalSecretDataRemoteRef defines Provider data location.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ refreshInterval:
+ default: 1h
+ description: |-
+ RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+ May be set to zero to fetch and create it once. Defaults to 1h.
+ type: string
+ secretStoreRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ target:
+ description: |-
+ ExternalSecretTarget defines the Kubernetes Secret to be created
+ There can be only one target per ExternalSecret.
+ properties:
+ creationPolicy:
+ default: Owner
+ description: |-
+ CreationPolicy defines rules on how to create the resulting Secret
+ Defaults to 'Owner'
+ enum:
+ - Owner
+ - Merge
+ - None
+ type: string
+ immutable:
+ description: Immutable defines if the final secret will be immutable
+ type: boolean
+ name:
+ description: |-
+ Name defines the name of the Secret resource to be managed
+ This field is immutable
+ Defaults to the .metadata.name of the ExternalSecret resource
+ type: string
+ template:
+ description: Template defines a blueprint for the created Secret resource.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ type: object
+ engineVersion:
+ default: v1
+ description: |-
+ EngineVersion specifies the template engine version
+ that should be used to compile/execute the
+ template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
+ type: string
+ metadata:
+ description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ templateFrom:
+ items:
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ required:
+ - secretStoreRef
+ - target
+ type: object
+ status:
+ properties:
+ binding:
+ description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ refreshTime:
+ description: |-
+ refreshTime is the time and date the external secret was fetched and
+ the target secret updated
+ format: date-time
+ nullable: true
+ type: string
+ syncedResourceVersion:
+ description: SyncedResourceVersion keeps track of the last synced version
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .spec.secretStoreRef.name
+ name: Store
+ type: string
+ - jsonPath: .spec.refreshInterval
+ name: Refresh Interval
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: ExternalSecret is the Schema for the external-secrets API.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: ExternalSecretSpec defines the desired state of ExternalSecret.
+ properties:
+ data:
+ description: Data defines the connection between the Kubernetes Secret keys and the Provider data
+ items:
+ description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.) and the Provider data.
+ properties:
+ remoteRef:
+ description: |-
+ RemoteRef points to the remote secret and defines
+ which secret (version/property/..) to fetch.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ metadataPolicy:
+ default: None
+ description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ secretKey:
+ description: |-
+ SecretKey defines the key in which the controller stores
+ the value. This is the key in the Kind=Secret
+ type: string
+ sourceRef:
+ description: |-
+ SourceRef allows you to override the source
+ from which the value will pulled from.
+ maxProperties: 1
+ properties:
+ generatorRef:
+ description: |-
+ GeneratorRef points to a generator custom resource.
+
+ Deprecated: The generatorRef is not implemented in .data[].
+ this will be removed with v1.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ storeRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ required:
+ - remoteRef
+ - secretKey
+ type: object
+ type: array
+ dataFrom:
+ description: |-
+ DataFrom is used to fetch all properties from a specific Provider data
+ If multiple entries are specified, the Secret keys are merged in the specified order
+ items:
+ properties:
+ extract:
+ description: |-
+ Used to extract multiple key/value pairs from one secret
+ Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ key:
+ description: Key is the key used in the Provider, mandatory
+ type: string
+ metadataPolicy:
+ default: None
+ description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
+ enum:
+ - None
+ - Fetch
+ type: string
+ property:
+ description: Used to select a specific property of the Provider value (if a map), if supported
+ type: string
+ version:
+ description: Used to select a specific version of the Provider value, if supported
+ type: string
+ required:
+ - key
+ type: object
+ find:
+ description: |-
+ Used to find secrets based on tags or regular expressions
+ Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
+ properties:
+ conversionStrategy:
+ default: Default
+ description: Used to define a conversion Strategy
+ enum:
+ - Default
+ - Unicode
+ type: string
+ decodingStrategy:
+ default: None
+ description: Used to define a decoding Strategy
+ enum:
+ - Auto
+ - Base64
+ - Base64URL
+ - None
+ type: string
+ name:
+ description: Finds secrets based on the name.
+ properties:
+ regexp:
+ description: Finds secrets base
+ type: string
+ type: object
+ path:
+ description: A root path to start the find operations.
+ type: string
+ tags:
+ additionalProperties:
+ type: string
+ description: Find secrets based on tags.
+ type: object
+ type: object
+ rewrite:
+ description: |-
+ Used to rewrite secret Keys after getting them from the secret Provider
+ Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
+ items:
+ properties:
+ regexp:
+ description: |-
+ Used to rewrite with regular expressions.
+ The resulting key will be the output of a regexp.ReplaceAll operation.
+ properties:
+ source:
+ description: Used to define the regular expression of a re.Compiler.
+ type: string
+ target:
+ description: Used to define the target pattern of a ReplaceAll operation.
+ type: string
+ required:
+ - source
+ - target
+ type: object
+ transform:
+ description: |-
+ Used to apply string transformation on the secrets.
+ The resulting key will be the output of the template applied by the operation.
+ properties:
+ template:
+ description: |-
+ Used to define the template to apply on the secret name.
+ `.value ` will specify the secret name in the template.
+ type: string
+ required:
+ - template
+ type: object
+ type: object
+ type: array
+ sourceRef:
+ description: |-
+ SourceRef points to a store or generator
+ which contains secret values ready to use.
+ Use this in combination with Extract or Find pull values out of
+ a specific SecretStore.
+ When sourceRef points to a generator Extract or Find is not supported.
+ The generator returns a static map of values
+ maxProperties: 1
+ properties:
+ generatorRef:
+ description: GeneratorRef points to a generator custom resource.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ storeRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ type: object
+ type: array
+ refreshInterval:
+ default: 1h
+ description: |-
+ RefreshInterval is the amount of time before the values are read again from the SecretStore provider
+ Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
+ May be set to zero to fetch and create it once. Defaults to 1h.
+ type: string
+ secretStoreRef:
+ description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
+ properties:
+ kind:
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ name:
+ description: Name of the SecretStore resource
+ type: string
+ required:
+ - name
+ type: object
+ target:
+ default:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ description: |-
+ ExternalSecretTarget defines the Kubernetes Secret to be created
+ There can be only one target per ExternalSecret.
+ properties:
+ creationPolicy:
+ default: Owner
+ description: |-
+ CreationPolicy defines rules on how to create the resulting Secret
+ Defaults to 'Owner'
+ enum:
+ - Owner
+ - Orphan
+ - Merge
+ - None
+ type: string
+ deletionPolicy:
+ default: Retain
+ description: |-
+ DeletionPolicy defines rules on how to delete the resulting Secret
+ Defaults to 'Retain'
+ enum:
+ - Delete
+ - Merge
+ - Retain
+ type: string
+ immutable:
+ description: Immutable defines if the final secret will be immutable
+ type: boolean
+ name:
+ description: |-
+ Name defines the name of the Secret resource to be managed
+ This field is immutable
+ Defaults to the .metadata.name of the ExternalSecret resource
+ type: string
+ template:
+ description: Template defines a blueprint for the created Secret resource.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ type: object
+ engineVersion:
+ default: v2
+ description: |-
+ EngineVersion specifies the template engine version
+ that should be used to compile/execute the
+ template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
+ type: string
+ mergePolicy:
+ default: Replace
+ enum:
+ - Replace
+ - Merge
+ type: string
+ metadata:
+ description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ templateFrom:
+ items:
+ properties:
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ literal:
+ type: string
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ target:
+ default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
+ type: string
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ type: object
+ status:
+ properties:
+ binding:
+ description: Binding represents a servicebinding.io Provisioned Service reference to the secret
+ properties:
+ name:
+ default: ""
+ description: |-
+ Name of the referent.
+ This field is effectively required, but due to backwards compatibility is
+ allowed to be empty. Instances of this type with an empty value here are
+ almost certainly wrong.
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ refreshTime:
+ description: |-
+ refreshTime is the time and date the external secret was fetched and
+ the target secret updated
+ format: date-time
+ nullable: true
+ type: string
+ syncedResourceVersion:
+ description: SyncedResourceVersion keeps track of the last synced version
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/fake.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/fake.yaml
new file mode 100644
index 000000000..6aa031763
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/fake.yaml
@@ -0,0 +1,87 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: fakes.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: Fake
+ listKind: FakeList
+ plural: fakes
+ shortNames:
+ - fake
+ singular: fake
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Fake generator is used for testing. It lets you define
+ a static set of credentials that is always returned.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: FakeSpec contains the static data.
+ properties:
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters VDS based on this property
+ type: string
+ data:
+ additionalProperties:
+ type: string
+ description: |-
+ Data defines the static data returned
+ by this generator.
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/gcraccesstoken.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/gcraccesstoken.yaml
new file mode 100644
index 000000000..2da8a843f
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/gcraccesstoken.yaml
@@ -0,0 +1,139 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: gcraccesstokens.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: GCRAccessToken
+ listKind: GCRAccessTokenList
+ plural: gcraccesstokens
+ shortNames:
+ - gcraccesstoken
+ singular: gcraccesstoken
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ GCRAccessToken generates an GCP access token
+ that can be used to authenticate with GCR.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ auth:
+ description: Auth defines the means for authenticating with GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID defines which project to use to authenticate with
+ type: string
+ required:
+ - auth
+ - projectID
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/githubaccesstoken.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/githubaccesstoken.yaml
new file mode 100644
index 000000000..a94a89f41
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/githubaccesstoken.yaml
@@ -0,0 +1,113 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: githubaccesstokens.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: GithubAccessToken
+ listKind: GithubAccessTokenList
+ plural: githubaccesstokens
+ shortNames:
+ - githubaccesstoken
+ singular: githubaccesstoken
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: GithubAccessToken generates ghs_ accessToken
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ appID:
+ type: string
+ auth:
+ description: Auth configures how ESO authenticates with a Github instance.
+ properties:
+ privateKey:
+ properties:
+ secretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - secretRef
+ type: object
+ required:
+ - privateKey
+ type: object
+ installID:
+ type: string
+ url:
+ description: URL configures the Github instance URL. Defaults to https://github.com/.
+ type: string
+ required:
+ - appID
+ - auth
+ - installID
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/password.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/password.yaml
new file mode 100644
index 000000000..ce250e8c5
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/password.yaml
@@ -0,0 +1,109 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: passwords.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: Password
+ listKind: PasswordList
+ plural: passwords
+ shortNames:
+ - password
+ singular: password
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Password generates a random password based on the
+ configuration parameters in spec.
+ You can specify the length, characterset and other attributes.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PasswordSpec controls the behavior of the password generator.
+ properties:
+ allowRepeat:
+ default: false
+ description: set AllowRepeat to true to allow repeating characters.
+ type: boolean
+ digits:
+ description: |-
+ Digits specifies the number of digits in the generated
+ password. If omitted it defaults to 25% of the length of the password
+ type: integer
+ length:
+ default: 24
+ description: |-
+ Length of the password to be generated.
+ Defaults to 24
+ type: integer
+ noUpper:
+ default: false
+ description: Set NoUpper to disable uppercase characters
+ type: boolean
+ symbolCharacters:
+ description: |-
+ SymbolCharacters specifies the special characters that should be used
+ in the generated password.
+ type: string
+ symbols:
+ description: |-
+ Symbols specifies the number of symbol characters in the generated
+ password. If omitted it defaults to 25% of the length of the password
+ type: integer
+ required:
+ - allowRepeat
+ - length
+ - noUpper
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/pushsecret.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/pushsecret.yaml
new file mode 100644
index 000000000..1d32c1043
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/pushsecret.yaml
@@ -0,0 +1,405 @@
+{{- if and (.Values.installCRDs) (.Values.crds.createPushSecret) }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: pushsecrets.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: PushSecret
+ listKind: PushSecretList
+ plural: pushsecrets
+ singular: pushsecret
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: PushSecretSpec configures the behavior of the PushSecret.
+ properties:
+ data:
+ description: Secret Data that should be pushed to providers
+ items:
+ properties:
+ conversionStrategy:
+ default: None
+ description: Used to define a conversion Strategy for the secret keys
+ enum:
+ - None
+ - ReverseUnicode
+ type: string
+ match:
+ description: Match a given Secret Key to be pushed to the provider.
+ properties:
+ remoteRef:
+ description: Remote Refs to push to providers.
+ properties:
+ property:
+ description: Name of the property in the resulting secret
+ type: string
+ remoteKey:
+ description: Name of the resulting provider secret.
+ type: string
+ required:
+ - remoteKey
+ type: object
+ secretKey:
+ description: Secret Key to be pushed
+ type: string
+ required:
+ - remoteRef
+ type: object
+ metadata:
+ description: |-
+ Metadata is metadata attached to the secret.
+ The structure of metadata is provider specific, please look it up in the provider documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - match
+ type: object
+ type: array
+ deletionPolicy:
+ default: None
+ description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
+ enum:
+ - Delete
+ - None
+ type: string
+ refreshInterval:
+ description: The Interval to which External Secrets will try to push a secret definition
+ type: string
+ secretStoreRefs:
+ items:
+ properties:
+ kind:
+ default: SecretStore
+ description: |-
+ Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
+ Defaults to `SecretStore`
+ type: string
+ labelSelector:
+ description: Optionally, sync to secret stores with label selector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ description: Optionally, sync to the SecretStore of the given name
+ type: string
+ type: object
+ type: array
+ selector:
+ description: The Secret Selector (k8s source) for the Push Secret
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ generatorRef:
+ description: Point to a generator to create a Secret.
+ properties:
+ apiVersion:
+ default: generators.external-secrets.io/v1alpha1
+ description: Specify the apiVersion of the generator resource
+ type: string
+ kind:
+ description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
+ type: string
+ name:
+ description: Specify the name of the generator resource
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ secret:
+ description: Select a Secret to Push.
+ properties:
+ name:
+ description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ template:
+ description: Template defines a blueprint for the created Secret resource.
+ properties:
+ data:
+ additionalProperties:
+ type: string
+ type: object
+ engineVersion:
+ default: v2
+ description: |-
+ EngineVersion specifies the template engine version
+ that should be used to compile/execute the
+ template specified in .data and .templateFrom[].
+ enum:
+ - v1
+ - v2
+ type: string
+ mergePolicy:
+ default: Replace
+ enum:
+ - Replace
+ - Merge
+ type: string
+ metadata:
+ description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ templateFrom:
+ items:
+ properties:
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ literal:
+ type: string
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ templateAs:
+ default: Values
+ enum:
+ - Values
+ - KeysAndValues
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ name:
+ type: string
+ required:
+ - items
+ - name
+ type: object
+ target:
+ default: Data
+ enum:
+ - Data
+ - Annotations
+ - Labels
+ type: string
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ updatePolicy:
+ default: Replace
+ description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
+ enum:
+ - Replace
+ - IfNotExists
+ type: string
+ required:
+ - secretStoreRefs
+ - selector
+ type: object
+ status:
+ description: PushSecretStatus indicates the history of the status of PushSecret.
+ properties:
+ conditions:
+ items:
+ description: PushSecretStatusCondition indicates the status of the PushSecret.
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ description: PushSecretConditionType indicates the condition of the PushSecret.
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ refreshTime:
+ description: |-
+ refreshTime is the time and date the external secret was fetched and
+ the target secret updated
+ format: date-time
+ nullable: true
+ type: string
+ syncedPushSecrets:
+ additionalProperties:
+ additionalProperties:
+ properties:
+ conversionStrategy:
+ default: None
+ description: Used to define a conversion Strategy for the secret keys
+ enum:
+ - None
+ - ReverseUnicode
+ type: string
+ match:
+ description: Match a given Secret Key to be pushed to the provider.
+ properties:
+ remoteRef:
+ description: Remote Refs to push to providers.
+ properties:
+ property:
+ description: Name of the property in the resulting secret
+ type: string
+ remoteKey:
+ description: Name of the resulting provider secret.
+ type: string
+ required:
+ - remoteKey
+ type: object
+ secretKey:
+ description: Secret Key to be pushed
+ type: string
+ required:
+ - remoteRef
+ type: object
+ metadata:
+ description: |-
+ Metadata is metadata attached to the secret.
+ The structure of metadata is provider specific, please look it up in the provider documentation.
+ x-kubernetes-preserve-unknown-fields: true
+ required:
+ - match
+ type: object
+ type: object
+ description: |-
+ Synced PushSecrets, including secrets that already exist in provider.
+ Matches secret stores to PushSecretData that was stored to that secret store.
+ type: object
+ syncedResourceVersion:
+ description: SyncedResourceVersion keeps track of the last synced version.
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/secretstore.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/secretstore.yaml
new file mode 100644
index 000000000..2cc9e4988
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/secretstore.yaml
@@ -0,0 +1,4643 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: secretstores.external-secrets.io
+spec:
+ group: external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ kind: SecretStore
+ listKind: SecretStoreList
+ plural: secretstores
+ shortNames:
+ - ss
+ singular: secretstore
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ deprecated: true
+ name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: |-
+ Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Akeyless. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Akeyless. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: |-
+ Reference to a Secret that contains the details
+ to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+ if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ auth:
+ description: |-
+ Auth defines the information necessary to authenticate against AWS
+ if not set aws sdk will infer credentials from your environment
+ see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: |-
+ AWSAuthSecretRef holds secret references for AWS credentials
+ both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the SecretManager provider will assume
+ type: string
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
+ properties:
+ clientId:
+ description: The Azure clientId of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: |-
+ Auth type defines how to authenticate to the keyvault service.
+ Valid values are:
+ - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+ - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ properties:
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ serviceAccount:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ required:
+ - auth
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with the Oracle Vault.
+ If empty, instance principal is used. Optionally, the authenticating principal type
+ and/or user data may be supplied for the use of workload identity and user principal.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: |-
+ Compartment is the vault compartment OCID.
+ Required for PushSecret
+ type: string
+ encryptionKey:
+ description: |-
+ EncryptionKey is the OCID of the encryption key within the vault.
+ Required for PushSecret
+ type: string
+ principalType:
+ description: |-
+ The type of principal to use for authentication. If left blank, the Auth struct will
+ determine the principal type. This optional field must be specified if using
+ workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ passworddepot:
+ description: Configures a store to sync secrets with a Password Depot instance.
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Password Depot instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ database:
+ description: Database to use as source
+ type: string
+ host:
+ description: URL configures the Password Depot instance URL.
+ type: string
+ required:
+ - auth
+ - database
+ - host
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
+ type: string
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - roleId
+ - secretRef
+ type: object
+ cert:
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
+ properties:
+ clientCert:
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ jwt:
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
+ type: string
+ role:
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
+ type: string
+ role:
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ namespace:
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
+ type: string
+ readYourWrites:
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ version:
+ default: v2
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .metadata.creationTimestamp
+ name: AGE
+ type: date
+ - jsonPath: .status.conditions[?(@.type=="Ready")].reason
+ name: Status
+ type: string
+ - jsonPath: .status.capabilities
+ name: Capabilities
+ type: string
+ - jsonPath: .status.conditions[?(@.type=="Ready")].status
+ name: Ready
+ type: string
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: SecretStoreSpec defines the desired state of SecretStore.
+ properties:
+ conditions:
+ description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
+ items:
+ description: |-
+ ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
+ for a ClusterSecretStore instance.
+ properties:
+ namespaceRegexes:
+ description: Choose namespaces by using regex matching
+ items:
+ type: string
+ type: array
+ namespaceSelector:
+ description: Choose namespace using a labelSelector
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ description: Choose namespaces by name
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters ES based on this property
+ type: string
+ provider:
+ description: Used to configure the provider. Only one provider may be set
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ akeyless:
+ description: Akeyless configures this store to sync secrets using Akeyless Vault provider
+ properties:
+ akeylessGWApiURL:
+ description: Akeyless GW API Url from which the secrets to be fetched from.
+ type: string
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Akeyless.
+ properties:
+ kubernetesAuth:
+ description: |-
+ Kubernetes authenticates with Akeyless by passing the ServiceAccount
+ token stored in the named Secret resource.
+ properties:
+ accessID:
+ description: the Akeyless Kubernetes auth-method access-id
+ type: string
+ k8sConfName:
+ description: Kubernetes-auth configuration name in Akeyless-Gateway
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Akeyless. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Akeyless. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - accessID
+ - k8sConfName
+ type: object
+ secretRef:
+ description: |-
+ Reference to a Secret that contains the details
+ to authenticate with Akeyless.
+ properties:
+ accessID:
+ description: The SecretAccessID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessType:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessTypeParam:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
+ if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ required:
+ - akeylessGWApiURL
+ - authSecretRef
+ type: object
+ alibaba:
+ description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
+ properties:
+ auth:
+ description: AlibabaAuth contains a secretRef for credentials.
+ properties:
+ rrsa:
+ description: Authenticate against Alibaba using RRSA.
+ properties:
+ oidcProviderArn:
+ type: string
+ oidcTokenFilePath:
+ type: string
+ roleArn:
+ type: string
+ sessionName:
+ type: string
+ required:
+ - oidcProviderArn
+ - oidcTokenFilePath
+ - roleArn
+ - sessionName
+ type: object
+ secretRef:
+ description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ accessKeySecretSecretRef:
+ description: The AccessKeySecret is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessKeyIDSecretRef
+ - accessKeySecretSecretRef
+ type: object
+ type: object
+ regionID:
+ description: Alibaba Region to be used for the provider
+ type: string
+ required:
+ - auth
+ - regionID
+ type: object
+ aws:
+ description: AWS configures this store to sync secrets using AWS Secret Manager provider
+ properties:
+ additionalRoles:
+ description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
+ items:
+ type: string
+ type: array
+ auth:
+ description: |-
+ Auth defines the information necessary to authenticate against AWS
+ if not set aws sdk will infer credentials from your environment
+ see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
+ properties:
+ jwt:
+ description: Authenticate against AWS using service account tokens.
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ secretRef:
+ description: |-
+ AWSAuthSecretRef holds secret references for AWS credentials
+ both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ prefix:
+ description: Prefix adds a prefix to all retrieved values.
+ type: string
+ region:
+ description: AWS Region to be used for the provider
+ type: string
+ role:
+ description: Role is a Role ARN which the provider will assume
+ type: string
+ secretsManager:
+ description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
+ properties:
+ forceDeleteWithoutRecovery:
+ description: |-
+ Specifies whether to delete the secret without any recovery window. You
+ can't use both this parameter and RecoveryWindowInDays in the same call.
+ If you don't use either, then by default Secrets Manager uses a 30 day
+ recovery window.
+ see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
+ type: boolean
+ recoveryWindowInDays:
+ description: |-
+ The number of days from 7 to 30 that Secrets Manager waits before
+ permanently deleting the secret. You can't use both this parameter and
+ ForceDeleteWithoutRecovery in the same call. If you don't use either,
+ then by default Secrets Manager uses a 30 day recovery window.
+ see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
+ format: int64
+ type: integer
+ type: object
+ service:
+ description: Service defines which service should be used to fetch the secrets
+ enum:
+ - SecretsManager
+ - ParameterStore
+ type: string
+ sessionTags:
+ description: AWS STS assume role session tags
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ transitiveTagKeys:
+ description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
+ items:
+ type: string
+ type: array
+ required:
+ - region
+ - service
+ type: object
+ azurekv:
+ description: AzureKV configures this store to sync secrets using Azure Key Vault provider
+ properties:
+ authSecretRef:
+ description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ properties:
+ clientCertificate:
+ description: The Azure ClientCertificate of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientId:
+ description: The Azure clientId of the service principle or managed identity used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: The Azure ClientSecret of the service principle used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ tenantId:
+ description: The Azure tenantId of the managed identity used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ authType:
+ default: ServicePrincipal
+ description: |-
+ Auth type defines how to authenticate to the keyvault service.
+ Valid values are:
+ - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
+ - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
+ enum:
+ - ServicePrincipal
+ - ManagedIdentity
+ - WorkloadIdentity
+ type: string
+ environmentType:
+ default: PublicCloud
+ description: |-
+ EnvironmentType specifies the Azure cloud environment endpoints to use for
+ connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
+ The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
+ PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
+ enum:
+ - PublicCloud
+ - USGovernmentCloud
+ - ChinaCloud
+ - GermanCloud
+ type: string
+ identityId:
+ description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ tenantId:
+ description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
+ type: string
+ vaultUrl:
+ description: Vault Url from which the secrets to be fetched from.
+ type: string
+ required:
+ - vaultUrl
+ type: object
+ beyondtrust:
+ description: Beyondtrust configures this store to sync secrets using Password Safe provider.
+ properties:
+ auth:
+ description: Auth configures how the operator authenticates with Beyondtrust.
+ properties:
+ certificate:
+ description: Content of the certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ certificateKey:
+ description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientId:
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecret
+ type: object
+ server:
+ description: Auth configures how API server works.
+ properties:
+ apiUrl:
+ type: string
+ clientTimeOutSeconds:
+ description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
+ type: integer
+ retrievalType:
+ description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
+ type: string
+ separator:
+ description: A character that separates the folder names.
+ type: string
+ verifyCA:
+ type: boolean
+ required:
+ - apiUrl
+ - verifyCA
+ type: object
+ required:
+ - auth
+ - server
+ type: object
+ bitwardensecretsmanager:
+ description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
+ properties:
+ apiURL:
+ type: string
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with a bitwarden machine account instance.
+ Make sure that the token being used has permissions on the given secret.
+ properties:
+ secretRef:
+ description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
+ properties:
+ credentials:
+ description: AccessToken used for the bitwarden instance.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - credentials
+ type: object
+ required:
+ - secretRef
+ type: object
+ bitwardenServerSDKURL:
+ type: string
+ caBundle:
+ description: |-
+ Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
+ can be performed.
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ identityURL:
+ type: string
+ organizationID:
+ description: OrganizationID determines which organization this secret store manages.
+ type: string
+ projectID:
+ description: ProjectID determines which project this secret store manages.
+ type: string
+ required:
+ - auth
+ - organizationID
+ - projectID
+ type: object
+ chef:
+ description: Chef configures this store to sync secrets with chef server
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against chef Server
+ properties:
+ secretRef:
+ description: ChefAuthSecretRef holds secret references for chef server login credentials.
+ properties:
+ privateKeySecretRef:
+ description: SecretKey is the Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - privateKeySecretRef
+ type: object
+ required:
+ - secretRef
+ type: object
+ serverUrl:
+ description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
+ type: string
+ username:
+ description: UserName should be the user ID on the chef server
+ type: string
+ required:
+ - auth
+ - serverUrl
+ - username
+ type: object
+ conjur:
+ description: Conjur configures this store to sync secrets using conjur provider
+ properties:
+ auth:
+ properties:
+ apikey:
+ properties:
+ account:
+ type: string
+ apiKeyRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ userRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - account
+ - apiKeyRef
+ - userRef
+ type: object
+ jwt:
+ properties:
+ account:
+ type: string
+ hostId:
+ description: |-
+ Optional HostID for JWT authentication. This may be used depending
+ on how the Conjur JWT authenticator policy is configured.
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Conjur using the JWT authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional ServiceAccountRef specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ serviceID:
+ description: The conjur authn jwt webservice id
+ type: string
+ required:
+ - account
+ - serviceID
+ type: object
+ type: object
+ caBundle:
+ type: string
+ caProvider:
+ description: |-
+ Used to provide custom certificate authority (CA) certificates
+ for a secret store. The CAProvider points to a Secret or ConfigMap resource
+ that contains a PEM-encoded certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ type: string
+ required:
+ - auth
+ - url
+ type: object
+ delinea:
+ description: |-
+ Delinea DevOps Secrets Vault
+ https://docs.delinea.com/online-help/products/devops-secrets-vault/current
+ properties:
+ clientId:
+ description: ClientID is the non-secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ clientSecret:
+ description: ClientSecret is the secret part of the credential.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ tenant:
+ description: Tenant is the chosen hostname / site name.
+ type: string
+ tld:
+ description: |-
+ TLD is based on the server location that was chosen during provisioning.
+ If unset, defaults to "com".
+ type: string
+ urlTemplate:
+ description: |-
+ URLTemplate
+ If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ - tenant
+ type: object
+ device42:
+ description: Device42 configures this store to sync secrets using the Device42 provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Device42 instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ host:
+ description: URL configures the Device42 instance URL.
+ type: string
+ required:
+ - auth
+ - host
+ type: object
+ doppler:
+ description: Doppler configures this store to sync secrets using the Doppler provider
+ properties:
+ auth:
+ description: Auth configures how the Operator authenticates with the Doppler API
+ properties:
+ secretRef:
+ properties:
+ dopplerToken:
+ description: |-
+ The DopplerToken is used for authentication.
+ See https://docs.doppler.com/reference/api#authentication for auth token types.
+ The Key attribute defaults to dopplerToken if not specified.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - dopplerToken
+ type: object
+ required:
+ - secretRef
+ type: object
+ config:
+ description: Doppler config (required if not using a Service Token)
+ type: string
+ format:
+ description: Format enables the downloading of secrets as a file (string)
+ enum:
+ - json
+ - dotnet-json
+ - env
+ - yaml
+ - docker
+ type: string
+ nameTransformer:
+ description: Environment variable compatible name transforms that change secret names to a different format
+ enum:
+ - upper-camel
+ - camel
+ - lower-snake
+ - tf-var
+ - dotnet-env
+ - lower-kebab
+ type: string
+ project:
+ description: Doppler project (required if not using a Service Token)
+ type: string
+ required:
+ - auth
+ type: object
+ fake:
+ description: Fake configures a store with static key/value pairs
+ properties:
+ data:
+ items:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ valueMap:
+ additionalProperties:
+ type: string
+ description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
+ type: object
+ version:
+ type: string
+ required:
+ - key
+ type: object
+ type: array
+ required:
+ - data
+ type: object
+ fortanix:
+ description: Fortanix configures this store to sync secrets using the Fortanix provider
+ properties:
+ apiKey:
+ description: APIKey is the API token to access SDKMS Applications.
+ properties:
+ secretRef:
+ description: SecretRef is a reference to a secret containing the SDKMS API Key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ apiUrl:
+ description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
+ type: string
+ type: object
+ gcpsm:
+ description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against GCP
+ properties:
+ secretRef:
+ properties:
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ workloadIdentity:
+ properties:
+ clusterLocation:
+ type: string
+ clusterName:
+ type: string
+ clusterProjectID:
+ type: string
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - clusterLocation
+ - clusterName
+ - serviceAccountRef
+ type: object
+ type: object
+ location:
+ description: Location optionally defines a location for a secret
+ type: string
+ projectID:
+ description: ProjectID project where secret is located
+ type: string
+ type: object
+ gitlab:
+ description: GitLab configures this store to sync secrets using GitLab Variables provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a GitLab instance.
+ properties:
+ SecretRef:
+ properties:
+ accessToken:
+ description: AccessToken is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - SecretRef
+ type: object
+ environment:
+ description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
+ type: string
+ groupIDs:
+ description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
+ items:
+ type: string
+ type: array
+ inheritFromGroups:
+ description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
+ type: boolean
+ projectID:
+ description: ProjectID specifies a project where secrets are located.
+ type: string
+ url:
+ description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
+ type: string
+ required:
+ - auth
+ type: object
+ ibm:
+ description: IBM configures this store to sync secrets using IBM Cloud provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the IBM secrets manager.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ containerAuth:
+ description: IBM Container-based auth with IAM Trusted Profile.
+ properties:
+ iamEndpoint:
+ type: string
+ profile:
+ description: the IBM Trusted Profile
+ type: string
+ tokenLocation:
+ description: Location the token is mounted on the pod
+ type: string
+ required:
+ - profile
+ type: object
+ secretRef:
+ properties:
+ secretApiKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ serviceUrl:
+ description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
+ type: string
+ required:
+ - auth
+ type: object
+ infisical:
+ description: Infisical configures this store to sync secrets using the Infisical provider
+ properties:
+ auth:
+ description: Auth configures how the Operator authenticates with the Infisical API
+ properties:
+ universalAuthCredentials:
+ properties:
+ clientId:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientSecret:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecret
+ type: object
+ type: object
+ hostAPI:
+ default: https://app.infisical.com/api
+ type: string
+ secretsScope:
+ properties:
+ environmentSlug:
+ type: string
+ projectSlug:
+ type: string
+ recursive:
+ default: false
+ type: boolean
+ secretsPath:
+ default: /
+ type: string
+ required:
+ - environmentSlug
+ - projectSlug
+ type: object
+ required:
+ - auth
+ - secretsScope
+ type: object
+ keepersecurity:
+ description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
+ properties:
+ authRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ folderID:
+ type: string
+ required:
+ - authRef
+ - folderID
+ type: object
+ kubernetes:
+ description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Kubernetes instance.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ cert:
+ description: has both clientCert and clientKey as secretKeySelector
+ properties:
+ clientCert:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ clientKey:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ serviceAccount:
+ description: points to a service account that should be used for authentication
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ token:
+ description: use static token to authenticate with
+ properties:
+ bearerToken:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ type: object
+ authRef:
+ description: A reference to a secret that contains the auth information.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ remoteNamespace:
+ default: default
+ description: Remote namespace to fetch the secrets from
+ type: string
+ server:
+ description: configures the Kubernetes server Address.
+ properties:
+ caBundle:
+ description: CABundle is a base64-encoded CA certificate
+ format: byte
+ type: string
+ caProvider:
+ description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ url:
+ default: kubernetes.default
+ description: configures the Kubernetes server Address.
+ type: string
+ type: object
+ type: object
+ onboardbase:
+ description: Onboardbase configures this store to sync secrets using the Onboardbase provider
+ properties:
+ apiHost:
+ default: https://public.onboardbase.com/api/v1/
+ description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
+ type: string
+ auth:
+ description: Auth configures how the Operator authenticates with the Onboardbase API
+ properties:
+ apiKeyRef:
+ description: |-
+ OnboardbaseAPIKey is the APIKey generated by an admin account.
+ It is used to recognize and authorize access to a project and environment within onboardbase
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ passcodeRef:
+ description: OnboardbasePasscode is the passcode attached to the API Key
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - apiKeyRef
+ - passcodeRef
+ type: object
+ environment:
+ default: development
+ description: Environment is the name of an environmnent within a project to pull the secrets from
+ type: string
+ project:
+ default: development
+ description: Project is an onboardbase project that the secrets should be pulled from
+ type: string
+ required:
+ - apiHost
+ - auth
+ - environment
+ - project
+ type: object
+ onepassword:
+ description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against OnePassword Connect Server
+ properties:
+ secretRef:
+ description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
+ properties:
+ connectTokenSecretRef:
+ description: The ConnectToken is used for authentication to a 1Password Connect Server.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - connectTokenSecretRef
+ type: object
+ required:
+ - secretRef
+ type: object
+ connectHost:
+ description: ConnectHost defines the OnePassword Connect Server to connect to
+ type: string
+ vaults:
+ additionalProperties:
+ type: integer
+ description: Vaults defines which OnePassword vaults to search in which order
+ type: object
+ required:
+ - auth
+ - connectHost
+ - vaults
+ type: object
+ oracle:
+ description: Oracle configures this store to sync secrets using Oracle Vault provider
+ properties:
+ auth:
+ description: |-
+ Auth configures how secret-manager authenticates with the Oracle Vault.
+ If empty, use the instance principal, otherwise the user credentials specified in Auth.
+ properties:
+ secretRef:
+ description: SecretRef to pass through sensitive information.
+ properties:
+ fingerprint:
+ description: Fingerprint is the fingerprint of the API private key.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privatekey:
+ description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - fingerprint
+ - privatekey
+ type: object
+ tenancy:
+ description: Tenancy is the tenancy OCID where user is located.
+ type: string
+ user:
+ description: User is an access OCID specific to the account.
+ type: string
+ required:
+ - secretRef
+ - tenancy
+ - user
+ type: object
+ compartment:
+ description: |-
+ Compartment is the vault compartment OCID.
+ Required for PushSecret
+ type: string
+ encryptionKey:
+ description: |-
+ EncryptionKey is the OCID of the encryption key within the vault.
+ Required for PushSecret
+ type: string
+ principalType:
+ description: |-
+ The type of principal to use for authentication. If left blank, the Auth struct will
+ determine the principal type. This optional field must be specified if using
+ workload identity.
+ enum:
+ - ""
+ - UserPrincipal
+ - InstancePrincipal
+ - Workload
+ type: string
+ region:
+ description: Region is the region where vault is located.
+ type: string
+ serviceAccountRef:
+ description: |-
+ ServiceAccountRef specified the service account
+ that should be used when authenticating with WorkloadIdentity.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ vault:
+ description: Vault is the vault's OCID of the specific vault where secret is located.
+ type: string
+ required:
+ - region
+ - vault
+ type: object
+ passbolt:
+ properties:
+ auth:
+ description: Auth defines the information necessary to authenticate against Passbolt Server
+ properties:
+ passwordSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ privateKeySecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - passwordSecretRef
+ - privateKeySecretRef
+ type: object
+ host:
+ description: Host defines the Passbolt Server to connect to
+ type: string
+ required:
+ - auth
+ - host
+ type: object
+ passworddepot:
+ description: Configures a store to sync secrets with a Password Depot instance.
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with a Password Depot instance.
+ properties:
+ secretRef:
+ properties:
+ credentials:
+ description: Username / Password is used for authentication.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - secretRef
+ type: object
+ database:
+ description: Database to use as source
+ type: string
+ host:
+ description: URL configures the Password Depot instance URL.
+ type: string
+ required:
+ - auth
+ - database
+ - host
+ type: object
+ previder:
+ description: Previder configures this store to sync secrets using the Previder provider
+ properties:
+ auth:
+ description: PreviderAuth contains a secretRef for credentials.
+ properties:
+ secretRef:
+ description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
+ properties:
+ accessToken:
+ description: The AccessToken is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - accessToken
+ type: object
+ type: object
+ baseUri:
+ type: string
+ required:
+ - auth
+ type: object
+ pulumi:
+ description: Pulumi configures this store to sync secrets using the Pulumi provider
+ properties:
+ accessToken:
+ description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
+ properties:
+ secretRef:
+ description: SecretRef is a reference to a secret containing the Pulumi API token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ apiUrl:
+ default: https://api.pulumi.com/api/esc
+ description: APIURL is the URL of the Pulumi API.
+ type: string
+ environment:
+ description: |-
+ Environment are YAML documents composed of static key-value pairs, programmatic expressions,
+ dynamically retrieved values from supported providers including all major clouds,
+ and other Pulumi ESC environments.
+ To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
+ type: string
+ organization:
+ description: |-
+ Organization are a space to collaborate on shared projects and stacks.
+ To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
+ type: string
+ project:
+ description: Project is the name of the Pulumi ESC project the environment belongs to.
+ type: string
+ required:
+ - accessToken
+ - environment
+ - organization
+ - project
+ type: object
+ scaleway:
+ description: Scaleway
+ properties:
+ accessKey:
+ description: AccessKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ apiUrl:
+ description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
+ type: string
+ projectId:
+ description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
+ type: string
+ region:
+ description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
+ type: string
+ secretKey:
+ description: SecretKey is the non-secret part of the api key.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - accessKey
+ - projectId
+ - region
+ - secretKey
+ type: object
+ secretserver:
+ description: |-
+ SecretServer configures this store to sync secrets using SecretServer provider
+ https://docs.delinea.com/online-help/secret-server/start.htm
+ properties:
+ password:
+ description: Password is the secret server account password.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ serverURL:
+ description: |-
+ ServerURL
+ URL to your secret server installation
+ type: string
+ username:
+ description: Username is the secret server account username.
+ properties:
+ secretRef:
+ description: SecretRef references a key in a secret that will be used as value.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ value:
+ description: Value can be specified directly to set a value without using a secret.
+ type: string
+ type: object
+ required:
+ - password
+ - serverURL
+ - username
+ type: object
+ senhasegura:
+ description: Senhasegura configures this store to sync secrets using senhasegura provider
+ properties:
+ auth:
+ description: Auth defines parameters to authenticate in senhasegura
+ properties:
+ clientId:
+ type: string
+ clientSecretSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - clientId
+ - clientSecretSecretRef
+ type: object
+ ignoreSslCertificate:
+ default: false
+ description: IgnoreSslCertificate defines if SSL certificate must be ignored
+ type: boolean
+ module:
+ description: Module defines which senhasegura module should be used to get secrets
+ type: string
+ url:
+ description: URL of senhasegura
+ type: string
+ required:
+ - auth
+ - module
+ - url
+ type: object
+ vault:
+ description: Vault configures this store to sync secrets using Hashi provider
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
+ type: string
+ roleRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role ID used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role id.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - secretRef
+ type: object
+ cert:
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
+ properties:
+ clientCert:
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ iam:
+ description: |-
+ Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
+ AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
+ jwt:
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
+ Deprecated: use serviceAccountRef.Audiences instead
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Deprecated: this will be removed in the future.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
+ type: string
+ role:
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
+ type: string
+ role:
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
+ Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ This will default to Vault.Namespace field if set, or empty otherwise
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ userPass:
+ description: UserPass authenticates with Vault by passing username/password pair
+ properties:
+ path:
+ default: user
+ description: |-
+ Path where the UserPassword authentication backend is mounted
+ in Vault, e.g: "user"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the
+ user used to authenticate with Vault using the UserPass authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a user name used to authenticate using the UserPass Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers to be added in Vault request
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
+ type: string
+ readYourWrites:
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ tls:
+ description: |-
+ The configuration used for client side related TLS communication, when the Vault server
+ requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
+ This parameter is ignored for plain HTTP protocol connection.
+ It's worth noting this configuration is different from the "TLS certificates auth method",
+ which is available under the `auth.cert` section.
+ properties:
+ certSecretRef:
+ description: |-
+ CertSecretRef is a certificate added to the transport layer
+ when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.crt'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ keySecretRef:
+ description: |-
+ KeySecretRef to a key in a Secret resource containing client private key
+ added to the transport layer when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.key'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ version:
+ default: v2
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ webhook:
+ description: Webhook configures this store to sync secrets using a generic templated webhook
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ yandexcertificatemanager:
+ description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ yandexlockbox:
+ description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
+ properties:
+ apiEndpoint:
+ description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
+ type: string
+ auth:
+ description: Auth defines the information necessary to authenticate against Yandex Lockbox
+ properties:
+ authorizedKeySecretRef:
+ description: The authorized key used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ caProvider:
+ description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
+ properties:
+ certSecretRef:
+ description: |-
+ A reference to a specific 'key' within a Secret resource,
+ In some instances, `key` is a required field.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ required:
+ - auth
+ type: object
+ type: object
+ refreshInterval:
+ description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
+ type: integer
+ retrySettings:
+ description: Used to configure http retries if failed
+ properties:
+ maxRetries:
+ format: int32
+ type: integer
+ retryInterval:
+ type: string
+ type: object
+ required:
+ - provider
+ type: object
+ status:
+ description: SecretStoreStatus defines the observed state of the SecretStore.
+ properties:
+ capabilities:
+ description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/uuid.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/uuid.yaml
new file mode 100644
index 000000000..d12aaf2f7
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/uuid.yaml
@@ -0,0 +1,72 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: uuids.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: UUID
+ listKind: UUIDList
+ plural: uuids
+ shortNames:
+ - uuids
+ singular: uuid
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: UUIDSpec controls the behavior of the uuid generator.
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/vaultdynamicsecret.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/vaultdynamicsecret.yaml
new file mode 100644
index 000000000..8459dbbac
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/vaultdynamicsecret.yaml
@@ -0,0 +1,708 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: vaultdynamicsecrets.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: VaultDynamicSecret
+ listKind: VaultDynamicSecretList
+ plural: vaultdynamicsecrets
+ shortNames:
+ - vaultdynamicsecret
+ singular: vaultdynamicsecret
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ controller:
+ description: |-
+ Used to select the correct ESO controller (think: ingress.ingressClassName)
+ The ESO controller is instantiated with a specific controller name and filters VDS based on this property
+ type: string
+ method:
+ description: Vault API method to use (GET/POST/other)
+ type: string
+ parameters:
+ description: Parameters to pass to Vault write (for non-GET methods)
+ x-kubernetes-preserve-unknown-fields: true
+ path:
+ description: Vault path to obtain the dynamic secret from
+ type: string
+ provider:
+ description: Vault provider common spec
+ properties:
+ auth:
+ description: Auth configures how secret-manager authenticates with the Vault server.
+ properties:
+ appRole:
+ description: |-
+ AppRole authenticates with Vault using the App Role auth mechanism,
+ with the role and secret stored in a Kubernetes Secret resource.
+ properties:
+ path:
+ default: approle
+ description: |-
+ Path where the App Role authentication backend is mounted
+ in Vault, e.g: "approle"
+ type: string
+ roleId:
+ description: |-
+ RoleID configured in the App Role authentication backend when setting
+ up the authentication backend in Vault.
+ type: string
+ roleRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role ID used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role id.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ Reference to a key in a Secret that contains the App Role secret used
+ to authenticate with Vault.
+ The `key` field must be specified and denotes which entry within the Secret
+ resource is used as the app role secret.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ - secretRef
+ type: object
+ cert:
+ description: |-
+ Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
+ Cert authentication method
+ properties:
+ clientCert:
+ description: |-
+ ClientCert is a certificate to authenticate using the Cert Vault
+ authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing client private key to
+ authenticate with Vault using the Cert authentication method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ iam:
+ description: |-
+ Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
+ AWS IAM authentication method
+ properties:
+ externalID:
+ description: AWS External ID set on assumed IAM roles
+ type: string
+ jwt:
+ description: Specify a service account with IRSA enabled
+ properties:
+ serviceAccountRef:
+ description: A reference to a ServiceAccount resource.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ type: object
+ path:
+ description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
+ type: string
+ region:
+ description: AWS region
+ type: string
+ role:
+ description: This is the AWS role to be assumed before talking to vault
+ type: string
+ secretRef:
+ description: Specify credentials in a Secret object
+ properties:
+ accessKeyIDSecretRef:
+ description: The AccessKeyID is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ secretAccessKeySecretRef:
+ description: The SecretAccessKey is used for authentication
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ sessionTokenSecretRef:
+ description: |-
+ The SessionToken used for authentication
+ This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
+ see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ vaultAwsIamServerID:
+ description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
+ type: string
+ vaultRole:
+ description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
+ type: string
+ required:
+ - vaultRole
+ type: object
+ jwt:
+ description: |-
+ Jwt authenticates with Vault by passing role and JWT token using the
+ JWT/OIDC authentication method
+ properties:
+ kubernetesServiceAccountToken:
+ description: |-
+ Optional ServiceAccountToken specifies the Kubernetes service account for which to request
+ a token for with the `TokenRequest` API.
+ properties:
+ audiences:
+ description: |-
+ Optional audiences field that will be used to request a temporary Kubernetes service
+ account token for the service account referenced by `serviceAccountRef`.
+ Defaults to a single audience `vault` it not specified.
+ Deprecated: use serviceAccountRef.Audiences instead
+ items:
+ type: string
+ type: array
+ expirationSeconds:
+ description: |-
+ Optional expiration time in seconds that will be used to request a temporary
+ Kubernetes service account token for the service account referenced by
+ `serviceAccountRef`.
+ Deprecated: this will be removed in the future.
+ Defaults to 10 minutes.
+ format: int64
+ type: integer
+ serviceAccountRef:
+ description: Service account field containing the name of a kubernetes ServiceAccount.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - serviceAccountRef
+ type: object
+ path:
+ default: jwt
+ description: |-
+ Path where the JWT authentication backend is mounted
+ in Vault, e.g: "jwt"
+ type: string
+ role:
+ description: |-
+ Role is a JWT role to authenticate using the JWT/OIDC Vault
+ authentication method
+ type: string
+ secretRef:
+ description: |-
+ Optional SecretRef that refers to a key in a Secret resource containing JWT token to
+ authenticate with Vault using the JWT/OIDC authentication method.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ required:
+ - path
+ type: object
+ kubernetes:
+ description: |-
+ Kubernetes authenticates with Vault by passing the ServiceAccount
+ token stored in the named Secret resource to the Vault server.
+ properties:
+ mountPath:
+ default: kubernetes
+ description: |-
+ Path where the Kubernetes authentication backend is mounted in Vault, e.g:
+ "kubernetes"
+ type: string
+ role:
+ description: |-
+ A required field containing the Vault Role to assume. A Role binds a
+ Kubernetes ServiceAccount with a set of Vault policies.
+ type: string
+ secretRef:
+ description: |-
+ Optional secret field containing a Kubernetes ServiceAccount JWT used
+ for authenticating with Vault. If a name is specified without a key,
+ `token` is the default. If one is not specified, the one bound to
+ the controller will be used.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ serviceAccountRef:
+ description: |-
+ Optional service account field containing the name of a kubernetes ServiceAccount.
+ If the service account is specified, the service account secret token JWT will be used
+ for authenticating with Vault. If the service account selector is not supplied,
+ the secretRef will be used instead.
+ properties:
+ audiences:
+ description: |-
+ Audience specifies the `aud` claim for the service account token
+ If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
+ then this audiences will be appended to the list
+ items:
+ type: string
+ type: array
+ name:
+ description: The name of the ServiceAccount resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - mountPath
+ - role
+ type: object
+ ldap:
+ description: |-
+ Ldap authenticates with Vault by passing username/password pair using
+ the LDAP authentication method
+ properties:
+ path:
+ default: ldap
+ description: |-
+ Path where the LDAP authentication backend is mounted
+ in Vault, e.g: "ldap"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the LDAP
+ user used to authenticate with Vault using the LDAP authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a LDAP user name used to authenticate using the LDAP Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
+ Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ This will default to Vault.Namespace field if set, or empty otherwise
+ type: string
+ tokenSecretRef:
+ description: TokenSecretRef authenticates with Vault by presenting a token.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ userPass:
+ description: UserPass authenticates with Vault by passing username/password pair
+ properties:
+ path:
+ default: user
+ description: |-
+ Path where the UserPassword authentication backend is mounted
+ in Vault, e.g: "user"
+ type: string
+ secretRef:
+ description: |-
+ SecretRef to a key in a Secret resource containing password for the
+ user used to authenticate with Vault using the UserPass authentication
+ method
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ username:
+ description: |-
+ Username is a user name used to authenticate using the UserPass Vault
+ authentication method
+ type: string
+ required:
+ - path
+ - username
+ type: object
+ type: object
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate Vault server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate Vault server certificate.
+ properties:
+ key:
+ description: The key where the CA certificate can be found in the Secret or ConfigMap.
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: |-
+ The namespace the Provider type is in.
+ Can only be defined when used in a ClusterSecretStore.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ forwardInconsistent:
+ description: |-
+ ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
+ leader instead of simply retrying within a loop. This can increase performance if
+ the option is enabled serverside.
+ https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
+ type: boolean
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers to be added in Vault request
+ type: object
+ namespace:
+ description: |-
+ Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
+ Vault environments to support Secure Multi-tenancy. e.g: "ns1".
+ More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
+ type: string
+ path:
+ description: |-
+ Path is the mount path of the Vault KV backend endpoint, e.g:
+ "secret". The v2 KV secret engine version specific "/data" path suffix
+ for fetching secrets from Vault is optional and will be appended
+ if not present in specified path.
+ type: string
+ readYourWrites:
+ description: |-
+ ReadYourWrites ensures isolated read-after-write semantics by
+ providing discovered cluster replication states in each request.
+ More information about eventual consistency in Vault can be found here
+ https://www.vaultproject.io/docs/enterprise/consistency
+ type: boolean
+ server:
+ description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
+ type: string
+ tls:
+ description: |-
+ The configuration used for client side related TLS communication, when the Vault server
+ requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
+ This parameter is ignored for plain HTTP protocol connection.
+ It's worth noting this configuration is different from the "TLS certificates auth method",
+ which is available under the `auth.cert` section.
+ properties:
+ certSecretRef:
+ description: |-
+ CertSecretRef is a certificate added to the transport layer
+ when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.crt'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ keySecretRef:
+ description: |-
+ KeySecretRef to a key in a Secret resource containing client private key
+ added to the transport layer when communicating with the Vault server.
+ If no key for the Secret is specified, external-secret will default to 'tls.key'.
+ properties:
+ key:
+ description: |-
+ The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
+ defaulted, in others it may be required.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ namespace:
+ description: |-
+ Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
+ to the namespace of the referent.
+ type: string
+ type: object
+ type: object
+ version:
+ default: v2
+ description: |-
+ Version is the Vault KV secret engine version. This can be either "v1" or
+ "v2". Version defaults to "v2".
+ enum:
+ - v1
+ - v2
+ type: string
+ required:
+ - auth
+ - server
+ type: object
+ resultType:
+ default: Data
+ description: |-
+ Result type defines which data is returned from the generator.
+ By default it is the "data" section of the Vault API response.
+ When using e.g. /auth/token/create the "data" section is empty but
+ the "auth" section contains the generated token.
+ Please refer to the vault docs regarding the result data structure.
+ enum:
+ - Data
+ - Auth
+ type: string
+ required:
+ - path
+ - provider
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/crds/webhook.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/crds/webhook.yaml
new file mode 100644
index 000000000..9e0c42cc1
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/crds/webhook.yaml
@@ -0,0 +1,158 @@
+{{- if .Values.installCRDs }}
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ {{- with .Values.crds.annotations }}
+ {{- toYaml . | nindent 4}}
+ {{- end }}
+ {{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+ controller-gen.kubebuilder.io/version: v0.16.3
+ labels:
+ external-secrets.io/component: controller
+ name: webhooks.generators.external-secrets.io
+spec:
+ group: generators.external-secrets.io
+ names:
+ categories:
+ - external-secrets
+ - external-secrets-generators
+ kind: Webhook
+ listKind: WebhookList
+ plural: webhooks
+ shortNames:
+ - webhookl
+ singular: webhook
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Webhook connects to a third party API server to handle the secrets generation
+ configuration parameters in spec.
+ You can specify the server, the token, and additional body parameters.
+ See documentation for the full API specification for requests and responses.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
+ properties:
+ body:
+ description: Body
+ type: string
+ caBundle:
+ description: |-
+ PEM encoded CA bundle used to validate webhook server certificate. Only used
+ if the Server URL is using HTTPS protocol. This parameter is ignored for
+ plain HTTP protocol connection. If not set the system root certificates
+ are used to validate the TLS connection.
+ format: byte
+ type: string
+ caProvider:
+ description: The provider for the CA bundle to use to validate webhook server certificate.
+ properties:
+ key:
+ description: The key the value inside of the provider type to use, only used with "Secret" type
+ type: string
+ name:
+ description: The name of the object located at the provider type.
+ type: string
+ namespace:
+ description: The namespace the Provider type is in.
+ type: string
+ type:
+ description: The type of provider to use such as "Secret", or "ConfigMap".
+ enum:
+ - Secret
+ - ConfigMap
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ headers:
+ additionalProperties:
+ type: string
+ description: Headers
+ type: object
+ method:
+ description: Webhook Method
+ type: string
+ result:
+ description: Result formatting
+ properties:
+ jsonPath:
+ description: Json path of return value
+ type: string
+ type: object
+ secrets:
+ description: |-
+ Secrets to fill in templates
+ These secrets will be passed to the templating function as key value pairs under the given name
+ items:
+ properties:
+ name:
+ description: Name of this secret in templates
+ type: string
+ secretRef:
+ description: Secret ref to fill in credentials
+ properties:
+ key:
+ description: The key where the token is found.
+ type: string
+ name:
+ description: The name of the Secret resource being referred to.
+ type: string
+ type: object
+ required:
+ - name
+ - secretRef
+ type: object
+ type: array
+ timeout:
+ description: Timeout
+ type: string
+ url:
+ description: Webhook url to call
+ type: string
+ required:
+ - result
+ - url
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+{{- if .Values.crds.conversion.enabled }}
+ conversion:
+ strategy: Webhook
+ webhook:
+ conversionReviewVersions:
+ - v1
+ clientConfig:
+ service:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ .Release.Namespace | quote }}
+ path: /convert
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/deployment.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/deployment.yaml
new file mode 100644
index 000000000..75a908e63
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/deployment.yaml
@@ -0,0 +1,146 @@
+{{- if .Values.createOperator }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "external-secrets.fullname" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ {{- with .Values.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+ {{- with .Values.podSecurityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ hostNetwork: {{ .Values.hostNetwork }}
+ containers:
+ - name: {{ .Chart.Name }}
+ {{- with .Values.securityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.image) | trim }}
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ {{- if or (.Values.leaderElect) (.Values.scopedNamespace) (.Values.processClusterStore) (.Values.processClusterExternalSecret) (.Values.concurrent) (.Values.extraArgs) }}
+ args:
+ {{- if .Values.leaderElect }}
+ - --enable-leader-election=true
+ {{- end }}
+ {{- if .Values.scopedNamespace }}
+ - --namespace={{ .Values.scopedNamespace }}
+ {{- end }}
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ - --enable-cluster-store-reconciler=false
+ - --enable-cluster-external-secret-reconciler=false
+ {{- else }}
+ {{- if not .Values.processClusterStore }}
+ - --enable-cluster-store-reconciler=false
+ {{- end }}
+ {{- if not .Values.processClusterExternalSecret }}
+ - --enable-cluster-external-secret-reconciler=false
+ {{- end }}
+ {{- end }}
+ {{- if not .Values.processPushSecret }}
+ - --enable-push-secret-reconciler=false
+ {{- end }}
+ {{- if .Values.controllerClass }}
+ - --controller-class={{ .Values.controllerClass }}
+ {{- end }}
+ {{- if .Values.extendedMetricLabels }}
+ - --enable-extended-metric-labels={{ .Values.extendedMetricLabels }}
+ {{- end }}
+ {{- if .Values.concurrent }}
+ - --concurrent={{ .Values.concurrent }}
+ {{- end }}
+ {{- range $key, $value := .Values.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ - --metrics-addr=:{{ .Values.metrics.listen.port }}
+ - --loglevel={{ .Values.log.level }}
+ - --zap-time-encoding={{ .Values.log.timeEncoding }}
+ ports:
+ - containerPort: {{ .Values.metrics.listen.port }}
+ protocol: TCP
+ name: metrics
+ {{- with .Values.extraEnv }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if .Values.extraVolumeMounts }}
+ volumeMounts:
+ {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ {{- if .Values.extraContainers }}
+ {{ toYaml .Values.extraContainers | nindent 8}}
+ {{- end }}
+ dnsPolicy: {{ .Values.dnsPolicy }}
+ {{- if .Values.dnsConfig }}
+ dnsConfig:
+ {{- toYaml .Values.dnsConfig | nindent 8 }}
+ {{- end }}
+ {{- if .Values.extraVolumes }}
+ volumes:
+ {{- toYaml .Values.extraVolumes | nindent 8 }}
+ {{- end }}
+ {{- with .Values.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity | default .Values.global.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations | default .Values.global.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: {{ .Values.priorityClassName }}
+ {{- end }}
+ {{- if .Values.podSpecExtra }}
+ {{- toYaml .Values.podSpecExtra | nindent 6 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/extra-manifests.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/extra-manifests.yaml
new file mode 100644
index 000000000..1dfe8f48f
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/extra-manifests.yaml
@@ -0,0 +1,4 @@
+{{- range .Values.extraObjects }}
+---
+{{ include "external-secrets.render" (dict "value" . "context" $) }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/poddisruptionbudget.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/poddisruptionbudget.yaml
new file mode 100644
index 000000000..7b75ca3f4
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/poddisruptionbudget.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-pdb
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+spec:
+ {{- if .Values.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/rbac.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/rbac.yaml
new file mode 100644
index 000000000..4f4ab48fe
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/rbac.yaml
@@ -0,0 +1,301 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-controller
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ namespace: {{ .Values.scopedNamespace | quote }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "secretstores"
+ - "clustersecretstores"
+ - "externalsecrets"
+ - "clusterexternalsecrets"
+ - "pushsecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ - "externalsecrets/status"
+ - "externalsecrets/finalizers"
+ - "secretstores"
+ - "secretstores/status"
+ - "secretstores/finalizers"
+ - "clustersecretstores"
+ - "clustersecretstores/status"
+ - "clustersecretstores/finalizers"
+ - "clusterexternalsecrets"
+ - "clusterexternalsecrets/status"
+ - "clusterexternalsecrets/finalizers"
+ - "pushsecrets"
+ - "pushsecrets/status"
+ - "pushsecrets/finalizers"
+ verbs:
+ - "get"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - "generators.external-secrets.io"
+ resources:
+ - "acraccesstokens"
+ - "ecrauthorizationtokens"
+ - "fakes"
+ - "gcraccesstokens"
+ - "githubaccesstokens"
+ - "passwords"
+ - "vaultdynamicsecrets"
+ - "webhooks"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - ""
+ resources:
+ - "serviceaccounts"
+ - "namespaces"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+ - "create"
+ - "update"
+ - "delete"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "serviceaccounts/token"
+ verbs:
+ - "create"
+ - apiGroups:
+ - ""
+ resources:
+ - "events"
+ verbs:
+ - "create"
+ - "patch"
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ verbs:
+ - "create"
+ - "update"
+ - "delete"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-view
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ namespace: {{ .Values.scopedNamespace | quote }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ - "secretstores"
+ - "clustersecretstores"
+ - "pushsecrets"
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
+ - apiGroups:
+ - "generators.external-secrets.io"
+ resources:
+ - "acraccesstokens"
+ - "ecrauthorizationtokens"
+ - "fakes"
+ - "gcraccesstokens"
+ - "githubaccesstokens"
+ - "passwords"
+ - "vaultdynamicsecrets"
+ - "webhooks"
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-edit
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ namespace: {{ .Values.scopedNamespace | quote }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ - "secretstores"
+ - "clustersecretstores"
+ - "pushsecrets"
+ verbs:
+ - "create"
+ - "delete"
+ - "deletecollection"
+ - "patch"
+ - "update"
+ - apiGroups:
+ - "generators.external-secrets.io"
+ resources:
+ - "acraccesstokens"
+ - "ecrauthorizationtokens"
+ - "fakes"
+ - "gcraccesstokens"
+ - "githubaccesstokens"
+ - "passwords"
+ - "vaultdynamicsecrets"
+ - "webhooks"
+ verbs:
+ - "create"
+ - "delete"
+ - "deletecollection"
+ - "patch"
+ - "update"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+kind: RoleBinding
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-controller
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ namespace: {{ .Values.scopedNamespace | quote }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ {{- if and .Values.scopedNamespace .Values.scopedRBAC }}
+ kind: Role
+ {{- else }}
+ kind: ClusterRole
+ {{- end }}
+ name: {{ include "external-secrets.fullname" . }}-controller
+subjects:
+ - name: {{ include "external-secrets.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ kind: ServiceAccount
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ resourceNames:
+ - "external-secrets-controller"
+ verbs:
+ - "get"
+ - "update"
+ - "patch"
+ - apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ verbs:
+ - "create"
+ - apiGroups:
+ - "coordination.k8s.io"
+ resources:
+ - "leases"
+ verbs:
+ - "get"
+ - "create"
+ - "update"
+ - "patch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "external-secrets.fullname" . }}-leaderelection
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "external-secrets.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+{{- if .Values.rbac.servicebindings.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-servicebindings
+ labels:
+ servicebinding.io/controller: "true"
+ {{- include "external-secrets.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - "external-secrets.io"
+ resources:
+ - "externalsecrets"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/service.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/service.yaml
new file mode 100644
index 000000000..94859a34e
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/service.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.metrics.service.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-metrics
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ {{- with .Values.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.metrics.service.port }}
+ protocol: TCP
+ targetPort: metrics
+ name: metrics
+ selector:
+ {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/serviceaccount.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ceaa98e1c
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "external-secrets.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/servicemonitor.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/servicemonitor.yaml
new file mode 100644
index 000000000..31451791a
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/servicemonitor.yaml
@@ -0,0 +1,164 @@
+{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-metrics
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.metrics.service.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+ labels:
+ {{- include "external-secrets.labels" . | nindent 4 }}
+{{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+ name: {{ include "external-secrets.fullname" . }}-metrics
+ namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "external-secrets.selectorLabels" . | nindent 6 }}
+ namespaceSelector:
+ matchNames:
+ - {{ template "external-secrets.namespace" . }}
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ honorLabels: {{ .Values.serviceMonitor.honorLabels }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+---
+{{- if .Values.webhook.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook-metrics
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook-metrics.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.webhook.metrics.service.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+{{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+ name: {{ include "external-secrets.fullname" . }}-webhook-metrics
+ namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "external-secrets-webhook-metrics.labels" . | nindent 6 }}
+ namespaceSelector:
+ matchNames:
+ - {{ template "external-secrets.namespace" . }}
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ honorLabels: {{ .Values.serviceMonitor.honorLabels }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
+---
+{{- if .Values.certController.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-cert-controller-metrics.labels" . | nindent 4 }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: {{ .Values.certController.metrics.listen.port }}
+ protocol: TCP
+ name: metrics
+ selector:
+ {{- include "external-secrets-cert-controller.selectorLabels" . | nindent 4 }}
+---
+apiVersion: "monitoring.coreos.com/v1"
+kind: ServiceMonitor
+metadata:
+ labels:
+ {{- include "external-secrets-cert-controller.labels" . | nindent 4 }}
+{{- if .Values.serviceMonitor.additionalLabels }}
+{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
+{{- end }}
+ name: {{ include "external-secrets.fullname" . }}-cert-controller-metrics
+ namespace: {{ .Values.serviceMonitor.namespace | default (include "external-secrets.namespace" .) | quote }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "external-secrets-cert-controller-metrics.labels" . | nindent 6 }}
+ namespaceSelector:
+ matchNames:
+ - {{ template "external-secrets.namespace" . }}
+ endpoints:
+ - port: metrics
+ interval: {{ .Values.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
+ honorLabels: {{ .Values.serviceMonitor.honorLabels }}
+ {{- with .Values.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/validatingwebhook.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/validatingwebhook.yaml
new file mode 100644
index 000000000..63b39763f
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/validatingwebhook.yaml
@@ -0,0 +1,78 @@
+{{- if .Values.webhook.create }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: secretstore-validate
+ labels:
+ external-secrets.io/component: webhook
+ {{- with .Values.commonLabels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+webhooks:
+- name: "validate.secretstore.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["secretstores"]
+ scope: "Namespaced"
+ clientConfig:
+ service:
+ namespace: {{ template "external-secrets.namespace" . }}
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ path: /validate-external-secrets-io-v1beta1-secretstore
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+
+- name: "validate.clustersecretstore.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["clustersecretstores"]
+ scope: "Cluster"
+ clientConfig:
+ service:
+ namespace: {{ template "external-secrets.namespace" . }}
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ path: /validate-external-secrets-io-v1beta1-clustersecretstore
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: externalsecret-validate
+ labels:
+ external-secrets.io/component: webhook
+ {{- with .Values.commonLabels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if and .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
+ annotations:
+ cert-manager.io/inject-ca-from: {{ template "external-secrets.namespace" . }}/{{ include "external-secrets.fullname" . }}-webhook
+ {{- end }}
+webhooks:
+- name: "validate.externalsecret.external-secrets.io"
+ rules:
+ - apiGroups: ["external-secrets.io"]
+ apiVersions: ["v1beta1"]
+ operations: ["CREATE", "UPDATE", "DELETE"]
+ resources: ["externalsecrets"]
+ scope: "Namespaced"
+ clientConfig:
+ service:
+ namespace: {{ template "external-secrets.namespace" . }}
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ path: /validate-external-secrets-io-v1beta1-externalsecret
+ admissionReviewVersions: ["v1", "v1beta1"]
+ sideEffects: None
+ timeoutSeconds: 5
+ failurePolicy: {{ .Values.webhook.failurePolicy}}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-certificate.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-certificate.yaml
new file mode 100644
index 000000000..adb19fd95
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-certificate.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.webhook.create .Values.webhook.certManager.enabled .Values.webhook.certManager.cert.create }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ external-secrets.io/component: webhook
+ {{- with .Values.webhook.certManager.cert.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ commonName: {{ include "external-secrets.fullname" . }}-webhook
+ dnsNames:
+ - {{ include "external-secrets.fullname" . }}-webhook
+ - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}
+ - {{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ issuerRef:
+ {{- toYaml .Values.webhook.certManager.cert.issuerRef | nindent 4 }}
+ {{- with .Values.webhook.certManager.cert.duration }}
+ duration: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.webhook.certManager.cert.renewBefore }}
+ renewBefore: {{ . | quote }}
+ {{- end }}
+ secretName: {{ include "external-secrets.fullname" . }}-webhook
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-deployment.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-deployment.yaml
new file mode 100644
index 000000000..7419a426b
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-deployment.yaml
@@ -0,0 +1,128 @@
+{{- if .Values.webhook.create }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ {{- with .Values.webhook.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.webhook.replicaCount }}
+ revisionHistoryLimit: {{ .Values.webhook.revisionHistoryLimit }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.webhook.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 8 }}
+ {{- with .Values.webhook.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.webhook.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ hostNetwork: {{ .Values.webhook.hostNetwork}}
+ serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
+ {{- with .Values.webhook.podSecurityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ containers:
+ - name: webhook
+ {{- with .Values.webhook.securityContext }}
+ {{- if and (.enabled) (gt (keys . | len) 1) }}
+ securityContext:
+ {{- include "external-secrets.renderSecurityContext" (dict "securityContext" . "context" $) | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ image: {{ include "external-secrets.image" (dict "chartAppVersion" .Chart.AppVersion "image" .Values.webhook.image) | trim }}
+ imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+ args:
+ - webhook
+ - --port={{ .Values.webhook.port }}
+ - --dns-name={{ include "external-secrets.fullname" . }}-webhook.{{ template "external-secrets.namespace" . }}.svc
+ - --cert-dir={{ .Values.webhook.certDir }}
+ - --check-interval={{ .Values.webhook.certCheckInterval }}
+ - --metrics-addr=:{{ .Values.webhook.metrics.listen.port }}
+ - --healthz-addr={{ .Values.webhook.readinessProbe.address }}:{{ .Values.webhook.readinessProbe.port }}
+ - --loglevel={{ .Values.webhook.log.level }}
+ - --zap-time-encoding={{ .Values.webhook.log.timeEncoding }}
+ {{- if .Values.webhook.lookaheadInterval }}
+ - --lookahead-interval={{ .Values.webhook.lookaheadInterval }}
+ {{- end }}
+ {{- range $key, $value := .Values.webhook.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- else }}
+ - --{{ $key }}
+ {{- end }}
+ {{- end }}
+ ports:
+ - containerPort: {{ .Values.webhook.metrics.listen.port }}
+ protocol: TCP
+ name: metrics
+ - containerPort: {{ .Values.webhook.port }}
+ protocol: TCP
+ name: webhook
+ readinessProbe:
+ httpGet:
+ port: {{ .Values.webhook.readinessProbe.port }}
+ path: /readyz
+ initialDelaySeconds: 20
+ periodSeconds: 5
+ {{- with .Values.webhook.extraEnv }}
+ env:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- with .Values.webhook.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - name: certs
+ mountPath: {{ .Values.webhook.certDir }}
+ readOnly: true
+ {{- if .Values.webhook.extraVolumeMounts }}
+ {{- toYaml .Values.webhook.extraVolumeMounts | nindent 12 }}
+ {{- end }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "external-secrets.fullname" . }}-webhook
+ {{- if .Values.webhook.extraVolumes }}
+ {{- toYaml .Values.webhook.extraVolumes | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.affinity | default .Values.global.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.tolerations | default .Values.global.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.webhook.priorityClassName }}
+ priorityClassName: {{ .Values.webhook.priorityClassName }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-poddisruptionbudget.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-poddisruptionbudget.yaml
new file mode 100644
index 000000000..58345ba68
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-poddisruptionbudget.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.webhook.create .Values.webhook.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook-pdb
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ external-secrets.io/component: webhook
+spec:
+ {{- if .Values.webhook.podDisruptionBudget.minAvailable }}
+ minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if .Values.webhook.podDisruptionBudget.maxUnavailable }}
+ maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "external-secrets-webhook.selectorLabels" . | nindent 6 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-secret.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-secret.yaml
new file mode 100644
index 000000000..fa7760ed6
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-secret.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.webhook.create (not .Values.webhook.certManager.enabled) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ external-secrets.io/component: webhook
+ {{- with .Values.webhook.secretAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-service.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-service.yaml
new file mode 100644
index 000000000..59dbddc95
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-service.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.webhook.create }}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "external-secrets.fullname" . }}-webhook
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ external-secrets.io/component: webhook
+ {{- if .Values.webhook.metrics.service.enabled }}
+ {{- with .Values.webhook.metrics.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ {{- if .Values.service.ipFamilyPolicy }}
+ ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }}
+ {{- end }}
+ {{- if .Values.service.ipFamilies }}
+ ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }}
+ {{- end }}
+ ports:
+ - port: 443
+ targetPort: {{ .Values.webhook.port }}
+ protocol: TCP
+ name: webhook
+ {{- if .Values.webhook.metrics.service.enabled }}
+ - port: {{ .Values.webhook.metrics.service.port }}
+ protocol: TCP
+ targetPort: metrics
+ name: metrics
+ {{- end }}
+ selector:
+ {{- include "external-secrets-webhook.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/templates/webhook-serviceaccount.yaml b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-serviceaccount.yaml
new file mode 100644
index 000000000..193621842
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/templates/webhook-serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.webhook.create .Values.webhook.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "external-secrets-webhook.serviceAccountName" . }}
+ namespace: {{ template "external-secrets.namespace" . }}
+ labels:
+ {{- include "external-secrets-webhook.labels" . | nindent 4 }}
+ {{- with .Values.webhook.serviceAccount.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.webhook.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/external-secrets/external-secrets/0.10.5/values.schema.json b/charts/external-secrets/external-secrets/0.10.5/values.schema.json
new file mode 100644
index 000000000..08cef96a3
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/values.schema.json
@@ -0,0 +1,905 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "properties": {
+ "affinity": {
+ "properties": {},
+ "type": "object"
+ },
+ "bitwarden-sdk-server": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "certController": {
+ "properties": {
+ "affinity": {
+ "properties": {},
+ "type": "object"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "deploymentAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "extraArgs": {
+ "properties": {},
+ "type": "object"
+ },
+ "extraEnv": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "hostNetwork": {
+ "type": "boolean"
+ },
+ "image": {
+ "properties": {
+ "flavour": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "imagePullSecrets": {
+ "type": "array"
+ },
+ "log": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "timeEncoding": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "metrics": {
+ "properties": {
+ "listen": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "properties": {},
+ "type": "object"
+ },
+ "podAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minAvailable": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "podLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "rbac": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "readinessProbe": {
+ "properties": {
+ "address": {
+ "type": "string"
+ },
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "requeueInterval": {
+ "type": "string"
+ },
+ "resources": {
+ "properties": {},
+ "type": "object"
+ },
+ "revisionHistoryLimit": {
+ "type": "integer"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "automount": {
+ "type": "boolean"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "extraLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "commonLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "concurrent": {
+ "type": "integer"
+ },
+ "controllerClass": {
+ "type": "string"
+ },
+ "crds": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "conversion": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "createClusterExternalSecret": {
+ "type": "boolean"
+ },
+ "createClusterSecretStore": {
+ "type": "boolean"
+ },
+ "createPushSecret": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "createOperator": {
+ "type": "boolean"
+ },
+ "deploymentAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "dnsConfig": {
+ "properties": {},
+ "type": "object"
+ },
+ "dnsPolicy": {
+ "type": "string"
+ },
+ "extendedMetricLabels": {
+ "type": "boolean"
+ },
+ "extraArgs": {
+ "properties": {},
+ "type": "object"
+ },
+ "extraContainers": {
+ "type": "array"
+ },
+ "extraEnv": {
+ "type": "array"
+ },
+ "extraObjects": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "global": {
+ "properties": {
+ "affinity": {
+ "properties": {},
+ "type": "object"
+ },
+ "compatibility": {
+ "properties": {
+ "openshift": {
+ "properties": {
+ "adaptSecurityContext": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "nodeSelector": {
+ "properties": {},
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "hostNetwork": {
+ "type": "boolean"
+ },
+ "image": {
+ "properties": {
+ "flavour": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "imagePullSecrets": {
+ "type": "array"
+ },
+ "installCRDs": {
+ "type": "boolean"
+ },
+ "leaderElect": {
+ "type": "boolean"
+ },
+ "log": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "timeEncoding": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "metrics": {
+ "properties": {
+ "listen": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "namespaceOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "properties": {},
+ "type": "object"
+ },
+ "podAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minAvailable": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "podLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "podSpecExtra": {
+ "properties": {},
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "processClusterExternalSecret": {
+ "type": "boolean"
+ },
+ "processClusterStore": {
+ "type": "boolean"
+ },
+ "processPushSecret": {
+ "type": "boolean"
+ },
+ "rbac": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "servicebindings": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "resources": {
+ "properties": {},
+ "type": "object"
+ },
+ "revisionHistoryLimit": {
+ "type": "integer"
+ },
+ "scopedNamespace": {
+ "type": "string"
+ },
+ "scopedRBAC": {
+ "type": "boolean"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "ipFamilies": {
+ "type": "array"
+ },
+ "ipFamilyPolicy": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "automount": {
+ "type": "boolean"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "extraLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "serviceMonitor": {
+ "properties": {
+ "additionalLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "honorLabels": {
+ "type": "boolean"
+ },
+ "interval": {
+ "type": "string"
+ },
+ "metricRelabelings": {
+ "type": "array"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "relabelings": {
+ "type": "array"
+ },
+ "scrapeTimeout": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
+ },
+ "webhook": {
+ "properties": {
+ "affinity": {
+ "properties": {},
+ "type": "object"
+ },
+ "certCheckInterval": {
+ "type": "string"
+ },
+ "certDir": {
+ "type": "string"
+ },
+ "certManager": {
+ "properties": {
+ "addInjectorAnnotations": {
+ "type": "boolean"
+ },
+ "cert": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "duration": {
+ "type": "string"
+ },
+ "issuerRef": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "renewBefore": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "deploymentAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "extraArgs": {
+ "properties": {},
+ "type": "object"
+ },
+ "extraEnv": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "failurePolicy": {
+ "type": "string"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "hostNetwork": {
+ "type": "boolean"
+ },
+ "image": {
+ "properties": {
+ "flavour": {
+ "type": "string"
+ },
+ "pullPolicy": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "imagePullSecrets": {
+ "type": "array"
+ },
+ "log": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "timeEncoding": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "lookaheadInterval": {
+ "type": "string"
+ },
+ "metrics": {
+ "properties": {
+ "listen": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "properties": {},
+ "type": "object"
+ },
+ "podAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "podDisruptionBudget": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "minAvailable": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "podLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "rbac": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "readinessProbe": {
+ "properties": {
+ "address": {
+ "type": "string"
+ },
+ "port": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "resources": {
+ "properties": {},
+ "type": "object"
+ },
+ "revisionHistoryLimit": {
+ "type": "integer"
+ },
+ "secretAnnotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seccompProfile": {
+ "properties": {
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "properties": {
+ "annotations": {
+ "properties": {},
+ "type": "object"
+ },
+ "automount": {
+ "type": "boolean"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "extraLabels": {
+ "properties": {},
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "topologySpreadConstraints": {
+ "type": "array"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+}
diff --git a/charts/external-secrets/external-secrets/0.10.5/values.yaml b/charts/external-secrets/external-secrets/0.10.5/values.yaml
new file mode 100644
index 000000000..21f4a94c3
--- /dev/null
+++ b/charts/external-secrets/external-secrets/0.10.5/values.yaml
@@ -0,0 +1,532 @@
+global:
+ nodeSelector: {}
+ tolerations: []
+ topologySpreadConstraints: []
+ affinity: {}
+ compatibility:
+ openshift:
+ # -- Manages the securityContext properties to make them compatible with OpenShift.
+ # Possible values:
+ # auto - Apply configurations if it is detected that OpenShift is the target platform.
+ # force - Always apply configurations.
+ # disabled - No modification applied.
+ adaptSecurityContext: auto
+
+replicaCount: 1
+
+bitwarden-sdk-server:
+ enabled: false
+
+# -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+revisionHistoryLimit: 10
+
+image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ pullPolicy: IfNotPresent
+ # -- The image tag to use. The default is the chart appVersion.
+ tag: ""
+ # -- The flavour of tag you want to use
+ # There are different image flavours available, like distroless and ubi.
+ # Please see GitHub release notes for image tags for these flavors.
+ # By default, the distroless image is used.
+ flavour: ""
+
+# -- If set, install and upgrade CRDs through helm chart.
+installCRDs: true
+
+crds:
+ # -- If true, create CRDs for Cluster External Secret.
+ createClusterExternalSecret: true
+ # -- If true, create CRDs for Cluster Secret Store.
+ createClusterSecretStore: true
+ # -- If true, create CRDs for Push Secret.
+ createPushSecret: true
+ annotations: {}
+ conversion:
+ enabled: true
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+namespaceOverride: ""
+
+# -- Additional labels added to all helm chart resources.
+commonLabels: {}
+
+# -- If true, external-secrets will perform leader election between instances to ensure no more
+# than one instance of external-secrets operates at a time.
+leaderElect: false
+
+# -- If set external secrets will filter matching
+# Secret Stores with the appropriate controller values.
+controllerClass: ""
+
+# -- If true external secrets will use recommended kubernetes
+# annotations as prometheus metric labels.
+extendedMetricLabels: false
+
+# -- If set external secrets are only reconciled in the
+# provided namespace
+scopedNamespace: ""
+
+# -- Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace
+# and implicitly disable cluster stores and cluster external secrets
+scopedRBAC: false
+
+# -- if true, the operator will process cluster external secret. Else, it will ignore them.
+processClusterExternalSecret: true
+
+# -- if true, the operator will process cluster store. Else, it will ignore them.
+processClusterStore: true
+
+# -- if true, the operator will process push secret. Else, it will ignore them.
+processPushSecret: true
+
+# -- Specifies whether an external secret operator deployment be created.
+createOperator: true
+
+# -- Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at
+# a time.
+concurrent: 1
+# -- Specifices Log Params to the Webhook
+log:
+ level: info
+ timeEncoding: epoch
+service:
+ # -- Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
+ ipFamilyPolicy: ""
+ # -- Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
+ ipFamilies: []
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Automounts the service account token in all containers of the pod
+ automount: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- Extra Labels to add to the service account.
+ extraLabels: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+
+rbac:
+ # -- Specifies whether role and rolebinding resources should be created.
+ create: true
+
+ servicebindings:
+ # -- Specifies whether a clusterrole to give servicebindings read access should be created.
+ create: true
+
+## -- Extra environment variables to add to container.
+extraEnv: []
+
+## -- Map of extra arguments to pass to container.
+extraArgs: {}
+
+## -- Extra volumes to pass to pod.
+extraVolumes: []
+
+## -- Extra Kubernetes objects to deploy with the helm chart
+extraObjects: []
+
+## -- Extra volumes to mount to the container.
+extraVolumeMounts: []
+
+## -- Extra containers to add to the pod.
+extraContainers: []
+
+# -- Annotations to add to Deployment
+deploymentAnnotations: {}
+
+# -- Annotations to add to Pod
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+ enabled: true
+ # fsGroup: 2000
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ enabled: true
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+
+resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+serviceMonitor:
+ # -- Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics
+ enabled: false
+
+ # -- namespace where you want to install ServiceMonitors
+ namespace: ""
+
+ # -- Additional labels
+ additionalLabels: {}
+
+ # -- Interval to scrape metrics
+ interval: 30s
+
+ # -- Timeout if metrics can't be retrieved in given time interval
+ scrapeTimeout: 25s
+
+ # -- Let prometheus add an exported_ prefix to conflicting labels
+ honorLabels: false
+
+ # -- Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
+ metricRelabelings: []
+ # - action: replace
+ # regex: (.*)
+ # replacement: $1
+ # sourceLabels:
+ # - exported_namespace
+ # targetLabel: namespace
+
+ # -- Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^(.*)$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+metrics:
+
+ listen:
+ port: 8080
+
+ service:
+ # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+ enabled: false
+
+ # -- Metrics service port to scrape
+ port: 8080
+
+ # -- Additional service annotations
+ annotations: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+topologySpreadConstraints: []
+
+affinity: {}
+
+# -- Pod priority class name.
+priorityClassName: ""
+
+# -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+ # maxUnavailable: 1
+
+# -- Run the controller on the host network
+hostNetwork: false
+
+webhook:
+ # -- Specifies whether a webhook deployment be created.
+ create: true
+ # -- Specifices the time to check if the cert is valid
+ certCheckInterval: "5m"
+ # -- Specifices the lookaheadInterval for certificate validity
+ lookaheadInterval: ""
+ replicaCount: 1
+ # -- Specifices Log Params to the Webhook
+ log:
+ level: info
+ timeEncoding: epoch
+ # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+ revisionHistoryLimit: 10
+
+ certDir: /tmp/certs
+ # -- Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore
+ failurePolicy: Fail
+ # -- Specifies if webhook pod should use hostNetwork or not.
+ hostNetwork: false
+ image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ pullPolicy: IfNotPresent
+ # -- The image tag to use. The default is the chart appVersion.
+ tag: ""
+ # -- The flavour of tag you want to use
+ flavour: ""
+ imagePullSecrets: []
+ nameOverride: ""
+ fullnameOverride: ""
+ # -- The port the webhook will listen to
+ port: 10250
+ rbac:
+ # -- Specifies whether role and rolebinding resources should be created.
+ create: true
+ serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Automounts the service account token in all containers of the pod
+ automount: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- Extra Labels to add to the service account.
+ extraLabels: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+ nodeSelector: {}
+
+ certManager:
+ # -- Enabling cert-manager support will disable the built in secret and
+ # switch to using cert-manager (installed separately) to automatically issue
+ # and renew the webhook certificate. This chart does not install
+ # cert-manager for you, See https://cert-manager.io/docs/
+ enabled: false
+ # -- Automatically add the cert-manager.io/inject-ca-from annotation to the
+ # webhooks and CRDs. As long as you have the cert-manager CA Injector
+ # enabled, this will automatically setup your webhook's CA to the one used
+ # by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector
+ addInjectorAnnotations: true
+ cert:
+ # -- Create a certificate resource within this chart. See
+ # https://cert-manager.io/docs/usage/certificate/
+ create: true
+ # -- For the Certificate created by this chart, setup the issuer. See
+ # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec
+ issuerRef:
+ group: cert-manager.io
+ kind: "Issuer"
+ name: "my-issuer"
+ # -- Set the requested duration (i.e. lifetime) of the Certificate. See
+ # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+ # One year by default.
+ duration: "8760h"
+ # -- How long before the currently issued certificate’s expiry
+ # cert-manager should renew the certificate. See
+ # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+ # Note that renewBefore should be greater than .webhook.lookaheadInterval
+ # since the webhook will check this far in advance that the certificate is
+ # valid.
+ renewBefore: ""
+ # -- Add extra annotations to the Certificate resource.
+ annotations: {}
+
+ tolerations: []
+
+ topologySpreadConstraints: []
+
+ affinity: {}
+
+ # -- Pod priority class name.
+ priorityClassName: ""
+
+ # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+ # maxUnavailable: 1
+
+ metrics:
+
+ listen:
+ port: 8080
+
+ service:
+ # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+ enabled: false
+
+ # -- Metrics service port to scrape
+ port: 8080
+
+ # -- Additional service annotations
+ annotations: {}
+
+
+ readinessProbe:
+ # -- Address for readiness probe
+ address: ""
+ # -- ReadinessProbe port for kubelet
+ port: 8081
+
+
+ ## -- Extra environment variables to add to container.
+ extraEnv: []
+
+ ## -- Map of extra arguments to pass to container.
+ extraArgs: {}
+
+ ## -- Extra volumes to pass to pod.
+ extraVolumes: []
+
+ ## -- Extra volumes to mount to the container.
+ extraVolumeMounts: []
+
+ # -- Annotations to add to Secret
+ secretAnnotations: {}
+
+ # -- Annotations to add to Deployment
+ deploymentAnnotations: {}
+
+ # -- Annotations to add to Pod
+ podAnnotations: {}
+
+ podLabels: {}
+
+ podSecurityContext:
+ enabled: true
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ enabled: true
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+
+ resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+certController:
+ # -- Specifies whether a certificate controller deployment be created.
+ create: true
+ requeueInterval: "5m"
+ replicaCount: 1
+ # -- Specifices Log Params to the Webhook
+ log:
+ level: info
+ timeEncoding: epoch
+ # -- Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy)
+ revisionHistoryLimit: 10
+
+ image:
+ repository: oci.external-secrets.io/external-secrets/external-secrets
+ pullPolicy: IfNotPresent
+ tag: ""
+ flavour: ""
+ imagePullSecrets: []
+ nameOverride: ""
+ fullnameOverride: ""
+ rbac:
+ # -- Specifies whether role and rolebinding resources should be created.
+ create: true
+ serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Automounts the service account token in all containers of the pod
+ automount: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- Extra Labels to add to the service account.
+ extraLabels: {}
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+ nodeSelector: {}
+
+ tolerations: []
+
+ topologySpreadConstraints: []
+
+ affinity: {}
+
+ # -- Run the certController on the host network
+ hostNetwork: false
+
+ # -- Pod priority class name.
+ priorityClassName: ""
+
+ # -- Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+ podDisruptionBudget:
+ enabled: false
+ minAvailable: 1
+ # maxUnavailable: 1
+
+ metrics:
+
+ listen:
+ port: 8080
+
+ service:
+ # -- Enable if you use another monitoring tool than Prometheus to scrape the metrics
+ enabled: false
+
+ # -- Metrics service port to scrape
+ port: 8080
+
+ # -- Additional service annotations
+ annotations: {}
+
+ readinessProbe:
+ # -- Address for readiness probe
+ address: ""
+ # -- ReadinessProbe port for kubelet
+ port: 8081
+
+ ## -- Extra environment variables to add to container.
+ extraEnv: []
+
+ ## -- Map of extra arguments to pass to container.
+ extraArgs: {}
+
+
+ ## -- Extra volumes to pass to pod.
+ extraVolumes: []
+
+ ## -- Extra volumes to mount to the container.
+ extraVolumeMounts: []
+
+ # -- Annotations to add to Deployment
+ deploymentAnnotations: {}
+
+ # -- Annotations to add to Pod
+ podAnnotations: {}
+
+ podLabels: {}
+
+ podSecurityContext:
+ enabled: true
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ enabled: true
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+
+ resources: {}
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+
+# -- Specifies `dnsPolicy` to deployment
+dnsPolicy: ClusterFirst
+
+# -- Specifies `dnsOptions` to deployment
+dnsConfig: {}
+
+# -- Any extra pod spec on the deployment
+podSpecExtra: {}
diff --git a/charts/instana/instana-agent/1.2.74/.helmignore b/charts/instana/instana-agent/1.2.74/.helmignore
new file mode 100644
index 000000000..b4fa6cb0d
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+# OWNERS file for helm
+OWNERS
diff --git a/charts/instana/instana-agent/1.2.74/Chart.yaml b/charts/instana/instana-agent/1.2.74/Chart.yaml
new file mode 100644
index 000000000..821447f44
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/Chart.yaml
@@ -0,0 +1,27 @@
+annotations:
+ artifacthub.io/links: |
+ - name: Instana website
+ url: https://www.ibm.com/products/instana
+ - name: Instana Helm charts
+ url: https://github.com/instana/helm-charts
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Instana Agent
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: instana-agent
+apiVersion: v2
+appVersion: 1.276.0
+description: Instana Agent for Kubernetes
+home: https://www.instana.com/
+icon: file://assets/icons/instana-agent.png
+kubeVersion: '>=1.21-0'
+maintainers:
+- email: felix.marx@ibm.com
+ name: FelixMarxIBM
+- email: henning.treu@ibm.com
+ name: htreu
+- email: torsten.kohn@ibm.com
+ name: tkohn
+name: instana-agent
+sources:
+- https://github.com/instana/instana-agent-docker
+version: 1.2.74
diff --git a/charts/instana/instana-agent/1.2.74/DEPLOYMENT.md b/charts/instana/instana-agent/1.2.74/DEPLOYMENT.md
new file mode 100644
index 000000000..510dea06d
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/DEPLOYMENT.md
@@ -0,0 +1,54 @@
+# Kubernetes Deployment Mode (tech preview)
+
+Instana has always endeavored to make the experience of using Instana as seamless as possible from auto-instrumentation to one-liner installs. To date for our customers with Kubernetes clusters containing more than 1,000 entities this wasn’t the case. The Kubernetes sensor as a deployment is one of many steps we’re taking to improve the experience of operating Instana in Kubernetes. This is a tech preview however we have a high degree of confidence it will work well in your production workloads. The fundamental change moves the Kubernetes sensor from the DaemonSet responsible for monitoring your hosts and processes into its own dedicated Deployment where it does not contend for resources with other sensors. An overview of this deployment is below:
+
+
+
+This change provides a few primary benefits including:
+
+* Lower load on the Kubernetes api-server as it eliminates per node pod monitoring.
+* Lower load on the Kubernetes api-server as it reduces the endpoint watch to 2 leader elector side cars.
+* Lower memory and CPU requests in the DaemonSet as it is no longer responsible for monitoring Kubernetes.
+* Elimination of the leader elector sidecar in the DaemonSet as it is only required for the Kubernetes sensor.
+* Better performance of the Kubernetes sensor as it is isolated from other sensors and does not contend for CPU and memory.
+* Better scaling behaviour as you can adjust the memory and CPU requirements to monitor your clusters without overprovisioning utilisation cluster wide.
+
+The primary drawback of this model in the tech preview include:
+
+* Reduced control and observability of the Kubernetes specific Agents in the Agent dashboard.
+* Some unnecessary features are still enabled in the Kubernetes sensor (e.g. trace sinks, and host monitoring).
+
+Some limitations remain unchanged from the previous sensor:
+
+* Clusters with a high number of entities (e.g. pods, deployments, etc) are likely to have non-deterministic behaviour due to limitations we impose on message sizes. This is unlikely to be experienced in clusters with fewer than 500 hosts.
+* The ServiceAccount is shared between both the DaemonSet and Deployment meaning no change in the security posture. We plan to add an additional service account to limit access to the api-server to only the Kubernetes sensor Deployment.
+
+## Installation
+
+For clusters with minimal controls you can install the tech preview with the following Helm install command:
+
+```
+helm template instana-agent \
+ --repo https://agents.instana.io/helm \
+ --namespace instana-agent \
+ --create-namespace \
+ --set agent.key=${AGENT_KEY} \
+ --set agent.endpointHost=${BACKEND_URL} \
+ --set agent.endpointPort=443 \
+ --set cluster.name=${CLUSTER_NAME} \
+ --set zone.name=${ZONE_NAME} \
+ --set kubernetes.deployment.enabled=true \
+ instana-agent
+```
+
+If your cluster employs Pod Security Policies you will need the following additional flag:
+
+```
+--set podSecurityPolicy.enable=true
+```
+
+If you are deploying into an OpenShift 4.x cluster you will need the following additional flag:
+
+```
+--set openshift=true
+```
diff --git a/charts/instana/instana-agent/1.2.74/README.md b/charts/instana/instana-agent/1.2.74/README.md
new file mode 100644
index 000000000..46c72b5a5
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/README.md
@@ -0,0 +1,694 @@
+# Instana
+
+Instana is an [APM solution](https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring, tracing and root cause analysis.
+This solution is optimized for [Kubernetes](https://www.instana.com/automatic-kubernetes-monitoring/).
+
+This chart adds the Instana Agent to all schedulable nodes in your cluster via a privileged `DaemonSet` and accompanying resources like `ConfigurationMap`s, `Secret`s and RBAC settings.
+
+## Prerequisites
+
+* Kubernetes 1.21+ OR OpenShift 4.8+
+* Helm 3
+
+## Installation
+
+To configure the installation you can either specify the options on the command line using the **--set** switch, or you can edit **values.yaml**.
+
+First, create a namespace for the instana-agent
+
+```bash
+kubectl create namespace instana-agent
+```
+
+To install the chart with the release name `instana-agent` and set the values on the command line run:
+
+```bash
+$ helm install instana-agent --namespace instana-agent \
+--repo https://agents.instana.io/helm \
+--set agent.key=INSTANA_AGENT_KEY \
+--set agent.endpointHost=HOST \
+--set zone.name=ZONE_NAME \
+instana-agent
+```
+
+**OpenShift:** When targetting an OpenShift 4.x cluster, add `--set openshift=true`.
+
+### Required Settings
+
+#### Configuring the Instana Backend
+
+In order to report the data it collects to the Instana backend for analysis, the Instana agent must know which backend to report to, and which credentials to use to authenticate, known as "agent key".
+
+As described by the [Install Using the Helm Chart](https://www.instana.com/docs/setup_and_manage/host_agent/on/kubernetes#install-using-the-helm-chart) documentation, you will find the right values for the following fields inside Instana itself:
+
+* `agent.endpointHost`
+* `agent.endpointPort`
+* `agent.key`
+
+_Note:_ You can find the options mentioned in the [configuration section below](#configuration-reference)
+
+If your agents report into a self-managed Instana unit (also known as "on-prem"), you will also need to configure a "download key", which allows the agent to fetch its components from the Instana repository.
+The download key is set via the following value:
+
+* `agent.downloadKey`
+
+#### Zone and Cluster
+
+Instana needs to know how to name your Kubernetes cluster and, optionally, how to group your Instana agents in [Custom zones](https://www.instana.com/docs/setup_and_manage/host_agent/configuration/#custom-zones) using the following fields:
+
+* `zone.name`
+* `cluster.name`
+
+Either `zone.name` or `cluster.name` are required.
+If you omit `cluster.name`, the value of `zone.name` will be used as cluster name as well.
+If you omit `zone.name`, the host zone will be automatically determined by the availability zone information provided by the [supported Cloud providers](https://www.instana.com/docs/setup_and_manage/cloud_service_agents).
+
+## Uninstallation
+
+To uninstall/delete the `instana-agent` release:
+
+```bash
+helm del instana-agent -n instana-agent
+```
+
+## Configuration Reference
+
+The following table lists the configurable parameters of the Instana chart and their default values.
+
+| Parameter | Description | Default |
+| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `agent.configuration_yaml` | Custom content for the agent configuration.yaml file | `nil` See [below](#agent-configuration) for more details |
+| `agent.configuration.autoMountConfigEntries` | (Experimental, needs Helm 3.1+) Automatically look up the entries of the default `instana-agent` ConfigMap, and mount as agent configuration files in the `instana-agent` container under the `/opt/instana/agent/etc/instana` directory all ConfigMap entries with keys that match the `configuration-*.yaml` scheme. | `false` |
+| `agent.configuration.hotreloadEnabled` | Enables hot-reload of a configuration.yaml upon changes in the `instana-agent` ConfigMap without requiring a restart of a pod | `false` |
+| `agent.endpointHost` | Instana Agent backend endpoint host | `ingress-red-saas.instana.io` (US and ROW). If in Europe, please override with `ingress-blue-saas.instana.io` |
+| `agent.endpointPort` | Instana Agent backend endpoint port | `443` |
+| `agent.key` | Your Instana Agent key | `nil` You must provide your own key unless `agent.keysSecret` is specified |
+| `agent.downloadKey` | Your Instana Download key | `nil` Usually not required |
+| `agent.keysSecret` | As an alternative to specifying `agent.key` and, optionally, `agent.downloadKey`, you can instead specify the name of the secret in the namespace in which you install the Instana agent that carries the agent key and download key | `nil` Usually not required, see [Bring your own Keys secret](#bring-your-own-keys-secret) for more details |
+| `agent.additionalBackends` | List of additional backends to report to; it must specify the `endpointHost` and `key` fields, and optionally `endpointPort` | `[]` Usually not required; see [Configuring Additional Backends](#configuring-additional-backends) for more info and examples |
+| `agent.tls.secretName` | The name of the secret of type `kubernetes.io/tls` which contains the TLS relevant data. If the name is provided, `agent.tls.certificate` and `agent.tls.key` will be ignored. | `nil` |
+| `agent.tls.certificate` | The certificate data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`. | `nil` |
+| `agent.tls.key` | The private key data encoded as base64. Which will be used to create a new secret of type `kubernetes.io/tls`. | `nil` |
+| `agent.image.name` | The image name to pull | `instana/agent` |
+| `agent.image.digest` | The image digest to pull; if specified, it causes `agent.image.tag` to be ignored | `nil` |
+| `agent.image.tag` | The image tag to pull; this property is ignored if `agent.image.digest` is specified | `latest` |
+| `agent.image.pullPolicy` | Image pull policy | `Always` |
+| `agent.image.pullSecrets` | Image pull secrets; if not specified (default) _and_ `agent.image.name` starts with `containers.instana.io`, it will be automatically set to `[{ "name": "containers-instana-io" }]` to match the default secret created in this case. | `nil` |
+| `agent.listenAddress` | List of addresses to listen on, or "*" for all interfaces | `nil` |
+| `agent.mode` | Agent mode. Supported values are `APM`, `INFRASTRUCTURE`, `AWS` | `APM` |
+| `agent.instanaMvnRepoUrl` | Override for the Maven repository URL when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
+| `agent.instanaMvnRepoFeaturesPath` | Override for the Maven repository features path the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
+| `agent.instanaMvnRepoSharedPath` | Override for the Maven repository shared path when the Agent needs to connect to a locally provided Maven repository 'proxy' | `nil` Usually not required |
+| `agent.updateStrategy.type` | [DaemonSet update strategy type](https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/); valid values are `OnDelete` and `RollingUpdate` | `RollingUpdate` |
+| `agent.updateStrategy.rollingUpdate.maxUnavailable` | How many agent pods can be updated at once; this value is ignored if `agent.updateStrategy.type` is different than `RollingUpdate` | `1` |
+| `agent.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available | `0` |
+| `agent.pod.annotations` | Additional annotations to apply to the pod | `{}` |
+| `agent.pod.labels` | Additional labels to apply to the Agent pod | `{}` |
+| `agent.pod.priorityClassName` | Name of an _existing_ PriorityClass that should be set on the agent pods | `nil` |
+| `agent.proxyHost` | Hostname/address of a proxy | `nil` |
+| `agent.proxyPort` | Port of a proxy | `nil` |
+| `agent.proxyProtocol` | Proxy protocol. Supported proxy types are `http` (for both HTTP and HTTPS proxies), `socks4`, `socks5`. | `nil` |
+| `agent.proxyUser` | Username of the proxy auth | `nil` |
+| `agent.proxyPassword` | Password of the proxy auth | `nil` |
+| `agent.proxyUseDNS` | Boolean if proxy also does DNS | `nil` |
+| `agent.pod.limits.cpu` | Container cpu limits in cpu cores | `1.5` |
+| `agent.pod.limits.memory` | Container memory limits in MiB | `768Mi` |
+| `agent.pod.requests.cpu` | Container cpu requests in cpu cores | `0.5` |
+| `agent.pod.requests.memory` | Container memory requests in MiB | `768Mi` |
+| `agent.pod.tolerations` | Tolerations for pod assignment | `[]` |
+| `agent.pod.affinity` | Affinity for pod assignment | `{}` |
+| `agent.serviceMesh.enabled` | Activate Instana Agent JVM monitoring service mesh support for Istio or OpenShift ServiceMesh | `true` |
+| `agent.env` | Additional environment variables for the agent | `{}` |
+| `agent.redactKubernetesSecrets` | Enable additional secrets redaction for selected Kubernetes resources | `nil` See [Kubernetes secrets](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#secrets) for more details. |
+| `cluster.name` | Display name of the monitored cluster | Value of `zone.name` |
+| `leaderElector.port` | Instana leader elector sidecar port | `42655` |
+| `leaderElector.image.name` | The elector image name to pull. _Note: leader-elector is deprecated and will no longer be updated._ | `instana/leader-elector` |
+| `leaderElector.image.digest` | The image digest to pull; if specified, it causes `leaderElector.image.tag` to be ignored. _Note: leader-elector is deprecated and will no longer be updated._ | `nil` |
+| `leaderElector.image.tag` | The image tag to pull; this property is ignored if `leaderElector.image.digest` is specified. _Note: leader-elector is deprecated and will no longer be updated._ | `latest` |
+| `k8s_sensor.deployment.enabled` | Isolate k8sensor with a deployment |
+| `k8s_sensor.deployment.minReadySeconds` | The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available | `0` | `true` |
+| `k8s_sensor.image.name` | The k8sensor image name to pull | `gcr.io/instana/k8sensor` |
+| `k8s_sensor.image.digest` | The image digest to pull; if specified, it causes `k8s_sensor.image.tag` to be ignored | `nil` |
+| `k8s_sensor.image.tag` | The image tag to pull; this property is ignored if `k8s_sensor.image.digest` is specified | `latest` |
+| `k8s_sensor.deployment.pod.limits.cpu` | CPU request for the `k8sensor` pods | `4` |
+| `k8s_sensor.deployment.pod.limits.memory` | Memory request limits for the `k8sensor` pods | `6144Mi` |
+| `k8s_sensor.deployment.pod.requests.cpu` | CPU limit for the `k8sensor` pods | `1.5` |
+| `k8s_sensor.deployment.pod.requests.memory` | Memory limit for the `k8sensor` pods | `1024Mi` |
+| `podSecurityPolicy.enable` | Whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to be `true` as well and it is available until Kubernetes version v1.25. | `false` See [PodSecurityPolicy](https://docs.instana.io/setup_and_manage/host_agent/on/kubernetes/#podsecuritypolicy) for more details. |
+| `podSecurityPolicy.name` | Name of an _existing_ PodSecurityPolicy to authorize for the Instana Agent pods. If not provided and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created for you. | `nil` |
+| `rbac.create` | Whether RBAC resources should be created | `true` |
+| `openshift` | Whether to install the Helm chart as needed in OpenShift; this setting implies `rbac.create=true` | `false` |
+| `opentelemetry.grpc.enabled` | Whether to configure the agent to accept telemetry from OpenTelemetry applications via gRPC. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `true` |
+| `opentelemetry.http.enabled` | Whether to configure the agent to accept telemetry from OpenTelemetry applications via HTTP. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `true` |
+| `prometheus.remoteWrite.enabled` | Whether to configure the agent to accept metrics over its implementation of the `remote_write` Prometheus endpoint. This option also implies `service.create=true`, and requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. | `false` |
+| `service.create` | Whether to create a service that exposes the agents' Prometheus, OpenTelemetry and other APIs inside the cluster. Requires Kubernetes 1.21+, as it relies on `internalTrafficPolicy`. The `ServiceInternalTrafficPolicy` feature gate needs to be enabled (default: enabled). | `true` |
+| `serviceAccount.create` | Whether a ServiceAccount should be created | `true` |
+| `serviceAccount.name` | Name of the ServiceAccount to use | `instana-agent` |
+| `serviceAccount.annotations` | Annotations to add to the service account | `{}` |
+| `zone.name` | Zone that detected technologies will be assigned to | `nil` You must provide either `zone.name` or `cluster.name`, see [above](#installation) for details |
+| `zones` | Multi-zone daemonset configuration. | `nil` see [below](#multiple-zones) for details |
+| `k8s_sensor.podDisruptionBudget.enabled` | Whether to create DisruptionBudget for k8sensor to limit the number of concurrent disruptions | `false` |
+| `k8s_sensor.deployment.pod.affinity` | `k8sensor` deployment affinity format | `podAntiAffinity` defined in `values.yaml` |
+
+### Agent Modes
+
+Agent can have either `APM` or `INFRASTRUCTURE`.
+Default is APM and if you want to override that, ensure you set value:
+
+* `agent.mode`
+
+For more information on agent modes, refer to the [Host Agent Modes](https://www.instana.com/docs/setup_and_manage/host_agent#host-agent-modes) documentation.
+
+### Agent Configuration
+
+Besides the settings listed above, there are many more settings that can be applied to the agent via the so-called "Agent Configuration File", often also referred to as `configuration.yaml` file.
+An overview of the settings that can be applied is provided in the [Agent Configuration File](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#agent-configuration-file) documentation.
+To configure the agent, you can either:
+
+* edit the [config map](templates/agent-configmap.yaml), or
+* provide the configuration via the `agent.configuration_yaml` parameter in [values.yaml](values.yaml)
+
+This configuration will be used for all Instana Agents on all nodes. Visit the [agent configuration documentation](https://docs.instana.io/setup_and_manage/host_agent/#agent-configuration-file) for more details on configuration options.
+
+_Note:_ This Helm Chart does not support configuring [Multiple Configuration Files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files).
+
+### Agent Pod Sizing
+
+The `agent.pod.requests.cpu`, `agent.pod.requests.memory`, `agent.pod.limits.cpu` and `agent.pod.limits.memory` settings allow you to change the sizing of the `instana-agent` pods.
+If you are using the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) functionality, you may be able to reduce the default amount of resources, and especially memory, allocated to the Instana agents that monitor your applications.
+Actual sizing data depends very much on how many pods, containers and applications are monitored, and how much traces they generate, so we cannot really provide a rule of thumb for the sizing.
+
+### Bring your own Keys secret
+
+In case you have automation that creates secrets for you, it may not be desirable for this Helm chart to create a secret containing the `agent.key` and `agent.downloadKey`.
+In this case, you can instead specify the name of an alread-existing secret in the namespace in which you install the Instana agent that carries the agent key and download key.
+
+The secret you specify The secret you specify _must_ have a field called `key`, which would contain the value you would otherwise set to `agent.key`, and _may_ contain a field called `downloadKey`, which would contain the value you would otherwise set to `agent.downloadKey`.
+
+### Configuring Additional Configuration Files
+
+[Multiple configuration files](https://www.instana.com/docs/setup_and_manage/host_agent/configuration#multiple-configuration-files) is a capability of the Instana agent that allows for modularity in its configurations files.
+
+The experimental `agent.configuration.autoMountConfigEntries`, which uses functionality available in Helm 3.1+ to automatically look up the entries of the default `instana-agent` ConfigMap, and mount as agent configuration files in the `instana-agent` container under the `/opt/instana/agent/etc/instana` directory all ConfigMap entries with keys that match the `configuration-*.yaml` scheme.
+
+**IMPORTANT:** Needs Helm 3.1+ as it is built on the `lookup` function
+**IMPORTANT:** Editing the ConfigMap adding keys requires a `helm upgrade` to take effect
+
+### Configuring Additional Backends
+
+You may want to have your Instana agents report to multiple backends.
+The first backend must be configured as shown in the [Configuring the Instana Backend](#configuring-the-instana-backend); every backend after the first, is configured in the `agent.additionalBackends` list in the [values.yaml](values.yaml) as follows:
+
+```yaml
+agent:
+ additionalBackends:
+ # Second backend
+ - endpointHost: my-instana.instana.io # endpoint host; e.g., my-instana.instana.io
+ endpointPort: 443 # default is 443, so this line could be omitted
+ key: ABCDEFG # agent key for this backend
+ # Third backend
+ - endpointHost: another-instana.instana.io # endpoint host; e.g., my-instana.instana.io
+ endpointPort: 1444 # default is 443, so this line could be omitted
+ key: LMNOPQR # agent key for this backend
+```
+
+The snippet above configures the agent to report to two additional backends.
+The same effect as the above can be accomplished via the command line via:
+
+```sh
+$ helm install -n instana-agent instana-agent ... \
+ --repo https://agents.instana.io/helm \
+ --set 'agent.additionalBackends[0].endpointHost=my-instana.instana.io' \
+ --set 'agent.additionalBackends[0].endpointPort=443' \
+ --set 'agent.additionalBackends[0].key=ABCDEFG' \
+ --set 'agent.additionalBackends[1].endpointHost=another-instana.instana.io' \
+ --set 'agent.additionalBackends[1].endpointPort=1444' \
+ --set 'agent.additionalBackends[1].key=LMNOPQR' \
+ instana-agent
+```
+
+_Note:_ There is no hard limitation on the number of backends an Instana agent can report to, although each comes at the cost of a slight increase in CPU and memory consumption.
+
+### Configuring a Proxy between the Instana agents and the Instana backend
+
+If your infrastructure uses a proxy, you should ensure that you set values for:
+
+* `agent.proxyHost`
+* `agent.pod.proxyPort`
+* `agent.pod.proxyProtocol`
+* `agent.pod.proxyUser`
+* `agent.pod.proxyPassword`
+* `agent.pod.proxyUseDNS`
+
+#### Same Proxy for Repository and the Instana backend
+
+If the same proxy is utilized for both backend and repository, configure only the 'Agent' proxy settings using the following parameter:
+ ```
+ --set agent.proxyHost=''
+ ```
+
+#### Separate Proxies for Repository and the Instana backend
+
+In scenarios where distinct proxy settings are employed for the backend and repository, both proxies must be configured separately. The key is to ensure that `INSTANA_REPOSITORY_PROXY_ENABLED=true` is set.
+
+To use this variant, execute helm install with the following additional parameters:
+
+```
+--set agent.proxyHost='Hostname/address of a proxy'
+--set agent.env.INSTANA_REPOSITORY_PROXY_ENABLED='true'
+--set agent.env.INSTANA_REPOSITORY_PROXY_HOST='Hostname/address of a proxy'
+```
+Make sure to replace 'Hostname/address of a proxy' with the actual hostname or address of your proxy.
+
+### Configuring which Networks the Instana Agent should listen on
+
+If your infrastructure has multiple networks defined, you might need to allow the agent to listen on all addresses (typically with value set to `*`):
+
+* `agent.listenAddress`
+
+### Setup TLS Encryption for Agent Endpoint
+
+TLS encryption can be added via two variants.
+Either an existing secret can be used or a certificate and a private key can be used during the installation.
+
+#### Using existing secret
+
+An existing secret of type `kubernetes.io/tls` can be used.
+Only the `secretName` must be provided during the installation with `--set 'agent.tls.secretName='`.
+The files from the provided secret are then mounted into the agent.
+
+#### Provide certificate and private key
+
+On the other side, a certificate and a private key can be added during the installation.
+The certificate and private key must be base64 encoded.
+
+To use this variant, execute `helm install` with the following additional parameters:
+
+```
+--set 'agent.tls.certificate='
+--set 'agent.tls.key='
+```
+
+If `agent.tls.secretName` is set, then `agent.tls.certificate` and `agent.tls.key` are ignored.
+
+### Development and debugging options
+
+These options will be rarely used outside of development or debugging of the agent.
+
+| Parameter | Description | Default |
+| ----------------------- | ------------------------------------------------ | ------- |
+| `agent.host.repository` | Host path to mount as the agent maven repository | `nil` |
+
+### Kubernetes Sensor Deployment
+
+ _Note: leader-elector and kubernetes sensor is deprecated and will no longer be updated. Instead, k8s_sensor should be used._
+
+The data about Kubernetes resources is collected by the Kubernetes sensor in the Instana agent.
+With default configurations, only one Instana agent at any one time is capturing the bulk of Kubernetes data.
+Which agent gets the task is coordinated by a leader elector mechanism running inside the `leader-elector` container of the `instana-agent` pods.
+However, on large Kubernetes clusters, the load on the one Instana agent that fetches the Kubernetes data can be substantial and, to some extent, has lead to rather "generous" resource requests and limits for all the Instana agents across the cluster, as any one of them could become the leader at some point.
+
+The Helm chart has a special mode, enabled by setting `k8s_sensor.deployment.enabled=true`, that will actually schedule additional Instana agents running _only_ the Kubernetes sensor that run in a dedicated `k8sensor` Deployment inside the `instana-agent` namespace.
+The pods containing agents that run only the Kubernetes sensor are called `k8sensor` pods.
+When `k8s_sensor.deployment.enabled=true`, the `instana-agent` pods running inside the daemonset do _not_ contain the `leader-elector` container, which is instead scheduled inside the `k8sensor` pods.
+
+The `instana-agent` and `k8sensor` pods share the same configurations in terms of backend-related configurations (including [additional backends](#configuring-additional-backends)).
+
+It is advised to use the `k8s_sensor.deployment.enabled=true` mode on clusters of more than 10 nodes, and in that case, you may be able to reduce the amount of resources assigned to the `instana-agent` pods, especially in terms of memory, using the [Agent Pod Sizing](#agent-pod-sizing) settings.
+The `k8s_sensor.deployment.pod.requests.cpu`, `k8s_sensor.deployment.pod.requests.memory`, `k8s_sensor.deployment.pod.limits.cpu` and `k8s_sensor.deployment.pod.limits.memory` settings, on the other hand, allows you to change the sizing of the `k8sensor` pods.
+
+#### Determine Special Mode Enabled
+
+To determine if Kubernetes sensor is running in a decidated `k8sensor` deployment, list deployments in the `instana-agent` namespace.
+
+```
+kubectl get deployments -n instana-agent
+```
+
+If it shows `k8sensor` in the list, then the special mode is enabled
+
+#### Upgrade Kubernetes Sensor
+
+To upgrade the kubernetes sensor to the lastest version, perform a rolling restart of the `k8sensor` deployment using the following command:
+
+```
+kubectl rollout restart deployment k8sensor -n instana-agent
+```
+
+### Multiple Zones
+
+You can list zones to use affinities and tolerations as the basis to associate a specific daemonset per tainted node pool. Each zone will have the following data:
+
+* `name` (required) - zone name.
+* `mode` (optional) - instana agent mode (e.g. APM, INFRASTRUCTURE, etc).
+* `affinity` (optional) - standard kubernetes pod affinity list for the daemonset.
+* `tolerations` (optional) - standard kubernetes pod toleration list for the daemonset.
+
+The following is an example that will create 2 zones an api-server and a worker zone:
+
+```yaml
+zones:
+ - name: workers
+ mode: APM
+ - name: api-server
+ mode: INFRASTRUCTURE
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ effect: "NoSchedule"
+```
+
+## Changelog
+
+### 1.2.74
+
+* Enable OTLP by default
+
+### 1.2.73
+
+* Fix label for `io.instana/zone` to reflect the real agent mode
+* Change the charts flag from ENABLE_AGENT_SOCKET to serviceMesh.enabled
+* Add type: DirectoryOrCreate to DaemonSet definitions to ensure required directories exist
+
+### 1.2.72
+
+* Add minReadySeconds field to agent daemonset yaml
+
+### 1.2.71
+
+* Fix usage of digest for pulling images
+
+### 1.2.70
+
+* Allow the configuration of `minReadySeconds` for the agent daemonset and deployment
+
+### 1.2.69
+
+* Add possibility to set annotations for the serviceAccount.
+
+### 1.2.68
+
+* Add leader elector configuration back to allow for proper deprecation
+
+### 1.2.67
+
+* Fix variable name in the K8s deployment
+
+### 1.2.66
+
+* Allign the default Memory requests to 768Mi for the Agent container.
+
+### 1.2.65
+
+* Ensure we have appropriate SCC when running with new K8s sensor.
+
+### 1.2.64
+
+* Remove RBAC not required by agent when kubernetes-sensor is disabed.
+* Add settings override for k8s-sensor affinity
+* Add optional pod disruption budget for k8s-sensor
+
+### 1.2.63
+
+* Add RBAC required to allow access to /metrics end-points.
+
+### 1.2.62
+
+* Include k8s-sensor resources in the default static YAML definitions
+
+### 1.2.61
+
+* Increase timeout and initialDelay for the Agent container
+* Add OTLP ports to headless service
+
+### 1.2.60
+
+* Enable the k8s_sensor by default
+
+### 1.2.59
+
+* Introduce unique selectorLabels and commonLabels for k8s-sensor deployment
+
+### 1.2.58
+
+* Default to `internalTrafficPolicy` instead of `topologyKeys` for rendering of static YAMLs
+
+### 1.2.57
+
+* Fix vulnerability in the leader-elector image
+
+### 1.2.49
+
+* Add zone name to label `io.instana/zone` in daemonset
+
+### 1.2.48
+
+* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
+* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
+
+### 1.2.47
+
+* Roll back the changes from version 1.2.46 to be compatible with the Agent Operator installation
+
+### 1.2.46
+
+* Use K8sensor by default.
+* kubernetes.deployment.enabled setting overrides k8s_sensor.deployment.enabled setting.
+* Use feature PSP flag in k8sensor ClusterRole only when podsecuritypolicy.enable is true.
+* Throw failure if customer specifies proxy with k8sensor.
+* Set env var INSTANA_KUBERNETES_REDACT_SECRETS true if agent.redactKubernetesSecrets is enabled.
+
+### 1.2.45
+
+* Use agent key secret in k8sensor deployment.
+
+### 1.2.44
+
+* Add support for enabling the hot-reload of `configuration.yaml` when the default `instana-agent` ConfigMap changes
+* Enablement is done via the flag `--set agent.configuration.hotreloadEnabled=true`
+
+### 1.2.43
+
+* Bump leader-elector image to v0.5.16 (Update dependencies)
+
+### 1.2.42
+
+* Add support for creating multiple zones within the same cluster using affinity and tolerations.
+
+### 1.2.41
+
+* Add additional permissions (HPA, ResourceQuotas, etc) to k8sensor clusterrole.
+
+### 1.2.40
+
+* Mount all system mounts mountPropagation: HostToContainer.
+
+### 1.2.39
+
+* Add NO_PROXY to k8sensor deployment to prevent api-server requests from being routed to the proxy.
+
+### 1.2.38
+
+* Fix issue related to EKS version format when enabling OTel service.
+
+### 1.2.37
+
+* Fix issue where cluster_zone is used as cluster_name when `k8s_sensor.deployment.enabled=true`.
+* Set `HTTPS_PROXY` in k8s deployment when proxy information is set.
+
+### 1.2.36
+
+* Remove Service `topologyKeys`, which was removed in Kubernetes v1.22. Replaced by `internalTrafficPolicy` which is available with Kubernetes v1.21+.
+
+### 1.2.35
+
+* Fix invalid backend port for new Kubernetes sensor (k8sensor)
+
+### 1.2.34
+
+* Add support for new Kubernetes sensor (k8sensor)
+ * New Kubernetes sensor can be used via the flag `--set k8s_sensor.deployment.enabled=true`
+
+### 1.2.33
+
+* Bump leader-elector image to v0.5.15 (Update dependencies)
+
+### 1.2.32
+
+* Add support for containerd montoring on TKGI
+
+### 1.2.31
+
+* Bump leader-elector image to v0.5.14 (Update dependencies)
+
+### 1.2.30
+
+* Pull agent image from IBM Cloud Container Registry (icr.io/instana/agent). No code changes have been made.
+* Bump leader-elector image to v0.5.13 and pull from IBM Cloud Container Registry (icr.io/instana/leader-elector). No code changes have been made.
+
+### 1.2.29
+
+* Add an additional port to the Instana Agent `Service` definition, for the OpenTelemetry registered IANA port 4317.
+
+### 1.2.28
+
+* Fix deployment when `cluster.name` is not specified. Should be allowed according to docs but previously broke the Pod
+ when starting up.
+
+### 1.2.27
+
+* Update leader elector image to `0.5.10` to tone down logging and make it configurable
+
+### 1.2.26
+
+* Add TLS support. An existing secret can be used of type `kubernetes.io/tls`. Or provide a certificate and a private key, which creates a new secret.
+* Update leader elector image version to 0.5.9 to support PPCle
+
+### 1.2.25
+
+* Add `agent.pod.labels` to add custom labels to the Instana Agent pods
+
+### 1.2.24
+
+* Bump leader-elector image to v0.5.8 which includes a health-check endpoint. Update the `livenessProbe`
+ correspondingly.
+
+### 1.2.23
+
+* Bump leader-elector image to v0.5.7 to fix a potential Golang bug in the elector
+
+### 1.2.22
+
+* Fix templating scope when defining multiple backends
+
+### 1.2.21
+
+* Internal updates
+
+### 1.2.20
+
+* upgrade leader-elector image to v0.5.6 to enable usage on s390x and arm64
+
+### 1.2.18 / 1.2.19
+
+* Internal change on generated DaemonSet YAML from the Helm charts
+
+### 1.2.17
+
+* Update Pod Security Policies as the `readOnly: true` appears not to be working for the mount points and
+ actually causes the Agent deployment to fail when these policies are enforced in the cluster.
+
+### 1.2.16
+
+* Add configuration option for `INSTANA_MVN_REPOSITORY_URL` setting on the Agent container.
+
+### 1.2.15
+
+* Internal pipeline changes. No significant changes to the Helm charts
+
+### v1.2.14
+
+* Update Agent container mounts. Make some read-only as we don't need all mounts with read-write permissions.
+ Additionally add the mount for `/var/data` which is needed in certain environments for the Agent to function
+ properly.
+
+### v1.2.13
+
+* Update memory settings specifically for the Kubernetes sensor (Technical Preview)
+
+### v1.2.11
+
+* Simplify setup for using OpenTelemetry and the Prometheus `remote_write` endpoint using the `opentelemetry.enabled` and `prometheus.remoteWrite.enabled` settings, respectively.
+
+### v1.2.9
+
+* **Technical Preview:** Introduce a new mode of running to the Kubernetes sensor using a dedicated deployment.
+ See the [Kubernetes Sensor Deployment](#kubernetes-sensor-deployment) section for more information.
+
+### v1.2.7
+
+* Fix: Make service opt-in, as it uses functionality (`topologyKeys`) that is available only in K8S 1.17+.
+
+### v1.2.6
+
+* Fix bug that might cause some OpenShift-specific resources to be created in other flavours of Kubernetes.
+
+### v1.2.5
+
+* Introduce the `instana-agent:instana-agent` Kubernetes service that allows you to talk to the Instana agent on the same node.
+
+### v1.2.3
+
+* Bug fix: Extend the built-in Pod Security Policy to cover the Docker socket mount for Tanzu Kubernetes Grid systems.
+
+### v1.2.1
+
+* Support OpenShift 4.x: just add --set openshift=true to the usual settings, and off you go :-)
+* Restructure documentation for consistency and readability
+* Deprecation: Helm 2 is no longer supported; the minimum Helm API version is now v2, which will make Helm 2 refuse to process the chart.
+
+### v1.1.10
+
+* Some linting of the whitespaces in the generated YAML
+
+### v1.1.9
+
+* Update the README to replace all references of `stable/instana-agent` with specifically setting the repo flag to `https://agents.instana.io/helm`.
+* Add support for TKGI and PKS systems, providing a workaround for the [unexpected Docker socket location](https://github.com/cloudfoundry-incubator/kubo-release/issues/329).
+
+### v1.1.7
+
+* Store the cluster name in a new `cluster-name` entry of the `instana-agent` ConfigMap rather than directly as the value of the `INSTANA_KUBERNETES_CLUSTER_NAME`, so that you can edit the cluster name in the ConfigMap in deployments like VMware Tanzu Kubernetes Grid in which, when installing the Instana agent over the [Instana tile](https://www.instana.com/docs/setup_and_manage/host_agent/on/vmware_tanzu), you do not have directly control to the configuration of the cluster name.
+If you edit the ConfigMap, you will need to delete the `instana-agent` pods for its new value to take effect.
+
+### v1.1.6
+
+* Allow to use user-specified memony measurement units in `agent.pod.requests.memory` and `agent.pod.limits.memory`.
+ If the value set is numerical, the Chart will assume it to be expressed in `Mi` for backwards compatibility.
+* Exposed `agent.updateStrategy.type` and `agent.updateStrategy.rollingUpdate.maxUnavailable` settings.
+
+### v1.1.5
+
+Restore compatibility with Helm 2 that was broken in v1.1.4 by the usage of the `lookup` function, a function actually introduced only with Helm 3.1.
+Coincidentally, this has been an _excellent_ opportunity to introduce `helm lint` to our validation pipeline and end-to-end tests with Helm 2 ;-)
+
+### v1.1.4
+
+* Bring-your-own secret for agent keys: using the new `agent.keysSecret` setting, you can specify the name of the secret that contains the agent key and, optionally, the download key; refer to [Bring your own Keys secret](#bring-your-own-keys-secret) for more details.
+* Add support for affinities for the instana agent pod via the `agent.pod.affinity` setting.
+* Put some love into the ArtifactHub.io metadata; likely to add some more improvements related to this over time.
+
+### v1.1.3
+
+* No new features, just ironing some wrinkles out of our release automation.
+
+### v1.1.2
+
+* Improvement: Seamless support for Instana static agent images: When using an `agent.image.name` starting with `containers.instana.io`, automatically create a secret called `containers-instana-io` containing the `.dockerconfigjson` for `containers.instana.io`, using `_` as username and `agent.downloadKey` or, if missing, `agent.key` as password. If you want to control the creation of the image pull secret, or disable it, you can use `agent.image.pullSecrets`, passing to it the YAML to use for the `imagePullSecrets` field of the Daemonset spec, including an empty array `[]` to mount no pull secrets, no matter what.
+
+### v1.1.1
+
+* Fix: Recreate the `instana-agent` pods when there is a change in one of the following configuration, which are mapped to the chart-managed ConfigMap:
+
+* `agent.configuration_yaml`
+* `agent.additional_backends`
+
+The pod recreation is achieved by annotating the `instana-agent` Pod with a new `instana-configuration-hash` annotation that has, as value, the SHA-1 hash of the configurations used to populate the ConfigMap.
+This way, when the configuration changes, the respective change in the `instana-configuration-hash` annotation will cause the agent pods to be recreated.
+This technique has been described at [1] (or, at least, that is were we learned about it) and it is pretty cool :-)
+
+### v1.1.0
+
+* Improvement: The `instana-agent` Helm chart has a new home at `https://agents.instana.io/helm` and `https://github.com/instana/helm-charts/instana-agent`!
+This release is functionally equivalent to `1.0.34`, but we bumped the major to denote the new location ;-)
+
+## References
+
+[1] ["Using Kubernetes Helm to push ConfigMap changes to your Deployments", by Sander Knape; Mar 7, 2019](https://sanderknape.com/2019/03/kubernetes-helm-configmaps-changes-deployments/)
diff --git a/charts/instana/instana-agent/1.2.74/app-readme.md b/charts/instana/instana-agent/1.2.74/app-readme.md
new file mode 100644
index 000000000..0e26c8623
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/app-readme.md
@@ -0,0 +1,5 @@
+# Instana
+
+Instana is an [APM solution(https://www.instana.com/) built for microservices that enables IT Ops to build applications faster and deliver higher quality services by automating monitoring tracing and root cause analysis. This solution is optimized for [Rancher](https://www.instana.com/rancher/).
+
+This chart adds the Instana Agent to all schedulable nodes in your cluster via a `DaemonSet`.
diff --git a/charts/instana/instana-agent/1.2.74/kubernetes.deployment.enabled.png b/charts/instana/instana-agent/1.2.74/kubernetes.deployment.enabled.png
new file mode 100644
index 000000000..9358f6f14
Binary files /dev/null and b/charts/instana/instana-agent/1.2.74/kubernetes.deployment.enabled.png differ
diff --git a/charts/instana/instana-agent/1.2.74/kubernetes_deployment_mode_diagram.py b/charts/instana/instana-agent/1.2.74/kubernetes_deployment_mode_diagram.py
new file mode 100644
index 000000000..b3c304cf6
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/kubernetes_deployment_mode_diagram.py
@@ -0,0 +1,20 @@
+from diagrams import Cluster, Diagram
+from diagrams.k8s.compute import Deploy, DaemonSet, Pod
+from diagrams.k8s.podconfig import ConfigMap
+
+with Diagram("kubernetes.deployment.enabled", show=True, direction="LR"):
+ ds = None
+ deploy = None
+ with Cluster("Namespace\ninstana-agent"):
+ with Cluster("Deployment\nkubernetes-sensor"):
+ deploy = Pod("2 Replicas\nKubernetes Sensor")
+
+ with Cluster("DaemonSet\ninstana-agent"):
+ ds = Pod('Per Node\nHost & APM')
+
+ cm = ConfigMap("instana-agent")
+ dcm = ConfigMap("instana-agent-deployment")
+
+ cm >> deploy
+ cm >> ds
+ dcm >> deploy
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/questions.yml b/charts/instana/instana-agent/1.2.74/questions.yml
new file mode 100644
index 000000000..bf9d1a46d
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/questions.yml
@@ -0,0 +1,236 @@
+questions:
+# Basic agent configuration
+- variable: agent.key
+ label: agent.key
+ description: "Your Instana Agent key is the secret token which your agent uses to authenticate to Instana's servers"
+ type: string
+ required: true
+ group: "Agent Configuration"
+- variable: agent.endpointHost
+ label: agent.endpointHost
+ description: "The hostname of the Instana server your agents will connect to. Defaults to ingress-red-saas.instana.io for US and ROW. If in Europe, please use ingress-blue-saas.instana.io"
+ type: string
+ required: true
+ default: "ingress-red-saas.instana.io"
+ group: "Agent Configuration"
+- variable: zone.name
+ label: zone.name
+ description: "Custom zone that detected technologies will be assigned to"
+ type: string
+ required: true
+ group: "Agent Configuration"
+# Advanced agent configuration
+- variable: advancedAgentConfiguration
+ description: "Show advanced configuration for the Instana Agent"
+ label: Show advanced configuration
+ type: boolean
+ default: false
+ show_subquestion_if: true
+ group: "Advanced Agent Configuration"
+ subquestions:
+ - variable: agent.configuration_yaml
+ label: agent.configuration_yaml (Optional)
+ description: "Custom content for the agent configuration.yaml file in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.downloadKey
+ label: agent.downloadKey (Optional)
+ description: "Your Instana download key"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.endpointPort
+ label: agent.endpointPort
+ description: "The Agent backend port number (as a string) of the Instana server your agents will connect to"
+ type: string
+ required: true
+ default: "443"
+ group: "Advanced Agent Configuration"
+ - variable: agent.image.name
+ label: agent.image.name
+ description: "The name of the Instana Agent container image"
+ type: string
+ required: true
+ default: "instana/agent"
+ group: "Advanced Agent Configuration"
+ - variable: agent.image.tag
+ label: agent.image.tag
+ description: "The tag name of the Instana Agent container image"
+ type: string
+ required: true
+ default: "latest"
+ group: "Advanced Agent Configuration"
+ - variable: agent.image.pullPolicy
+ label: agent.image.pullPolicy
+ description: "Specifies when to pull the Instana Agent image container"
+ type: string
+ required: true
+ default: "Always"
+ group: "Advanced Agent Configuration"
+ - variable: agent.listenAddress
+ label: agent.listenAddress (Optional)
+ description: "The IP address the agent HTTP server will listen to, or '*' for all interfaces"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.mode
+ label: agent.mode (Optional)
+ description: "Agent mode. Possible options are: APM, INFRASTRUCTURE or AWS"
+ type: enum
+ options:
+ - "APM"
+ - "INFRASTRUCTURE"
+ - "AWS"
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.annotations
+ label: agent.pod.annotations (Optional)
+ description: "Additional annotations to be added to the agent pods in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.limits.cpu
+ label: agent.pod.limits.cpu
+ description: "CPU units allocation limits for the agent pods"
+ type: string
+ required: true
+ default: "1.5"
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.limits.memory
+ label: agent.pod.limits.memory
+ description: "Memory allocation limits in MiB for the agent pods"
+ type: int
+ required: true
+ default: 512
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyHost
+ label: agent.pod.proxyHost (Optional)
+ description: "Hostname/address of a proxy. Sets the INSTANA_AGENT_PROXY_HOST environment variable"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyPort
+ label: agent.pod.proxyPort (Optional)
+ description: "Port of a proxy. Sets the INSTANA_AGENT_PROXY_PORT environment variable"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyProtocol
+ label: agent.pod.proxyProtocol (Optional)
+ description: "Proxy protocol. Sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable. Supported proxy types are http, socks4, socks5"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyUser
+ label: agent.pod.proxyUser (Optional)
+ description: "Username of the proxy auth. Sets the INSTANA_AGENT_PROXY_USER environment variable"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyPassword
+ label: agent.pod.proxyPassword (Optional)
+ description: "Password of the proxy auth. Sets the INSTANA_AGENT_PROXY_PASSWORD environment variable"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.proxyUseDNS
+ label: agent.pod.proxyUseDNS. (Optional)
+ description: "Boolean if proxy also does DNS. Sets the INSTANA_AGENT_PROXY_USE_DNS environment variable"
+ type: enum
+ options:
+ - "true"
+ - "false"
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.requests.cpu
+ label: agent.pod.requests.cpu
+ description: "Requested CPU units allocation for the agent pods"
+ type: string
+ required: true
+ default: "0.5"
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.requests.memory
+ label: agent.pod.requests.memory
+ description: "Requested memory allocation in MiB for the agent pods"
+ type: int
+ required: true
+ default: 512
+ group: "Advanced Agent Configuration"
+ - variable: agent.pod.tolerations
+ label: agent.pod.tolerations (Optional)
+ description: "Tolerations to influence agent pod assignment in YAML format. Please use the 'Edit as YAML' feature in the Rancher UI for the best editing experience."
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: agent.redactKubernetesSecrets
+ label: agent.redactKubernetesSecrets (Optional)
+ description: "Enable additional secrets redaction for selected Kubernetes resources"
+ type: boolean
+ required: false
+ default: false
+ group: "Advanced Agent Configuration"
+ - variable: cluster.name
+ label: cluster.name (Optional)
+ description: "The name that will be assigned to this cluster in Instana. See the 'Installing the Chart' section in the 'Detailed Descriptions' tab for more details"
+ type: string
+ required: false
+ group: "Advanced Agent Configuration"
+ - variable: leaderElector.image.name
+ label: leaderElector.image.name
+ description: "The name of the leader elector container image"
+ type: string
+ required: true
+ default: "instana/leader-elector"
+ group: "Advanced Agent Configuration"
+ - variable: leaderElector.image.tag
+ label: leaderElector.image.tag
+ description: "The tag name of the leader elector container image"
+ type: string
+ required: true
+ default: "0.5.4"
+ group: "Advanced Agent Configuration"
+ - variable: leaderElector.port
+ label: leaderElector.port
+ description: "The port on which the leader elector sidecar is exposed"
+ type: int
+ required: true
+ default: 42655
+ group: "Advanced Agent Configuration"
+- variable: podSecurityPolicy.enable
+ label: podSecurityPolicy.enable (Optional)
+ description: "Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods. Requires `rbac.create` to also be `true`"
+ type: boolean
+ show_if: "rbac.create=true"
+ required: false
+ default: false
+ group: "Pod Security Policy Configuration"
+- variable: podSecurityPolicy.name
+ label: podSecurityPolicy.name (Optional)
+ description: "The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods. If not set and `podSecurityPolicy.enable` is `true`, a PodSecurityPolicy will be created with a name generated using the fullname template"
+ type: string
+ show_if: "rbac.create=true&&podSecurityPolicy.enable=true"
+ required: false
+ group: "Pod Security Policy Configuration"
+- variable: rbac.create
+ label: rbac.create
+ description: "Specifies whether RBAC resources should be created"
+ type: boolean
+ required: true
+ default: true
+ group: "RBAC Configuration"
+- variable: serviceAccount.create
+ label: serviceAccount.create
+ description: "Specifies whether a ServiceAccount should be created"
+ type: boolean
+ required: true
+ default: true
+ show_subquestion_if: true
+ group: "RBAC Configuration"
+ subquestions:
+ - variable: serviceAccount.name
+ label: Name of the ServiceAccount (Optional)
+ description: "The name of the ServiceAccount to use. If not set and `serviceAccount.create` is true, a name is generated using the fullname template."
+ type: string
+ required: false
+ group: "RBAC Configuration"
diff --git a/charts/instana/instana-agent/1.2.74/templates/NOTES.txt b/charts/instana/instana-agent/1.2.74/templates/NOTES.txt
new file mode 100644
index 000000000..7c6530246
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/NOTES.txt
@@ -0,0 +1,71 @@
+{{- if (and (not (or .Values.agent.key .Values.agent.keysSecret )) (and (not .Values.zone.name) (not .Values.cluster.name))) }}
+##############################################################################
+#### ERROR: You did not specify your secret agent key. ####
+#### ERROR: You also did not specify a zone or name for this cluster. ####
+##############################################################################
+
+This agent deployment will be incomplete until you set your agent key and zone or name for this cluster:
+
+ helm upgrade {{ .Release.Name }} --reuse-values \
+ --repo https://agents.instana.io/helm \
+ --set agent.key=$(YOUR_SECRET_AGENT_KEY) \
+ --set zone.name=$(YOUR_ZONE_NAME) instana-agent
+
+Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
+
+ helm upgrade {{ .Release.Name }} --reuse-values \
+ --repo https://agents.instana.io/helm \
+ --set agent.key=$(YOUR_SECRET_AGENT_KEY) \
+ --set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
+
+- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
+- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
+- YOUR_CLUSTER_NAME should be the custom name of your cluster.
+
+At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
+
+{{- else if (and (not .Values.zone.name) (not .Values.cluster.name)) }}
+##############################################################################
+#### ERROR: You did not specify a zone or name for this cluster. ####
+##############################################################################
+
+This agent deployment will be incomplete until you set a zone for this cluster:
+
+ helm upgrade {{ .Release.Name }} --reuse-values \
+ --repo https://agents.instana.io/helm \
+ --set zone.name=$(YOUR_ZONE_NAME) instana-agent
+
+Alternatively, you may specify a cluster name and the zone will be detected from availability zone information on the host:
+
+ helm upgrade {{ .Release.Name }} --reuse-values \
+ --repo https://agents.instana.io/helm \
+ --set cluster.name=$(YOUR_CLUSTER_NAME) instana-agent
+
+- YOUR_ZONE_NAME should be the zone that detected technologies will be assigned to.
+- YOUR_CLUSTER_NAME should be the custom name of your cluster.
+
+At least one of zone.name or cluster.name is required. This cluster will be reported with the name of the zone unless you specify a cluster name.
+
+{{- else if not (or .Values.agent.key .Values.agent.keysSecret )}}
+##############################################################################
+#### ERROR: You did not specify your secret agent key. ####
+##############################################################################
+
+This agent deployment will be incomplete until you set your agent key:
+
+ helm upgrade {{ .Release.Name }} --reuse-values \
+ --repo https://agents.instana.io/helm \
+ --set agent.key=$(YOUR_SECRET_AGENT_KEY) instana-agent
+
+- YOUR_SECRET_AGENT_KEY can be obtained from the Management Portal section of your Instana installation.
+
+{{- else -}}
+It may take a few moments for the agents to fully deploy. You can see what agents are running by listing resources in the {{ .Release.Namespace }} namespace:
+
+ kubectl get all -n {{ .Release.Namespace }}
+
+You can get the logs for all of the agents with `kubectl logs`:
+
+ kubectl logs -l app.kubernetes.io/name={{ .Release.Name }} -n {{ .Release.Namespace }} -c instana-agent
+
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/_helpers.tpl b/charts/instana/instana-agent/1.2.74/templates/_helpers.tpl
new file mode 100644
index 000000000..4d4e0b8e9
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/_helpers.tpl
@@ -0,0 +1,385 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "instana-agent.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "instana-agent.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "instana-agent.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+The name of the ServiceAccount used.
+*/}}
+{{- define "instana-agent.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+ {{ default (include "instana-agent.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+The name of the PodSecurityPolicy used.
+*/}}
+{{- define "instana-agent.podSecurityPolicyName" -}}
+{{- if .Values.podSecurityPolicy.enable -}}
+{{ default (include "instana-agent.fullname" .) .Values.podSecurityPolicy.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Prints out the name of the secret to use to retrieve the agent key
+*/}}
+{{- define "instana-agent.keysSecretName" -}}
+{{- if .Values.agent.keysSecret -}}
+{{ .Values.agent.keysSecret }}
+{{- else -}}
+{{ template "instana-agent.fullname" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Add Helm metadata to resource labels.
+*/}}
+{{- define "instana-agent.commonLabels" -}}
+app.kubernetes.io/name: {{ include "instana-agent.name" . }}
+app.kubernetes.io/version: {{ .Chart.Version }}
+{{- if not .Values.templating }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "instana-agent.chart" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Add Helm metadata to resource labels.
+*/}}
+{{- define "k8s-sensor.commonLabels" -}}
+{{/* Following label is used to determine whether to disable the Kubernetes host sensor */}}
+app: k8sensor
+app.kubernetes.io/name: {{ include "instana-agent.name" . }}-k8s-sensor
+app.kubernetes.io/version: {{ .Chart.Version }}
+{{- if not .Values.templating }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+helm.sh/chart: {{ include "instana-agent.chart" . }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Add Helm metadata to selector labels specifically for deployments/daemonsets/statefulsets.
+*/}}
+{{- define "instana-agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "instana-agent.name" . }}
+{{- if not .Values.templating }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Add Helm metadata to selector labels specifically for deployments/daemonsets/statefulsets.
+*/}}
+{{- define "k8s-sensor.selectorLabels" -}}
+app: k8sensor
+app.kubernetes.io/name: {{ include "instana-agent.name" . }}-k8s-sensor
+{{- if not .Values.templating }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Generates the dockerconfig for the credentials to pull from containers.instana.io
+*/}}
+{{- define "imagePullSecretContainersInstanaIo" }}
+{{- $registry := "containers.instana.io" }}
+{{- $username := "_" }}
+{{- $password := default .Values.agent.key .Values.agent.downloadKey }}
+{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" $registry (printf "%s:%s" $username $password | b64enc) | b64enc }}
+{{- end }}
+
+{{/*
+Output limits or defaults
+*/}}
+{{- define "instana-agent.resources" -}}
+{{- $memory := default "768Mi" .memory -}}
+{{- $cpu := default 0.5 .cpu -}}
+memory: "{{ dict "memory" $memory | include "ensureMemoryMeasurement" }}"
+cpu: {{ $cpu }}
+{{- end -}}
+
+{{/*
+Ensure a unit of memory measurement is added to the value
+*/}}
+{{- define "ensureMemoryMeasurement" }}
+{{- $value := .memory }}
+{{- if kindIs "string" $value }}
+{{- print $value }}
+{{- else }}
+{{- print ($value | toString) "Mi" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Composes a container image from a dict containing a "name" field (required), "tag" and "digest" (both optional, if both provided, "digest" has priority)
+*/}}
+{{- define "image" }}
+{{- $name := .name }}
+{{- $tag := .tag }}
+{{- $digest := .digest }}
+{{- if $digest }}
+{{- printf "%s@sha256:%s" $name $digest }}
+{{- else if $tag }}
+{{- printf "%s:%s" $name $tag }}
+{{- else }}
+{{- print $name }}
+{{- end }}
+{{- end }}
+
+{{- define "volumeMountsForConfigFileInConfigMap" }}
+{{- $configMapName := (include "instana-agent.fullname" .) }}
+{{- $configMapNameSpace := .Release.Namespace }}
+{{- $configMap := tpl ( ( "{{ lookup \"v1\" \"ConfigMap\" \"map-namespace\" \"map-name\" | toYaml }}" | replace "map-namespace" $configMapNameSpace ) | replace "map-name" $configMapName ) . }}
+{{- if $configMap }}
+{{- $configMapObject := $configMap | fromYaml }}
+{{- range $key, $val := $configMapObject.data }}
+{{- if regexMatch "configuration-disable-kubernetes-sensor\\.yaml" $key }}
+{{/* Nothing to do here, this is a special case we want to ignore */}}
+{{- else if regexMatch "configuration-opentelemetry\\.yaml" $key }}
+{{/* Nothing to do here, this is a special case we want to ignore */}}
+{{- else if regexMatch "configuration-prometheus-remote-write\\.yaml" $key }}
+{{/* Nothing to do here, this is a special case we want to ignore */}}
+{{- else if regexMatch "configuration-.*\\.yaml" $key }}
+- name: configuration
+ subPath: {{ $key }}
+ mountPath: /opt/instana/agent/etc/instana/{{ $key }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{- define "instana-agent.commonEnv" -}}
+- name: INSTANA_AGENT_LEADER_ELECTOR_PORT
+ value: {{ .Values.leaderElector.port | quote }}
+{{- if .Values.zone.name }}
+- name: INSTANA_ZONE
+ value: {{ .Values.zone.name | quote }}
+{{- end }}
+{{- if .Values.cluster.name }}
+- name: INSTANA_KUBERNETES_CLUSTER_NAME
+ valueFrom:
+ configMapKeyRef:
+ name: {{ template "instana-agent.fullname" . }}
+ key: cluster_name
+{{- end }}
+- name: INSTANA_AGENT_ENDPOINT
+ value: {{ .Values.agent.endpointHost | quote }}
+- name: INSTANA_AGENT_ENDPOINT_PORT
+ value: {{ .Values.agent.endpointPort | quote }}
+- name: INSTANA_AGENT_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "instana-agent.keysSecretName" . }}
+ key: key
+- name: INSTANA_DOWNLOAD_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "instana-agent.keysSecretName" . }}
+ key: downloadKey
+ optional: true
+{{- if .Values.agent.instanaMvnRepoUrl }}
+- name: INSTANA_MVN_REPOSITORY_URL
+ value: {{ .Values.agent.instanaMvnRepoUrl | quote }}
+{{- end }}
+{{- if .Values.agent.instanaMvnRepoFeaturesPath }}
+- name: INSTANA_MVN_REPOSITORY_FEATURES_PATH
+ value: {{ .Values.agent.instanaMvnRepoFeaturesPath | quote }}
+{{- end }}
+{{- if .Values.agent.instanaMvnRepoSharedPath }}
+- name: INSTANA_MVN_REPOSITORY_SHARED_PATH
+ value: {{ .Values.agent.instanaMvnRepoSharedPath | quote }}
+{{- end }}
+{{- if .Values.agent.proxyHost }}
+- name: INSTANA_AGENT_PROXY_HOST
+ value: {{ .Values.agent.proxyHost | quote }}
+{{- end }}
+{{- if .Values.agent.proxyPort }}
+- name: INSTANA_AGENT_PROXY_PORT
+ value: {{ .Values.agent.proxyPort | quote }}
+{{- end }}
+{{- if .Values.agent.proxyProtocol }}
+- name: INSTANA_AGENT_PROXY_PROTOCOL
+ value: {{ .Values.agent.proxyProtocol | quote }}
+{{- end }}
+{{- if .Values.agent.proxyUser }}
+- name: INSTANA_AGENT_PROXY_USER
+ value: {{ .Values.agent.proxyUser | quote }}
+{{- end }}
+{{- if .Values.agent.proxyPassword }}
+- name: INSTANA_AGENT_PROXY_PASSWORD
+ value: {{ .Values.agent.proxyPassword | quote }}
+{{- end }}
+{{- if .Values.agent.proxyUseDNS }}
+- name: INSTANA_AGENT_PROXY_USE_DNS
+ value: {{ .Values.agent.proxyUseDNS | quote }}
+{{- end }}
+{{- if .Values.agent.listenAddress }}
+- name: INSTANA_AGENT_HTTP_LISTEN
+ value: {{ .Values.agent.listenAddress | quote }}
+{{- end }}
+{{- if .Values.agent.serviceMesh.enabled }}
+- name: ENABLE_AGENT_SOCKET
+ value: {{ .Values.agent.serviceMesh.enabled | quote }}
+{{- end }}
+{{- if .Values.agent.redactKubernetesSecrets }}
+- name: INSTANA_KUBERNETES_REDACT_SECRETS
+ value: {{ .Values.agent.redactKubernetesSecrets | quote }}
+{{- end }}
+- name: INSTANA_AGENT_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+- name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+{{- range $key, $value := .Values.agent.env }}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{- end }}
+{{- end -}}
+
+{{- define "instana-agent.commonVolumeMounts" -}}
+{{- if .Values.agent.host.repository }}
+- name: repo
+ mountPath: /opt/instana/agent/data/repo
+{{- end }}
+{{- if .Values.agent.additionalBackends -}}
+{{- range $index,$backend := .Values.agent.additionalBackends }}
+{{- $backendIndex :=add $index 2 }}
+- name: additional-backend-{{$backendIndex}}
+ subPath: additional-backend-{{$backendIndex}}
+ mountPath: /opt/instana/agent/etc/instana/com.instana.agent.main.sender.Backend-{{$backendIndex}}.cfg
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "instana-agent.commonVolumes" -}}
+- name: configuration
+ configMap:
+ name: {{ include "instana-agent.fullname" . }}
+{{- if .Values.agent.host.repository }}
+- name: repo
+ hostPath:
+ path: {{ .Values.agent.host.repository }}
+{{- end }}
+{{- if .Values.agent.additionalBackends }}
+{{- range $index,$backend := .Values.agent.additionalBackends }}
+{{ $backendIndex :=add $index 2 -}}
+- name: additional-backend-{{$backendIndex}}
+ configMap:
+ name: {{ include "instana-agent.fullname" $ }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "instana-agent.livenessProbe" -}}
+httpGet:
+ host: 127.0.0.1 # localhost because Pod has hostNetwork=true
+ path: /status
+ port: 42699
+initialDelaySeconds: 600 # startupProbe isnt available before K8s 1.16
+timeoutSeconds: 5
+periodSeconds: 10
+failureThreshold: 3
+{{- end -}}
+
+{{- define "leader-elector.container" -}}
+- name: leader-elector
+ image: {{ include "image" .Values.leaderElector.image | quote }}
+ env:
+ - name: INSTANA_AGENT_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - "/busybox/sh"
+ - "-c"
+ - "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)"
+ resources:
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ livenessProbe:
+ httpGet: # Leader elector /health endpoint expects version 0.5.8 minimum, otherwise always returns 200 OK
+ host: 127.0.0.1 # localhost because Pod has hostNetwork=true
+ path: /health
+ port: {{ .Values.leaderElector.port }}
+ initialDelaySeconds: 30
+ timeoutSeconds: 3
+ periodSeconds: 3
+ failureThreshold: 3
+ ports:
+ - containerPort: {{ .Values.leaderElector.port }}
+{{- end -}}
+
+{{- define "instana-agent.tls-volume" -}}
+- name: {{ include "instana-agent.fullname" . }}-tls
+ secret:
+ secretName: {{ .Values.agent.tls.secretName | default (printf "%s-tls" (include "instana-agent.fullname" .)) }}
+ defaultMode: 0440
+{{- end -}}
+
+{{- define "instana-agent.tls-volumeMounts" -}}
+- name: {{ include "instana-agent.fullname" . }}-tls
+ mountPath: /opt/instana/agent/etc/certs
+ readOnly: true
+{{- end -}}
+
+
+{{- define "k8sensor.commonEnv" -}}
+{{- range $key, $value := .Values.agent.env }}
+- name: {{ $key }}
+ value: {{ $value | quote }}
+{{- end }}
+{{- end -}}
+
+{{/*NOTE: These are nested templates not functions, if I format this to make it readable then it won't work the way */}}
+{{/*we need it to since all of the newlines and spaces will be included into the output. Helm is */}}
+{{/*not fundamentally designed to do what we are doing here.*/}}
+
+{{- define "instana-agent.opentelemetry.grpc.isEnabled" -}}{{ if hasKey .Values "opentelemetry" }}{{ if hasKey .Values.opentelemetry "grpc" }}{{ if hasKey .Values.opentelemetry.grpc "enabled" }}{{ .Values.opentelemetry.grpc.enabled }}{{ else }}{{ true }}{{ end }}{{ else }}{{ if hasKey .Values.opentelemetry "enabled" }}{{ .Values.opentelemetry.enabled }}{{ else }}{{ false }}{{ end }}{{ end }}{{ else }}{{ false }}{{ end }}{{- end -}}
+
+{{- define "instana-agent.opentelemetry.http.isEnabled" -}}{{ if hasKey .Values "opentelemetry" }}{{ if hasKey .Values.opentelemetry "http" }}{{ if hasKey .Values.opentelemetry.http "enabled" }}{{ .Values.opentelemetry.http.enabled }}{{ else }}{{ true }}{{ end }}{{ else }}{{ false }}{{ end }}{{ else }}{{ false }}{{ end }}{{- end -}}
+
+{{- define "kubeVersion" -}}
+{{- if (regexMatch "\\d+\\.\\d+\\.\\d+-(?:eks|gke).+" .Capabilities.KubeVersion.Version) -}}
+ {{- regexFind "\\d+\\.\\d+\\.\\d+" .Capabilities.KubeVersion.Version -}}
+{{- else -}}
+ {{- printf .Capabilities.KubeVersion.Version }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/agent-configmap.yaml b/charts/instana/instana-agent/1.2.74/templates/agent-configmap.yaml
new file mode 100644
index 000000000..e6b396855
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/agent-configmap.yaml
@@ -0,0 +1,63 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "instana-agent.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+data:
+ {{- if .Values.cluster.name }}
+ cluster_name: {{ .Values.cluster.name | quote }}
+ {{- end }}
+ configuration.yaml: |
+
+ {{- if .Values.agent.configuration_yaml }}
+ {{ .Values.agent.configuration_yaml | nindent 4 }}
+ {{- end }}
+
+ {{ if or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) }}
+ configuration-opentelemetry.yaml: |
+ com.instana.plugin.opentelemetry: {{ toYaml .Values.opentelemetry | nindent 6 }}
+ {{ end }}
+
+ {{- if .Values.prometheus.remoteWrite.enabled }}
+ configuration-prometheus-remote-write.yaml: |
+ com.instana.plugin.prometheus:
+ remote_write:
+ enabled: true
+ {{- end }}
+
+ {{- if or .Values.kubernetes.deployment.enabled .Values.k8s_sensor.deployment.enabled }}
+ configuration-disable-kubernetes-sensor.yaml: |
+ com.instana.plugin.kubernetes:
+ enabled: false
+ {{- end }}
+
+ {{- if .Values.agent.additionalBackends }}
+ {{- $proxyHost := .Values.agent.proxyHost }}
+ {{- $proxyPort := .Values.agent.proxyPort }}
+ {{- $proxyUser := .Values.agent.proxyUser }}
+ {{- $proxyPassword := .Values.agent.proxyPassword }}
+ {{- $proxyUseDNS := .Values.agent.proxyUseDNS }}
+ {{- range $index,$backend := .Values.agent.additionalBackends }}
+ {{ $backendIndex :=add $index 2 -}}
+ additional-backend-{{$backendIndex}}: |
+ host={{ .endpointHost }}
+ port={{ default 443 .endpointPort }}
+ key={{ .key }}
+ protocol=HTTP/2
+ {{- if $proxyHost }}
+ proxy.type=HTTP
+ proxy.host={{ $proxyHost }}
+ proxy.port={{ $proxyPort }}
+ {{- if $proxyUser }}
+ proxy.user={{ $proxyUser }}
+ proxy.password={{ $proxyPassword }}
+ {{- end }}
+ {{- if $proxyUseDNS }}
+ proxyUseDNS=true
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/agent-daemonset-with-zones.yaml b/charts/instana/instana-agent/1.2.74/templates/agent-daemonset-with-zones.yaml
new file mode 100644
index 000000000..6e1fe2474
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/agent-daemonset-with-zones.yaml
@@ -0,0 +1,218 @@
+{{- if or .Values.agent.key .Values.agent.keysSecret }}
+{{- if and .Values.cluster.name .Values.zones }}
+{{ $opentelemetryIsEnabled := (or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) )}}
+{{- range $.Values.zones }}
+{{- $fullname := printf "%s-%s" (include "instana-agent.fullname" $) .name -}}
+{{- $tolerations := .tolerations -}}
+{{- $affinity := .affinity -}}
+{{- $mode := .mode -}}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ $fullname }}
+ namespace: {{ $.Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" $ | nindent 4 }}
+ io.instana/zone: {{.name}}
+spec:
+ selector:
+ matchLabels:
+ {{- include "instana-agent.selectorLabels" $ | nindent 6 }}
+ io.instana/zone: {{.name}}
+ updateStrategy:
+ type: {{ $.Values.agent.updateStrategy.type }}
+ {{- if eq $.Values.agent.updateStrategy.type "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ $.Values.agent.updateStrategy.rollingUpdate.maxUnavailable }}
+ {{- end }}
+ minReadySeconds: {{ $.Values.agent.minReadySeconds }}
+ template:
+ metadata:
+ labels:
+ io.instana/zone: {{.name}}
+ {{- if $.Values.agent.pod.labels }}
+ {{- toYaml $.Values.agent.pod.labels | nindent 8 }}
+ {{- end }}
+ {{- include "instana-agent.commonLabels" $ | nindent 8 }}
+ instana/agent-mode: {{ $mode | default "APM" | quote }}
+ annotations:
+ {{- if $.Values.agent.pod.annotations }}
+ {{- toYaml $.Values.agent.pod.annotations | nindent 8 }}
+ {{- end }}
+ # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
+ # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
+ instana-configuration-hash: {{ $.Values.agent.configuration_yaml | cat ";" | cat ( join "," $.Values.agent.additionalBackends ) | sha1sum }}
+ spec:
+ serviceAccountName: {{ template "instana-agent.serviceAccountName" $ }}
+ {{- if $.Values.agent.pod.nodeSelector }}
+ nodeSelector:
+ {{- range $key, $value := $.Values.agent.pod.nodeSelector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ hostNetwork: true
+ hostPID: true
+ {{- if $.Values.agent.pod.priorityClassName }}
+ priorityClassName: {{ $.Values.agent.pod.priorityClassName | quote }}
+ {{- end }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- if typeIs "[]interface {}" $.Values.agent.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml $.Values.agent.image.pullSecrets | nindent 8 }}
+ {{- else if $.Values.agent.image.name | hasPrefix "containers.instana.io" }}
+ imagePullSecrets:
+ - name: containers-instana-io
+ {{- end }}
+ containers:
+ - name: instana-agent
+ image: {{ include "image" $.Values.agent.image | quote}}
+ imagePullPolicy: {{ $.Values.agent.image.pullPolicy }}
+ env:
+ - name: INSTANA_ZONE
+ value: {{ .name | quote }}
+ {{- if $mode }}
+ - name: INSTANA_AGENT_MODE
+ value: {{ $mode | quote }}
+ {{- end }}
+ {{- include "instana-agent.commonEnv" $ | nindent 12 }}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: dev
+ mountPath: /dev
+ mountPropagation: HostToContainer
+ - name: run
+ mountPath: /run
+ mountPropagation: HostToContainer
+ - name: var-run
+ mountPath: /var/run
+ mountPropagation: HostToContainer
+ {{- if not (or $.Values.openshift ($.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+ - name: var-run-kubo
+ mountPath: /var/vcap/sys/run/docker
+ mountPropagation: HostToContainer
+ - name: var-run-containerd
+ mountPath: /var/vcap/sys/run/containerd
+ mountPropagation: HostToContainer
+ - name: var-containerd-config
+ mountPath: /var/vcap/jobs/containerd/config
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: sys
+ mountPath: /sys
+ mountPropagation: HostToContainer
+ - name: var-log
+ mountPath: /var/log
+ mountPropagation: HostToContainer
+ - name: var-lib
+ mountPath: /var/lib
+ mountPropagation: HostToContainer
+ - name: var-data
+ mountPath: /var/data
+ mountPropagation: HostToContainer
+ - name: machine-id
+ mountPath: /etc/machine-id
+ - name: configuration
+ {{- if $.Values.agent.configuration.hotreloadEnabled }}
+ mountPath: /root/
+ {{- else }}
+ subPath: configuration.yaml
+ mountPath: /root/configuration.yaml
+ {{- end }}
+ {{- if $.Values.agent.tls }}
+ {{- if or $.Values.agent.tls.secretName (and $.Values.agent.tls.certificate $.Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volumeMounts" $ | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- include "instana-agent.commonVolumeMounts" $ | nindent 12 }}
+ {{- if $.Values.agent.configuration.autoMountConfigEntries }}
+ {{- include "volumeMountsForConfigFileInConfigMap" $ | nindent 12 }}
+ {{- end }}
+ {{- if or $.Values.kubernetes.deployment.enabled $.Values.k8s_sensor.deployment.enabled }}
+ - name: configuration
+ subPath: configuration-disable-kubernetes-sensor.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-disable-kubernetes-sensor.yaml
+ {{- end }}
+ {{- if $opentelemetryIsEnabled }}
+ - name: configuration
+ subPath: configuration-opentelemetry.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-opentelemetry.yaml
+ {{- end }}
+ {{- if $.Values.prometheus.remoteWrite.enabled }}
+ - name: configuration
+ subPath: configuration-prometheus-remote-write.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-prometheus-remote-write.yaml
+ {{- end }}
+ livenessProbe:
+ {{- include "instana-agent.livenessProbe" $ | nindent 12 }}
+ resources:
+ requests:
+ {{- include "instana-agent.resources" $.Values.agent.pod.requests | nindent 14 }}
+ limits:
+ {{- include "instana-agent.resources" $.Values.agent.pod.limits | nindent 14 }}
+ ports:
+ - containerPort: 42699
+ {{- if and (not $.Values.kubernetes.deployment.enabled) (not $.Values.k8s_sensor.deployment.enabled) }}
+ {{- include "leader-elector.container" $ | nindent 8 }}
+ {{- end }}
+
+ {{ if $tolerations -}}
+ tolerations:
+ {{- toYaml $tolerations | nindent 8 }}
+ {{- end }}
+
+ {{ if $affinity -}}
+ affinity:
+ {{- toYaml $affinity | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: run
+ hostPath:
+ path: /run
+ - name: var-run
+ hostPath:
+ path: /var/run
+ {{- if not (or $.Values.openshift ($.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+ # Systems based on the kubo BOSH release (that is, VMware TKGI and older PKS) do not keep the Docker
+ # socket in /var/run/docker.sock , but rather in /var/vcap/sys/run/docker/docker.sock .
+ # The Agent images will check if there is a Docker socket here and, if so, adjust the symlinking before
+ # starting the Agent. See https://github.com/cloudfoundry-incubator/kubo-release/issues/329
+ - name: var-run-kubo
+ hostPath:
+ path: /var/vcap/sys/run/docker
+ - name: var-run-containerd
+ hostPath:
+ path: /var/vcap/sys/run/containerd
+ - name: var-containerd-config
+ hostPath:
+ path: /var/vcap/jobs/containerd/config
+ {{- end }}
+ - name: sys
+ hostPath:
+ path: /sys
+ - name: var-log
+ hostPath:
+ path: /var/log
+ - name: var-lib
+ hostPath:
+ path: /var/lib
+ - name: var-data
+ hostPath:
+ path: /var/data
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ {{- if $.Values.agent.tls }}
+ {{- if or $.Values.agent.tls.secretName (and $.Values.agent.tls.certificate $.Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volume" . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- include "instana-agent.commonVolumes" $ | nindent 8 }}
+{{ printf "\n" }}
+{{ end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/agent-daemonset.yaml b/charts/instana/instana-agent/1.2.74/templates/agent-daemonset.yaml
new file mode 100644
index 000000000..bbc3c7a0e
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/agent-daemonset.yaml
@@ -0,0 +1,209 @@
+# TODO: Combine into single template with agent-daemonset-with-zones.yaml
+{{- if or .Values.agent.key .Values.agent.keysSecret }}
+{{- if and (or .Values.zone.name .Values.cluster.name) (not .Values.zones) }}
+{{- $fullname := include "instana-agent.fullname" . -}}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ $fullname }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "instana-agent.selectorLabels" . | nindent 6 }}
+ updateStrategy:
+ type: {{ .Values.agent.updateStrategy.type }}
+ {{- if eq .Values.agent.updateStrategy.type "RollingUpdate" }}
+ rollingUpdate:
+ maxUnavailable: {{ .Values.agent.updateStrategy.rollingUpdate.maxUnavailable }}
+ {{- end }}
+ minReadySeconds: {{ $.Values.agent.minReadySeconds }}
+ template:
+ metadata:
+ labels:
+ {{- if .Values.agent.pod.labels }}
+ {{- toYaml .Values.agent.pod.labels | nindent 8 }}
+ {{- end }}
+ {{- include "instana-agent.commonLabels" . | nindent 8 }}
+ instana/agent-mode: {{ .Values.agent.mode | default "APM" | quote }}
+ annotations:
+ {{- if .Values.agent.pod.annotations }}
+ {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
+ {{- end }}
+ # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
+ # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
+ instana-configuration-hash: {{ .Values.agent.configuration_yaml | cat ";" | cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
+ spec:
+ serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
+ {{- if .Values.agent.pod.nodeSelector }}
+ nodeSelector:
+ {{- range $key, $value := .Values.agent.pod.nodeSelector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ hostNetwork: true
+ hostPID: true
+ {{- if .Values.agent.pod.priorityClassName }}
+ priorityClassName: {{ .Values.agent.pod.priorityClassName | quote }}
+ {{- end }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
+ {{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
+ imagePullSecrets:
+ - name: containers-instana-io
+ {{- end }}
+ containers:
+ - name: instana-agent
+ image: {{ include "image" .Values.agent.image | quote}}
+ imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
+ env:
+ {{- if .Values.agent.mode }}
+ - name: INSTANA_AGENT_MODE
+ value: {{ .Values.agent.mode | quote }}
+ {{- end }}
+ {{- include "instana-agent.commonEnv" . | nindent 12 }}
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - name: dev
+ mountPath: /dev
+ mountPropagation: HostToContainer
+ - name: run
+ mountPath: /run
+ mountPropagation: HostToContainer
+ - name: var-run
+ mountPath: /var/run
+ mountPropagation: HostToContainer
+ {{- if not (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+ - name: var-run-kubo
+ mountPath: /var/vcap/sys/run/docker
+ mountPropagation: HostToContainer
+ - name: var-run-containerd
+ mountPath: /var/vcap/sys/run/containerd
+ mountPropagation: HostToContainer
+ - name: var-containerd-config
+ mountPath: /var/vcap/jobs/containerd/config
+ mountPropagation: HostToContainer
+ {{- end }}
+ - name: sys
+ mountPath: /sys
+ mountPropagation: HostToContainer
+ - name: var-log
+ mountPath: /var/log
+ mountPropagation: HostToContainer
+ - name: var-lib
+ mountPath: /var/lib
+ mountPropagation: HostToContainer
+ - name: var-data
+ mountPath: /var/data
+ mountPropagation: HostToContainer
+ - name: machine-id
+ mountPath: /etc/machine-id
+ - name: configuration
+ {{- if $.Values.agent.configuration.hotreloadEnabled }}
+ mountPath: /root/
+ {{- else }}
+ subPath: configuration.yaml
+ mountPath: /root/configuration.yaml
+ {{- end }}
+ {{- if .Values.agent.tls }}
+ {{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volumeMounts" . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- include "instana-agent.commonVolumeMounts" . | nindent 12 }}
+ {{- if .Values.agent.configuration.autoMountConfigEntries }}
+ {{- include "volumeMountsForConfigFileInConfigMap" . | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.kubernetes.deployment.enabled .Values.k8s_sensor.deployment.enabled }}
+ - name: configuration # TODO: These shouldn't have the same name
+ subPath: configuration-disable-kubernetes-sensor.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-disable-kubernetes-sensor.yaml
+ {{- end }}
+ {{- if or (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) }}
+ - name: configuration
+ subPath: configuration-opentelemetry.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-opentelemetry.yaml
+ {{- end }}
+ {{- if .Values.prometheus.remoteWrite.enabled }}
+ - name: configuration
+ subPath: configuration-prometheus-remote-write.yaml
+ mountPath: /opt/instana/agent/etc/instana/configuration-prometheus-remote-write.yaml
+ {{- end }}
+ livenessProbe:
+ {{- include "instana-agent.livenessProbe" . | nindent 12 }}
+ resources:
+ requests:
+ {{- include "instana-agent.resources" .Values.agent.pod.requests | nindent 14 }}
+ limits:
+ {{- include "instana-agent.resources" .Values.agent.pod.limits | nindent 14 }}
+ ports:
+ - containerPort: 42699
+ {{- if and (not .Values.kubernetes.deployment.enabled) (not .Values.k8s_sensor.deployment.enabled) }}
+ {{- include "leader-elector.container" . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.agent.pod.tolerations }}
+ tolerations:
+ {{- toYaml .Values.agent.pod.tolerations | nindent 8 }}
+ {{- end }}
+ {{- if .Values.agent.pod.affinity }}
+ affinity:
+ {{- toYaml .Values.agent.pod.affinity | nindent 8 }}
+ {{- end }}
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ - name: run
+ hostPath:
+ path: /run
+ - name: var-run
+ hostPath:
+ path: /var/run
+ {{- if not (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+ # Systems based on the kubo BOSH release (that is, VMware TKGI and older PKS) do not keep the Docker
+ # socket in /var/run/docker.sock , but rather in /var/vcap/sys/run/docker/docker.sock .
+ # The Agent images will check if there is a Docker socket here and, if so, adjust the symlinking before
+ # starting the Agent. See https://github.com/cloudfoundry-incubator/kubo-release/issues/329
+ - name: var-run-kubo
+ hostPath:
+ path: /var/vcap/sys/run/docker
+ type: DirectoryOrCreate
+ - name: var-run-containerd
+ hostPath:
+ path: /var/vcap/sys/run/containerd
+ type: DirectoryOrCreate
+ - name: var-containerd-config
+ hostPath:
+ path: /var/vcap/jobs/containerd/config
+ type: DirectoryOrCreate
+ {{- end }}
+ - name: sys
+ hostPath:
+ path: /sys
+ - name: var-log
+ hostPath:
+ path: /var/log
+ - name: var-lib
+ hostPath:
+ path: /var/lib
+ - name: var-data
+ hostPath:
+ path: /var/data
+ type: DirectoryOrCreate
+ - name: machine-id
+ hostPath:
+ path: /etc/machine-id
+ {{- if .Values.agent.tls }}
+ {{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volume" . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+ {{- include "instana-agent.commonVolumes" . | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/clusterrole.yaml b/charts/instana/instana-agent/1.2.74/templates/clusterrole.yaml
new file mode 100644
index 000000000..11509928d
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/clusterrole.yaml
@@ -0,0 +1,88 @@
+{{- if or .Values.rbac.create (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "instana-agent.fullname" . }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+rules:
+- nonResourceURLs:
+ - "/version"
+ - "/healthz"
+ - "/metrics"
+ - "/stats/summary"
+ - "/metrics/cadvisor"
+ verbs: ["get"]
+{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
+ apiGroups: []
+ resources: []
+{{- end }}
+- apiGroups: [""]
+ resources:
+ - "nodes"
+ - "nodes/stats"
+ - "nodes/metrics"
+ - "pods"
+{{- if and $.Values.kubernetes.deployment.enabled (not $.Values.k8s_sensor.deployment.enabled) }}
+ - "namespaces"
+ - "events"
+ - "services"
+ - "endpoints"
+ - "replicationcontrollers"
+ - "componentstatuses"
+ - "resourcequotas"
+ - "persistentvolumes"
+ - "persistentvolumeclaims"
+{{- end }}
+ verbs: ["get", "list", "watch"]
+{{- if and $.Values.kubernetes.deployment.enabled (not $.Values.k8s_sensor.deployment.enabled) }}
+- apiGroups: ["batch"]
+ resources:
+ - "jobs"
+ - "cronjobs"
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources:
+ - "deployments"
+ - "replicasets"
+ - "ingresses"
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+ resources:
+ - "deployments"
+ - "replicasets"
+ - "daemonsets"
+ - "statefulsets"
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources:
+ - "endpoints"
+ verbs: ["create", "update", "patch"]
+- apiGroups: ["networking.k8s.io"]
+ resources:
+ - "ingresses"
+ verbs: ["get", "list", "watch"]
+{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
+- apiGroups: ["apps.openshift.io"]
+ resources:
+ - "deploymentconfigs"
+ verbs: ["get", "list", "watch"]
+{{- end -}}
+{{- end }}
+{{- if or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1") }}
+- apiGroups: ["security.openshift.io"]
+ resourceNames: ["privileged"]
+ resources: ["securitycontextconstraints"]
+ verbs: ["use"]
+{{- end }}
+{{- if .Values.podSecurityPolicy.enable}}
+{{- if semverCompare "< 1.25.x" (include "kubeVersion" .) }}
+- apiGroups: ["policy"]
+ resources: ["podsecuritypolicies"]
+ verbs: ["use"]
+ resourceNames:
+ - {{ template "instana-agent.podSecurityPolicyName" . }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/clusterrolebinding.yaml b/charts/instana/instana-agent/1.2.74/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..e7b6cdef7
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if or .Values.rbac.create (or .Values.openshift (.Capabilities.APIVersions.Has "apps.openshift.io/v1")) }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "instana-agent.fullname" . }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "instana-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ template "instana-agent.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/headless-service.yaml b/charts/instana/instana-agent/1.2.74/templates/headless-service.yaml
new file mode 100644
index 000000000..d5636f3bc
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/headless-service.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.service.create -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "instana-agent.fullname" . }}-headless
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ clusterIP: None
+ selector:
+{{- include "instana-agent.selectorLabels" . | nindent 4 }}
+ ports:
+ # Prometheus remote_write, Trace Web SDK and other APIs
+ - name: agent-apis
+ protocol: TCP
+ port: 42699
+ targetPort: 42699
+ {{ if eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .) }}
+ # OpenTelemetry original default port
+ - name: opentelemetry
+ protocol: TCP
+ port: 55680
+ targetPort: 55680
+ # OpenTelemetry as registered and reserved by IANA
+ - name: opentelemetry-iana
+ protocol: TCP
+ port: 4317
+ targetPort: 4317
+ {{- end -}}
+ {{ if eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .) }}
+ # OpenTelemetry HTTP port
+ - name: opentelemetry-http
+ protocol: TCP
+ port: 4318
+ targetPort: 4318
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-configmap.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-configmap.yaml
new file mode 100644
index 000000000..185a8dbcc
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-configmap.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.k8s_sensor.deployment.enabled -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: k8sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+data:
+ backend: {{ printf "%s:%v" .Values.agent.endpointHost .Values.agent.endpointPort }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-deployment.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-deployment.yaml
new file mode 100644
index 000000000..0bf308b24
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-deployment.yaml
@@ -0,0 +1,131 @@
+{{- if .Values.k8s_sensor.deployment.enabled -}}
+{{- if or .Values.agent.key .Values.agent.keysSecret -}}
+{{- if or .Values.zone.name .Values.cluster.name -}}
+
+{{- $user_name_password := "" -}}
+{{ if .Values.agent.proxyUser }}
+ {{- $user_name_password = print .Values.agent.proxyUser ":" .Values.agent.proxyPassword "@" -}}
+{{ end}}
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: k8sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: k8sensor
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ replicas: {{ default "1" .Values.k8s_sensor.deployment.replicas }}
+ selector:
+ matchLabels:
+ {{- include "k8s-sensor.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- if .Values.agent.pod.labels }}
+ {{- toYaml .Values.agent.pod.labels | nindent 8 }}
+ {{- end }}
+ {{- include "k8s-sensor.commonLabels" . | nindent 8 }}
+ instana/agent-mode: KUBERNETES
+ annotations:
+ {{- if .Values.agent.pod.annotations }}
+ {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
+ {{- end }}
+ # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
+ # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
+ instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
+ spec:
+ serviceAccountName: k8sensor
+ {{- if .Values.k8s_sensor.deployment.pod.nodeSelector }}
+ nodeSelector:
+ {{- range $key, $value := .Values.k8s_sensor.deployment.pod.nodeSelector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.k8s_sensor.deployment.pod.priorityClassName }}
+ priorityClassName: {{ .Values.k8s_sensor.deployment.pod.priorityClassName | quote }}
+ {{- end }}
+ {{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
+ {{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
+ imagePullSecrets:
+ - name: containers-instana-io
+ {{- end }}
+ containers:
+ - name: instana-agent
+ image: {{ include "image" .Values.k8s_sensor.image | quote }}
+ imagePullPolicy: {{ .Values.k8s_sensor.image.pullPolicy }}
+ env:
+ - name: AGENT_KEY
+ valueFrom:
+ secretKeyRef:
+ name: {{ template "instana-agent.keysSecretName" . }}
+ key: key
+ - name: BACKEND
+ valueFrom:
+ configMapKeyRef:
+ name: k8sensor
+ key: backend
+ - name: BACKEND_URL
+ value: "https://$(BACKEND)"
+ - name: AGENT_ZONE
+ value: {{ empty .Values.cluster.name | ternary .Values.zone.name .Values.cluster.name}}
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ {{- if not (empty .Values.agent.proxyHost) }}
+ - name: HTTPS_PROXY
+ value: "http://{{ $user_name_password }}{{ .Values.agent.proxyHost }}:{{ .Values.agent.proxyPort }}"
+ - name: NO_PROXY
+ value: "kubernetes.default.svc"
+ {{- end }}
+ {{- if .Values.agent.redactKubernetesSecrets }}
+ - name: INSTANA_KUBERNETES_REDACT_SECRETS
+ value: {{ .Values.agent.redactKubernetesSecrets | quote }}
+ {{- end }}
+ {{- if .Values.agent.configuration_yaml }}
+ - name: CONFIG_PATH
+ value: /root
+ {{- end }}
+ {{- include "k8sensor.commonEnv" . | nindent 12 }}
+
+ volumeMounts:
+ - name: configuration
+ subPath: configuration.yaml
+ mountPath: /root/configuration.yaml
+ resources:
+ requests:
+ {{- include "instana-agent.resources" .Values.k8s_sensor.deployment.pod.requests | nindent 14 }}
+ limits:
+ {{- include "instana-agent.resources" .Values.k8s_sensor.deployment.pod.limits | nindent 14 }}
+ ports:
+ - containerPort: 42699
+ volumes:
+ - name: configuration
+ configMap:
+ name: {{ include "instana-agent.fullname" . }}
+ {{- if .Values.k8s_sensor.deployment.pod.tolerations }}
+ tolerations:
+ {{- toYaml .Values.k8s_sensor.deployment.pod.tolerations | nindent 8 }}
+ {{- end }}
+ affinity:
+ {{- toYaml .Values.k8s_sensor.deployment.pod.affinity | nindent 8 }}
+ minReadySeconds: {{ $.Values.k8s_sensor.deployment.minReadySeconds }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-pod-disruption-budget.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-pod-disruption-budget.yaml
new file mode 100644
index 000000000..568a6f4d6
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-pod-disruption-budget.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.k8s_sensor.podDisruptionBudget.enabled -}}
+{{- if (gt (int .Values.k8s_sensor.deployment.replicas) 1) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: k8sensor
+spec:
+ selector:
+ matchLabels:
+ {{- include "k8s-sensor.selectorLabels" . | nindent 6 }}
+ minAvailable: {{ sub (int .Values.k8s_sensor.deployment.replicas) 1 }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-podsecuritypolicy.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-podsecuritypolicy.yaml
new file mode 100644
index 000000000..7eafa85b7
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-podsecuritypolicy.yaml
@@ -0,0 +1,27 @@
+{{- if and .Values.k8s_sensor.deployment.enabled .Values.podSecurityPolicy.enable -}}
+---
+kind: PodSecurityPolicy
+apiVersion: policy/v1beta1
+metadata:
+ name: k8sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - projected
+ - hostPath
+ runAsUser:
+ rule: "RunAsAny"
+ seLinux:
+ rule: "RunAsAny"
+ supplementalGroups:
+ rule: "RunAsAny"
+ fsGroup:
+ rule: "RunAsAny"
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-role.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-role.yaml
new file mode 100644
index 000000000..7e036482e
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-role.yaml
@@ -0,0 +1,124 @@
+{{- if .Values.k8s_sensor.deployment.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: k8sensor
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+rules:
+ -
+ nonResourceURLs:
+ - /version
+ - /healthz
+ verbs:
+ - get
+ -
+ apiGroups:
+ - extensions
+ resources:
+ - deployments
+ - replicasets
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - events
+ - services
+ - endpoints
+ - namespaces
+ - nodes
+ - pods
+ - replicationcontrollers
+ - resourcequotas
+ - persistentvolumes
+ - persistentvolumeclaims
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ - jobs
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - ""
+ resources:
+ - pods/log
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - apps.openshift.io
+ resources:
+ - deploymentconfigs
+ verbs:
+ - get
+ - list
+ - watch
+ -
+ apiGroups:
+ - security.openshift.io
+ resourceNames:
+ - privileged
+ resources:
+ - securitycontextconstraints
+ verbs:
+ - use
+ {{ if .Values.podSecurityPolicy.enable }}
+ -
+ apiGroups:
+ - policy
+ resourceNames:
+ - k8sensor
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ {{ end }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-rolebinding.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-rolebinding.yaml
new file mode 100644
index 000000000..669b30bc9
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.k8s_sensor.deployment.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: k8sensor
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+roleRef:
+ kind: ClusterRole
+ name: k8sensor
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: k8sensor
+ namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-serviceaccount.yaml b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-serviceaccount.yaml
new file mode 100644
index 000000000..118d09cfb
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/k8s-sensor-serviceaccount.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.k8s_sensor.deployment.enabled -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-configmap.yaml b/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-configmap.yaml
new file mode 100644
index 000000000..34d742718
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-configmap.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.kubernetes.deployment.enabled (not .Values.k8s_sensor.deployment.enabled) -}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kubernetes-sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+data:
+ # TODO We should get rid of this and imply the ring-fence iff the mode is "KUBERNETES"
+ configuration.yaml: |
+ com.instana.plugin.kubernetes:
+ enabled: true
+
+ com.instana.kubernetes:
+ leader:
+ isRingFenced: true
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-deployment.yaml b/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-deployment.yaml
new file mode 100644
index 000000000..bb2228b3a
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/kubernetes-sensor-deployment.yaml
@@ -0,0 +1,119 @@
+{{- if and .Values.kubernetes.deployment.enabled (not .Values.k8s_sensor.deployment.enabled) -}}
+{{- if or .Values.agent.key .Values.agent.keysSecret -}}
+{{- if or .Values.zone.name .Values.cluster.name -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kubernetes-sensor
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ replicas: {{ default "1" .Values.kubernetes.deployment.replicas }}
+ selector:
+ matchLabels:
+ {{- include "instana-agent.selectorLabels" . | nindent 6 }}
+ minReadySeconds: {{ $.Values.kubernetes.deployment.minReadySeconds }}
+ template:
+ metadata:
+ labels:
+ {{- if .Values.agent.pod.labels }}
+ {{- toYaml .Values.agent.pod.labels | nindent 8 }}
+ {{- end }}
+ {{- include "instana-agent.commonLabels" . | nindent 8 }}
+ instana/agent-mode: KUBERNETES
+ annotations:
+ {{- if .Values.agent.pod.annotations }}
+ {{- toYaml .Values.agent.pod.annotations | nindent 8 }}
+ {{- end }}
+ # To ensure that changes to agent.configuration_yaml or agent.additional_backends trigger a Pod recreation, we keep a SHA here
+ # Unfortunately, we cannot use the lookup function to check on the values in the configmap, otherwise we break Helm < 3.2
+ instana-configuration-hash: {{ cat ( join "," .Values.agent.additionalBackends ) | sha1sum }}
+ spec:
+ serviceAccountName: {{ template "instana-agent.serviceAccountName" . }}
+ {{- if .Values.kubernetes.deployment.pod.nodeSelector }}
+ nodeSelector:
+ {{- range $key, $value := .Values.kubernetes.deployment.pod.nodeSelector }}
+ {{ $key }}: {{ $value | quote }}
+ {{- end }}
+ {{- end }}
+ {{- if .Values.kubernetes.deployment.pod.priorityClassName }}
+ priorityClassName: {{ .Values.kubernetes.deployment.pod.priorityClassName | quote }}
+ {{- end }}
+ {{- if typeIs "[]interface {}" .Values.agent.image.pullSecrets }}
+ imagePullSecrets:
+ {{- toYaml .Values.agent.image.pullSecrets | nindent 8 }}
+ {{- else if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
+ imagePullSecrets:
+ - name: containers-instana-io
+ {{- end }}
+ containers:
+ - name: instana-agent
+ image: {{ include "image" .Values.agent.image | quote }}
+ imagePullPolicy: {{ .Values.agent.image.pullPolicy }}
+ securityContext:
+ privileged: true
+ env:
+ - name: INSTANA_AGENT_MODE
+ value: KUBERNETES
+ {{- include "instana-agent.commonEnv" . | nindent 12 }}
+ volumeMounts:
+ {{- include "instana-agent.commonVolumeMounts" . | nindent 12 }}
+ - name: kubernetes-sensor-configuration
+ subPath: configuration.yaml
+ mountPath: /root/configuration.yaml
+ {{- if .Values.agent.tls }}
+ {{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volumeMounts" . | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ resources:
+ requests:
+ {{- include "instana-agent.resources" .Values.kubernetes.deployment.pod.requests | nindent 14 }}
+ limits:
+ {{- include "instana-agent.resources" .Values.kubernetes.deployment.pod.limits | nindent 14 }}
+ ports:
+ - containerPort: 42699
+ - name: leader-elector
+ image: {{ include "image" .Values.leaderElector.image | quote }}
+ env:
+ - name: INSTANA_AGENT_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - "/busybox/sh"
+ - "-c"
+ - "sleep 12 && /app/server --election=instana --http=localhost:{{ .Values.leaderElector.port }} --id=$(INSTANA_AGENT_POD_NAME)"
+ resources:
+ requests:
+ cpu: 0.1
+ memory: "64Mi"
+ ports:
+ - containerPort: {{ .Values.leaderElector.port }}
+ {{- if .Values.kubernetes.deployment.pod.tolerations }}
+ tolerations:
+ {{- toYaml .Values.kubernetes.deployment.pod.tolerations | nindent 8 }}
+ {{- end }}
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchExpressions:
+ - key: instana/agent-mode
+ operator: In
+ values: [ KUBERNETES ]
+ volumes:
+ {{- include "instana-agent.commonVolumes" . | nindent 8 }}
+ - name: kubernetes-sensor-configuration
+ configMap:
+ name: kubernetes-sensor
+ {{- if .Values.agent.tls }}
+ {{- if or .Values.agent.tls.secretName (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+ {{- include "instana-agent.tls-volume" . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/instana/instana-agent/1.2.74/templates/namespace.yaml b/charts/instana/instana-agent/1.2.74/templates/namespace.yaml
new file mode 100644
index 000000000..f61ac28ef
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/namespace.yaml
@@ -0,0 +1,9 @@
+{{- if .Values.templating }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/templates/podsecuritypolicy.yaml b/charts/instana/instana-agent/1.2.74/templates/podsecuritypolicy.yaml
new file mode 100644
index 000000000..ca4e04964
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/podsecuritypolicy.yaml
@@ -0,0 +1,65 @@
+{{- if .Values.rbac.create }}
+{{- if (and .Values.podSecurityPolicy.enable (not .Values.podSecurityPolicy.name)) }}
+{{- if semverCompare "< 1.25.x" (include "kubeVersion" .) }}
+---
+kind: PodSecurityPolicy
+apiVersion: policy/v1beta1
+metadata:
+ name: {{ template "instana-agent.podSecurityPolicyName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ privileged: true
+ allowPrivilegeEscalation: true
+ volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - persistentVolumeClaim
+ - secret
+ - projected
+ - hostPath
+ allowedHostPaths:
+ - pathPrefix: "/dev"
+ readOnly: false
+ - pathPrefix: "/run"
+ readOnly: false
+ - pathPrefix: "/var/run"
+ readOnly: false
+ - pathPrefix: "/var/vcap/sys/run/docker"
+ readOnly: false
+ - pathPrefix: "/var/vcap/sys/run/containerd"
+ readOnly: false
+ - pathPrefix: "/var/vcap/jobs/containerd/config"
+ readOnly: false
+ - pathPrefix: "/sys"
+ readOnly: false
+ - pathPrefix: "/var/log"
+ readOnly: false
+ - pathPrefix: "/var/lib"
+ readOnly: false
+ - pathPrefix: "/var/data"
+ readOnly: false
+ - pathPrefix: "/etc/machine-id"
+ readOnly: false
+ {{- if .Values.agent.host.repository }}
+ - pathPrefix: {{ .Values.agent.host.repository }}
+ readOnly: false
+ {{- end }}
+ hostNetwork: true
+ hostPorts:
+ - min: 0
+ max: 65535
+ hostPID: true
+ runAsUser:
+ rule: "RunAsAny"
+ seLinux:
+ rule: "RunAsAny"
+ supplementalGroups:
+ rule: "RunAsAny"
+ fsGroup:
+ rule: "RunAsAny"
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/secrets.yaml b/charts/instana/instana-agent/1.2.74/templates/secrets.yaml
new file mode 100644
index 000000000..a94462351
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/secrets.yaml
@@ -0,0 +1,55 @@
+{{- if not (typeIs "[]interface {}" .Values.agent.image.pullSecrets) }}
+{{- if .Values.agent.image.name | hasPrefix "containers.instana.io" }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: containers-instana-io
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "imagePullSecretContainersInstanaIo" . }}
+{{- end -}}
+{{- end -}}
+{{- if not .Values.agent.keysSecret }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "instana-agent.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+type: Opaque
+data:
+{{- if .Values.templating }}
+ key: {{ .Values.agent.key }}
+ downloadKey: {{ default "''" .Values.agent.downloadKey }}
+{{- else }}
+{{- if .Values.agent.key }}
+ key: {{ .Values.agent.key | b64enc | quote }}
+{{- end }}
+{{- if .Values.agent.downloadKey }}
+ downloadKey: {{ .Values.agent.downloadKey | b64enc | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.agent.tls }}
+{{- if and (not .Values.agent.tls.secretName) (and .Values.agent.tls.certificate .Values.agent.tls.key) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "instana-agent.fullname" . }}-tls
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.agent.tls.certificate }}
+ tls.key: {{ .Values.agent.tls.key }}
+{{- end }}
+{{- end }}
diff --git a/charts/instana/instana-agent/1.2.74/templates/service.yaml b/charts/instana/instana-agent/1.2.74/templates/service.yaml
new file mode 100644
index 000000000..1a51a709e
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/service.yaml
@@ -0,0 +1,45 @@
+{{- if or .Values.service.create (eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .)) (eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .)) .Values.prometheus.remoteWrite.enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "instana-agent.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+{{- include "instana-agent.commonLabels" . | nindent 4 }}
+spec:
+ selector:
+{{- include "instana-agent.selectorLabels" . | nindent 4 }}
+ ports:
+ # Prometheus remote_write, Trace Web SDK and other APIs
+ - name: agent-apis
+ protocol: TCP
+ port: 42699
+ targetPort: 42699
+ {{ if eq "true" (include "instana-agent.opentelemetry.grpc.isEnabled" .) }}
+ # OpenTelemetry original default port
+ - name: opentelemetry
+ protocol: TCP
+ port: 55680
+ targetPort: 55680
+ # OpenTelemetry as registered and reserved by IANA
+ - name: opentelemetry-iana
+ protocol: TCP
+ port: 4317
+ targetPort: 4317
+ {{- end -}}
+ {{ if eq "true" (include "instana-agent.opentelemetry.http.isEnabled" .) }}
+ # OpenTelemetry HTTP port
+ - name: opentelemetry-http
+ protocol: TCP
+ port: 4318
+ targetPort: 4318
+ {{- end -}}
+ {{- if semverCompare "< 1.22.x" (include "kubeVersion" .) }}
+ # since we run agents as DaemonSets we assume every node has this Service available:
+ topologyKeys:
+ - "kubernetes.io/hostname"
+ {{- else }}
+ internalTrafficPolicy: Local
+ {{- end -}}
+{{- end -}}
diff --git a/charts/instana/instana-agent/1.2.74/templates/serviceaccount.yaml b/charts/instana/instana-agent/1.2.74/templates/serviceaccount.yaml
new file mode 100644
index 000000000..f26642835
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/templates/serviceaccount.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "instana-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "instana-agent.commonLabels" . | nindent 4 }}
+ {{- if .Values.serviceAccount.annotations }}
+ annotations:
+ {{- if .Values.serviceAccount.annotations }}
+ {{- toYaml .Values.serviceAccount.annotations | nindent 4}}
+ {{- end }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/instana/instana-agent/1.2.74/values.yaml b/charts/instana/instana-agent/1.2.74/values.yaml
new file mode 100644
index 000000000..60a707def
--- /dev/null
+++ b/charts/instana/instana-agent/1.2.74/values.yaml
@@ -0,0 +1,322 @@
+# name is the value which will be used as the base resource name for various resources associated with the agent.
+# name: instana-agent
+
+agent:
+ # agent.mode is used to set agent mode and it can be APM, INFRASTRUCTURE or AWS
+ # mode: APM
+
+ # agent.key is the secret token which your agent uses to authenticate to Instana's servers.
+ key: null
+ # agent.downloadKey is key, sometimes known as "sales key", that allows you to download,
+ # software from Instana.
+ # downloadKey: null
+
+ # Rather than specifying the agent key and optionally the download key, you can "bring your
+ # own secret" creating it in the namespace in which you install the `instana-agent` and
+ # specify its name in the `keysSecret` field. The secret you create must contains
+ # a field called `key` and optionally one called `downloadKey`, which contain, respectively,
+ # the values you'd otherwise set in `.agent.key` and `agent.downloadKey`.
+ # keysSecret: null
+
+ # agent.listenAddress is the IP address the agent HTTP server will listen to.
+ # listenAddress: "*"
+
+ # agent.endpointHost is the hostname of the Instana server your agents will connect to.
+ endpointHost: ingress-red-saas.instana.io
+ # agent.endpointPort is the port number (as a String) of the Instana server your agents will connect to.
+ endpointPort: 443
+
+ # These are additional backends the Instana agent will report to besides
+ # the one configured via the `agent.endpointHost`, `agent.endpointPort` and `agent.key` setting
+ additionalBackends: []
+ # - endpointHost: ingress.instana.io
+ # endpointPort: 443
+ # key:
+
+ # TLS for end-to-end encryption between Instana agent and clients accessing the agent.
+ # The Instana agent does not yet allow enforcing TLS encryption.
+ # TLS is only enabled on a connection when requested by the client.
+ tls:
+ # In order to enable TLS, a secret of type kubernetes.io/tls must be specified.
+ # secretName is the name of the secret that has the relevant files.
+ # secretName: null
+ # Otherwise, the certificate and the private key must be provided as base64 encoded.
+ # certificate: null
+ # key: null
+
+ image:
+ # agent.image.name is the name of the container image of the Instana agent.
+ name: icr.io/instana/agent
+ # agent.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
+ #digest:
+ # agent.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
+ tag: latest
+ # agent.image.pullPolicy specifies when to pull the image container.
+ pullPolicy: Always
+ # agent.image.pullSecrets allows you to override the default pull secret that is created when agent.image.name starts with "containers.instana.io"
+ # Setting agent.image.pullSecrets prevents the creation of the default "containers-instana-io" secret.
+ # pullSecrets:
+ # - name: my_awesome_secret_instead
+ # If you want no imagePullSecrets to be specified in the agent pod, you can just pass an empty array to agent.image.pullSecrets
+ # pullSecrets: []
+
+ # The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
+ minReadySeconds: 0
+
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxUnavailable: 1
+
+ pod:
+ # agent.pod.annotations are additional annotations to be added to the agent pods.
+ annotations: {}
+
+ # agent.pod.labels are additional labels to be added to the agent pods.
+ labels: {}
+
+ # agent.pod.tolerations are tolerations to influence agent pod assignment.
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+
+ # agent.pod.affinity are affinities to influence agent pod assignment.
+ # https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ affinity: {}
+
+ # agent.pod.priorityClassName is the name of an existing PriorityClass that should be set on the agent pods
+ # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ priorityClassName: null
+
+ # agent.pod.requests and agent.pod.limits adjusts the resource assignments for the DaemonSet agent
+ # regardless of the kubernetes.deployment.enabled setting
+ requests:
+ # agent.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
+ memory: 768Mi
+ # agent.pod.requests.cpu are the requested CPU units allocation for the agent pods.
+ cpu: 0.5
+ limits:
+ # agent.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
+ memory: 768Mi
+ # agent.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
+ cpu: 1.5
+
+ # agent.proxyHost sets the INSTANA_AGENT_PROXY_HOST environment variable.
+ # proxyHost: null
+ # agent.proxyPort sets the INSTANA_AGENT_PROXY_PORT environment variable.
+ # proxyPort: 80
+ # agent.proxyProtocol sets the INSTANA_AGENT_PROXY_PROTOCOL environment variable.
+ # proxyProtocol: HTTP
+ # agent.proxyUser sets the INSTANA_AGENT_PROXY_USER environment variable.
+ # proxyUser: null
+ # agent.proxyPassword sets the INSTANA_AGENT_PROXY_PASSWORD environment variable.
+ # proxyPassword: null
+ # agent.proxyUseDNS sets the INSTANA_AGENT_PROXY_USE_DNS environment variable.
+ # proxyUseDNS: false
+
+ # use this to set additional environment variables for the instana agent
+ # for example:
+ # env:
+ # INSTANA_AGENT_TAGS: dev
+ env: {}
+
+ configuration:
+ # When setting this to true, the Helm chart will automatically look up the entries
+ # of the default instana-agent ConfigMap, and mount as agent configuration files
+ # under /opt/instana/agent/etc/instana all entries with keys that match the
+ # 'configuration-*.yaml' scheme
+ #
+ # IMPORTANT: Needs Helm 3.1+ as it is built on the `lookup` function
+ # IMPORTANT: Editing the ConfigMap adding keys requires a `helm upgrade` to take effect
+ autoMountConfigEntries: false
+
+ # When setting this to true, the updates of the default instana-agent ConfigMap
+ # will be reflected in the pod without requiring a pod restart
+ hotreloadEnabled: false
+
+ configuration_yaml: |
+ # Manual a-priori configuration. Configuration will be only used when the sensor
+ # is actually installed by the agent.
+ # The commented out example values represent example configuration and are not
+ # necessarily defaults. Defaults are usually 'absent' or mentioned separately.
+ # Changes are hot reloaded unless otherwise mentioned.
+
+ # It is possible to create files called 'configuration-abc.yaml' which are
+ # merged with this file in file system order. So 'configuration-cde.yaml' comes
+ # after 'configuration-abc.yaml'. Only nested structures are merged, values are
+ # overwritten by subsequent configurations.
+
+ # Secrets
+ # To filter sensitive data from collection by the agent, all sensors respect
+ # the following secrets configuration. If a key collected by a sensor matches
+ # an entry from the list, the value is redacted.
+ #com.instana.secrets:
+ # matcher: 'contains-ignore-case' # 'contains-ignore-case', 'contains', 'regex'
+ # list:
+ # - 'key'
+ # - 'password'
+ # - 'secret'
+
+ # Host
+ #com.instana.plugin.host:
+ # tags:
+ # - 'dev'
+ # - 'app1'
+
+ # Hardware & Zone
+ #com.instana.plugin.generic.hardware:
+ # enabled: true # disabled by default
+ # availability-zone: 'zone'
+
+ # agent.redactKubernetesSecrets sets the INSTANA_KUBERNETES_REDACT_SECRETS environment variable.
+ # redactKubernetesSecrets: null
+
+ # agent.host.repository sets a host path to be mounted as the agent maven repository (for debugging or development purposes)
+ host:
+ repository: null
+
+ # agent.serviceMesh.enabled sets the ENABLE_AGENT_SOCKET environment variable.
+ serviceMesh:
+ enabled: true
+
+cluster:
+ # cluster.name represents the name that will be assigned to this cluster in Instana
+ name: null
+
+leaderElector:
+ image:
+ # leaderElector.image.name is the name of the container image of the leader elector.
+ name: icr.io/instana/leader-elector
+ # leaderElector.image.digest is the digest (a.k.a. Image ID) of the leader elector container image; if specified, it has priority over leaderElector.image.digest, which will be ignored.
+ #digest:
+ # leaderElector.image.tag is the tag name of the agent container image; if leaderElector.image.digest is specified, this property is ignored.
+ tag: 0.5.19
+ port: 42655
+
+# openshift specifies whether the cluster role should include openshift permissions and other tweaks to the YAML.
+# The chart will try to auto-detect if the cluster is OpenShift, so you will likely not even need to set this explicitly.
+# openshift: true
+
+rbac:
+ # Specifies whether RBAC resources should be created
+ create: true
+
+service:
+ # Specifies whether to create the instana-agent service to expose within the cluster the Prometheus remote-write, OpenTelemetry GRCP endpoint and other APIs
+ # Note: Requires Kubernetes 1.17+, as it uses topologyKeys
+ create: true
+
+opentelemetry:
+# enabled: false # legacy setting, will only enable grpc, defaults to false
+ grpc:
+ enabled: true # takes precedence over legacy settings above, defaults to true if "grpc:" is present
+ http:
+ enabled: true # allows to enable http endpoints, defaults to true if "http:" is present
+
+prometheus:
+ remoteWrite:
+ enabled: false # If true, it will also apply `service.create=true`
+
+serviceAccount:
+ # Specifies whether a ServiceAccount should be created
+ create: true
+ # The name of the ServiceAccount to use.
+ # If not set and `create` is true, a name is generated using the fullname template
+ # name: instana-agent
+ # Annotations to add to the service account
+ annotations: {}
+
+podSecurityPolicy:
+ # Specifies whether a PodSecurityPolicy should be authorized for the Instana Agent pods.
+ # Requires `rbac.create` to be `true` as well and K8s version below v1.25.
+ enable: false
+ # The name of an existing PodSecurityPolicy you would like to authorize for the Instana Agent pods.
+ # If not set and `enable` is true, a PodSecurityPolicy will be created with a name generated using the fullname template.
+ name: null
+
+zone:
+ # zone.name is the custom zone that detected technologies will be assigned to
+ name: null
+
+k8s_sensor:
+ image:
+ # k8s_sensor.image.name is the name of the container image of the Instana agent.
+ name: icr.io/instana/k8sensor
+ # k8s_sensor.image.digest is the digest (a.k.a. Image ID) of the agent container image; if specified, it has priority over agent.image.tag, which will be ignored.
+ #digest:
+ # k8s_sensor.image.tag is the tag name of the agent container image; if agent.image.digest is specified, this property is ignored.
+ tag: latest
+ # k8s_sensor.image.pullPolicy specifies when to pull the image container.
+ pullPolicy: Always
+ deployment:
+ # Specifies whether or not to enable the Deployment and turn off the Kubernetes sensor in the DaemonSet
+ enabled: true
+ # Use three replicas to ensure the HA by the default.
+ replicas: 3
+ # k8s_sensor.deployment.pod adjusts the resource assignments for the agent independently of the DaemonSet agent when k8s_sensor.deployment.enabled=true
+ pod:
+ requests:
+ # k8s_sensor.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
+ memory: 128Mi
+ # k8s_sensor.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
+ cpu: 120m
+ limits:
+ # k8s_sensor.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
+ memory: 2048Mi
+ # k8s_sensor.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
+ cpu: 500m
+ affinity:
+ podAntiAffinity:
+ # Soft anti-affinity policy: try not to schedule multiple kubernetes-sensor pods on the same node.
+ # If the policy is set to "requiredDuringSchedulingIgnoredDuringExecution", if the cluster has
+ # fewer nodes than the amount of desired replicas, `helm install/upgrade --wait` will not return.
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 100
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: instana/agent-mode
+ operator: In
+ values: [ KUBERNETES ]
+ topologyKey: "kubernetes.io/hostname"
+ # The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
+ minReadySeconds: 0
+ podDisruptionBudget:
+ # Specifies whether or not to setup a pod disruption budget for the k8sensor deployment
+ enabled: false
+
+kubernetes:
+ # Configures use of a Deployment for the Kubernetes sensor rather than as a potential member of the DaemonSet. Is only accepted if k8s_sensor.deployment.enabled=false
+ deployment:
+ # Specifies whether or not to enable the Deployment and turn off the Kubernetes sensor in the DaemonSet
+ enabled: false
+ # Use a single replica, the impact will generally be low and we need to address a host of other concerns where clusters are large.
+ replicas: 1
+ # The minimum number of seconds for which a newly created Pod should be ready without any of its containers crashing, for it to be considered available
+ minReadySeconds: 0
+ # kubernetes.deployment.pod adjusts the resource assignments for the agent independently of the DaemonSet agent when kubernetes.deployment.enabled=true
+ pod:
+ requests:
+ # kubernetes.deployment.pod.requests.memory is the requested memory allocation in MiB for the agent pods.
+ memory: 1024Mi
+ # kubernetes.deployment.pod.requests.cpu are the requested CPU units allocation for the agent pods.
+ cpu: 720m
+ limits:
+ # kubernetes.deployment.pod.limits.memory set the memory allocation limits in MiB for the agent pods.
+ memory: 3072Mi
+ # kubernetes.deployment.pod.limits.cpu sets the CPU units allocation limits for the agent pods.
+ cpu: 4
+
+# zones:
+# # Configure use of zones to use tolerations as the basis to associate a specific daemonset per tainted node pool
+# - name: pool-01
+# tolerations:
+# - key: "pool"
+# operator: "Equal"
+# value: "pool-01"
+# effect: "NoExecute"
+# - name: pool-02
+# tolerations:
+# - key: "pool"
+# operator: "Equal"
+# value: "pool-02"
+# effect: "NoExecute"
diff --git a/charts/percona/psmdb-operator/1.17.1/.helmignore b/charts/percona/psmdb-operator/1.17.1/.helmignore
new file mode 100644
index 000000000..50af03172
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/percona/psmdb-operator/1.17.1/Chart.yaml b/charts/percona/psmdb-operator/1.17.1/Chart.yaml
new file mode 100644
index 000000000..1c8586647
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/Chart.yaml
@@ -0,0 +1,20 @@
+annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Percona Operator for MongoDB
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: psmdb-operator
+apiVersion: v2
+appVersion: 1.17.0
+description: A Helm chart for deploying the Percona Operator for MongoDB
+home: https://docs.percona.com/percona-operator-for-mongodb/
+icon: file://assets/icons/psmdb-operator.png
+kubeVersion: '>=1.21-0'
+maintainers:
+- email: tomislav.plavcic@percona.com
+ name: tplavcic
+- email: natalia.marukovich@percona.com
+ name: nmarukovich
+- email: sergey.pronin@percona.com
+ name: spron-in
+name: psmdb-operator
+version: 1.17.1
diff --git a/charts/percona/psmdb-operator/1.17.1/LICENSE.txt b/charts/percona/psmdb-operator/1.17.1/LICENSE.txt
new file mode 100644
index 000000000..6a31453af
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/LICENSE.txt
@@ -0,0 +1,13 @@
+Copyright 2019 Paul Czarkowski
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/charts/percona/psmdb-operator/1.17.1/README.md b/charts/percona/psmdb-operator/1.17.1/README.md
new file mode 100644
index 000000000..0602b793c
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/README.md
@@ -0,0 +1,69 @@
+# Percona Operator for MongoDB
+
+Percona Operator for MongoDB allows users to deploy and manage Percona Server for MongoDB Clusters on Kubernetes.
+Useful links:
+- [Operator Github repository](https://github.com/percona/percona-server-mongodb-operator)
+- [Operator Documentation](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/index.html)
+
+## Pre-requisites
+* Kubernetes 1.27+
+* Helm v3
+
+# Installation
+
+This chart will deploy the Operator Pod for the further Percona Server for MongoDB creation in Kubernetes.
+
+## Installing the chart
+
+To install the chart with the `psmdb` release name using a dedicated namespace (recommended):
+
+```sh
+helm repo add percona https://percona.github.io/percona-helm-charts/
+helm install my-operator percona/psmdb-operator --version 1.17.1 --namespace my-namespace
+```
+
+The chart can be customized using the following configurable parameters:
+
+| Parameter | Description | Default |
+| ---------------------------- | --------------------------------------------------------------------------------------------------- | ----------------------------------------- |
+| `image.repository` | PSMDB Operator Container image name | `percona/percona-server-mongodb-operator` |
+| `image.tag` | PSMDB Operator Container image tag | `1.17.0` |
+| `image.pullPolicy` | PSMDB Operator Container pull policy | `Always` |
+| `image.pullSecrets` | PSMDB Operator Pod pull secret | `[]` |
+| `replicaCount` | PSMDB Operator Pod quantity | `1` |
+| `tolerations` | List of node taints to tolerate | `[]` |
+| `annotations` | PSMDB Operator Deployment annotations | `{}` |
+| `podAnnotations` | PSMDB Operator Pod annotations | `{}` |
+| `labels` | PSMDB Operator Deployment labels | `{}` |
+| `podLabels` | PSMDB Operator Pod labels | `{}` |
+| `resources` | Resource requests and limits | `{}` |
+| `nodeSelector` | Labels for Pod assignment | `{}` |
+| `podAnnotations` | Annotations for pod | `{}` |
+| `podSecurityContext` | Pod Security Context | `{}` |
+| `watchNamespace` | Set when a different from default namespace is needed to watch (comma separated if multiple needed) | `""` |
+| `createNamespace` | Set if you want to create watched namespaces with helm | `false` |
+| `rbac.create` | If false RBAC will not be created. RBAC resources will need to be created manually | `true` |
+| `securityContext` | Container Security Context | `{}` |
+| `serviceAccount.create` | If false the ServiceAccounts will not be created. The ServiceAccounts must be created manually | `true` |
+| `serviceAccount.annotations` | PSMDB Operator ServiceAccount annotations | `{}` |
+| `logStructured` | Force PSMDB operator to print JSON-wrapped log messages | `false` |
+| `logLevel` | PSMDB Operator logging level | `INFO` |
+| `disableTelemetry` | Disable sending PSMDB Operator telemetry data to Percona | `false` |
+
+Specify parameters using `--set key=value[,key=value]` argument to `helm install`
+
+Alternatively a YAML file that specifies the values for the parameters can be provided like this:
+
+```sh
+helm install psmdb-operator -f values.yaml percona/psmdb-operator
+```
+
+## Deploy the database
+
+To deploy Percona Server for MongoDB run the following command:
+
+```sh
+helm install my-db percona/psmdb-db
+```
+
+See more about Percona Server for MongoDB deployment in its chart [here](https://github.com/percona/percona-helm-charts/tree/main/charts/psmdb-db) or in the [Helm chart installation guide](https://www.percona.com/doc/kubernetes-operator-for-psmongodb/helm.html).
diff --git a/charts/percona/psmdb-operator/1.17.1/crds/crd.yaml b/charts/percona/psmdb-operator/1.17.1/crds/crd.yaml
new file mode 100644
index 000000000..6c2ee036b
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/crds/crd.yaml
@@ -0,0 +1,19190 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: perconaservermongodbbackups.psmdb.percona.com
+spec:
+ group: psmdb.percona.com
+ names:
+ kind: PerconaServerMongoDBBackup
+ listKind: PerconaServerMongoDBBackupList
+ plural: perconaservermongodbbackups
+ shortNames:
+ - psmdb-backup
+ singular: perconaservermongodbbackup
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Cluster name
+ jsonPath: .spec.clusterName
+ name: Cluster
+ type: string
+ - description: Storage name
+ jsonPath: .spec.storageName
+ name: Storage
+ type: string
+ - description: Backup destination
+ jsonPath: .status.destination
+ name: Destination
+ type: string
+ - description: Backup type
+ jsonPath: .status.type
+ name: Type
+ type: string
+ - description: Job status
+ jsonPath: .status.state
+ name: Status
+ type: string
+ - description: Completed time
+ jsonPath: .status.completed
+ name: Completed
+ type: date
+ - description: Created time
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ clusterName:
+ type: string
+ compressionLevel:
+ type: integer
+ compressionType:
+ type: string
+ psmdbCluster:
+ type: string
+ storageName:
+ type: string
+ type:
+ enum:
+ - logical
+ - physical
+ type: string
+ type: object
+ status:
+ properties:
+ azure:
+ properties:
+ container:
+ type: string
+ credentialsSecret:
+ type: string
+ endpointUrl:
+ type: string
+ prefix:
+ type: string
+ required:
+ - credentialsSecret
+ type: object
+ completed:
+ format: date-time
+ type: string
+ destination:
+ type: string
+ error:
+ type: string
+ lastTransition:
+ format: date-time
+ type: string
+ latestRestorableTime:
+ format: date-time
+ type: string
+ pbmName:
+ type: string
+ pbmPod:
+ type: string
+ pbmPods:
+ additionalProperties:
+ type: string
+ type: object
+ replsetNames:
+ items:
+ type: string
+ type: array
+ s3:
+ properties:
+ bucket:
+ type: string
+ credentialsSecret:
+ type: string
+ debugLogLevels:
+ type: string
+ endpointUrl:
+ type: string
+ forcePathStyle:
+ type: boolean
+ insecureSkipTLSVerify:
+ type: boolean
+ maxUploadParts:
+ type: integer
+ prefix:
+ type: string
+ region:
+ type: string
+ retryer:
+ properties:
+ maxRetryDelay:
+ type: string
+ minRetryDelay:
+ type: string
+ numMaxRetries:
+ type: integer
+ type: object
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
+ storageClass:
+ type: string
+ uploadPartSize:
+ type: integer
+ required:
+ - bucket
+ type: object
+ start:
+ format: date-time
+ type: string
+ state:
+ type: string
+ storageName:
+ type: string
+ type:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: perconaservermongodbrestores.psmdb.percona.com
+spec:
+ group: psmdb.percona.com
+ names:
+ kind: PerconaServerMongoDBRestore
+ listKind: PerconaServerMongoDBRestoreList
+ plural: perconaservermongodbrestores
+ shortNames:
+ - psmdb-restore
+ singular: perconaservermongodbrestore
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - description: Cluster name
+ jsonPath: .spec.clusterName
+ name: Cluster
+ type: string
+ - description: Job status
+ jsonPath: .status.state
+ name: Status
+ type: string
+ - description: Created time
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ backupName:
+ type: string
+ backupSource:
+ properties:
+ azure:
+ properties:
+ container:
+ type: string
+ credentialsSecret:
+ type: string
+ endpointUrl:
+ type: string
+ prefix:
+ type: string
+ required:
+ - credentialsSecret
+ type: object
+ completed:
+ format: date-time
+ type: string
+ destination:
+ type: string
+ error:
+ type: string
+ lastTransition:
+ format: date-time
+ type: string
+ latestRestorableTime:
+ format: date-time
+ type: string
+ pbmName:
+ type: string
+ pbmPod:
+ type: string
+ pbmPods:
+ additionalProperties:
+ type: string
+ type: object
+ replsetNames:
+ items:
+ type: string
+ type: array
+ s3:
+ properties:
+ bucket:
+ type: string
+ credentialsSecret:
+ type: string
+ debugLogLevels:
+ type: string
+ endpointUrl:
+ type: string
+ forcePathStyle:
+ type: boolean
+ insecureSkipTLSVerify:
+ type: boolean
+ maxUploadParts:
+ type: integer
+ prefix:
+ type: string
+ region:
+ type: string
+ retryer:
+ properties:
+ maxRetryDelay:
+ type: string
+ minRetryDelay:
+ type: string
+ numMaxRetries:
+ type: integer
+ type: object
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
+ storageClass:
+ type: string
+ uploadPartSize:
+ type: integer
+ required:
+ - bucket
+ type: object
+ start:
+ format: date-time
+ type: string
+ state:
+ type: string
+ storageName:
+ type: string
+ type:
+ type: string
+ type: object
+ clusterName:
+ type: string
+ pitr:
+ properties:
+ date:
+ type: string
+ type:
+ type: string
+ type: object
+ replset:
+ type: string
+ storageName:
+ type: string
+ type: object
+ status:
+ properties:
+ completed:
+ format: date-time
+ type: string
+ error:
+ type: string
+ lastTransition:
+ format: date-time
+ type: string
+ pbmName:
+ type: string
+ pitrTarget:
+ type: string
+ state:
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.15.0
+ name: perconaservermongodbs.psmdb.percona.com
+spec:
+ group: psmdb.percona.com
+ names:
+ kind: PerconaServerMongoDB
+ listKind: PerconaServerMongoDBList
+ plural: perconaservermongodbs
+ shortNames:
+ - psmdb
+ singular: perconaservermongodb
+ scope: Namespaced
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-2-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-2-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-3-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-3-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-4-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-4-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-5-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-5-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-6-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-6-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-7-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-7-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-8-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-8-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-9-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-9-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: false
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-10-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-10-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-11-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-11-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ deprecated: true
+ deprecationWarning: psmdb.percona.com/v1-12-0 PerconaServerMongoDB is deprecated
+ and will be removed in v1.17.0; see v1.13.0 release notes for instructions to
+ migrate to psmdb.percona.com/v1
+ name: v1-12-0
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ status:
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - jsonPath: .status.host
+ name: ENDPOINT
+ type: string
+ - jsonPath: .status.state
+ name: Status
+ type: string
+ - jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ allowUnsafeConfigurations:
+ type: boolean
+ backup:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ configuration:
+ properties:
+ backupOptions:
+ properties:
+ oplogSpanMin:
+ type: number
+ priority:
+ additionalProperties:
+ type: number
+ type: object
+ timeouts:
+ properties:
+ startingStatus:
+ format: int32
+ type: integer
+ type: object
+ required:
+ - oplogSpanMin
+ type: object
+ restoreOptions:
+ properties:
+ batchSize:
+ type: integer
+ downloadChunkMb:
+ type: integer
+ maxDownloadBufferMb:
+ type: integer
+ mongodLocation:
+ type: string
+ mongodLocationMap:
+ additionalProperties:
+ type: string
+ type: object
+ numDownloadWorkers:
+ type: integer
+ numInsertionWorkers:
+ type: integer
+ type: object
+ type: object
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ pitr:
+ properties:
+ compressionLevel:
+ type: integer
+ compressionType:
+ type: string
+ enabled:
+ type: boolean
+ oplogOnly:
+ type: boolean
+ oplogSpanMin:
+ type: number
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ storages:
+ additionalProperties:
+ properties:
+ azure:
+ properties:
+ container:
+ type: string
+ credentialsSecret:
+ type: string
+ endpointUrl:
+ type: string
+ prefix:
+ type: string
+ required:
+ - credentialsSecret
+ type: object
+ s3:
+ properties:
+ bucket:
+ type: string
+ credentialsSecret:
+ type: string
+ debugLogLevels:
+ type: string
+ endpointUrl:
+ type: string
+ forcePathStyle:
+ type: boolean
+ insecureSkipTLSVerify:
+ type: boolean
+ maxUploadParts:
+ type: integer
+ prefix:
+ type: string
+ region:
+ type: string
+ retryer:
+ properties:
+ maxRetryDelay:
+ type: string
+ minRetryDelay:
+ type: string
+ numMaxRetries:
+ type: integer
+ type: object
+ serverSideEncryption:
+ properties:
+ kmsKeyID:
+ type: string
+ sseAlgorithm:
+ type: string
+ sseCustomerAlgorithm:
+ type: string
+ sseCustomerKey:
+ type: string
+ type: object
+ storageClass:
+ type: string
+ uploadPartSize:
+ type: integer
+ required:
+ - bucket
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ tasks:
+ items:
+ properties:
+ compressionLevel:
+ type: integer
+ compressionType:
+ type: string
+ enabled:
+ type: boolean
+ keep:
+ type: integer
+ name:
+ type: string
+ schedule:
+ type: string
+ storageName:
+ type: string
+ type:
+ enum:
+ - logical
+ - physical
+ type: string
+ required:
+ - enabled
+ - name
+ type: object
+ type: array
+ required:
+ - enabled
+ - image
+ type: object
+ clusterServiceDNSMode:
+ type: string
+ clusterServiceDNSSuffix:
+ type: string
+ crVersion:
+ type: string
+ ignoreAnnotations:
+ items:
+ type: string
+ type: array
+ ignoreLabels:
+ items:
+ type: string
+ type: array
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ imagePullSecrets:
+ items:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ initContainerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ initImage:
+ type: string
+ multiCluster:
+ properties:
+ DNSSuffix:
+ type: string
+ enabled:
+ type: boolean
+ required:
+ - enabled
+ type: object
+ pause:
+ type: boolean
+ platform:
+ type: string
+ pmm:
+ properties:
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ image:
+ type: string
+ mongodParams:
+ type: string
+ mongosParams:
+ type: string
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ serverHost:
+ type: string
+ required:
+ - image
+ type: object
+ replsets:
+ items:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ arbiter:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ priorityClassName:
+ type: string
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ required:
+ - enabled
+ - size
+ type: object
+ clusterRole:
+ type: string
+ configuration:
+ type: string
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ expose:
+ properties:
+ enabled:
+ type: boolean
+ exposeType:
+ type: string
+ loadBalancerSourceRanges:
+ items:
+ type: string
+ type: array
+ nodePort:
+ format: int32
+ type: integer
+ serviceAnnotations:
+ additionalProperties:
+ type: string
+ type: object
+ serviceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - enabled
+ type: object
+ externalNodes:
+ items:
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ priority:
+ type: integer
+ votes:
+ type: integer
+ required:
+ - host
+ - priority
+ - votes
+ type: object
+ type: array
+ hostAliases:
+ items:
+ properties:
+ hostnames:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ ip:
+ type: string
+ required:
+ - ip
+ type: object
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ startupDelaySeconds:
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ nonvoting:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ configuration:
+ type: string
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ startupDelaySeconds:
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ priorityClassName:
+ type: string
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumeSpec:
+ properties:
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ persistentVolumeClaim:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ type: object
+ required:
+ - enabled
+ - size
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ priorityClassName:
+ type: string
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ splitHorizons:
+ additionalProperties:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ storage:
+ properties:
+ directoryPerDB:
+ type: boolean
+ engine:
+ type: string
+ inMemory:
+ properties:
+ engineConfig:
+ properties:
+ inMemorySizeRatio:
+ type: number
+ type: object
+ type: object
+ mmapv1:
+ properties:
+ nsSize:
+ type: integer
+ smallfiles:
+ type: boolean
+ type: object
+ syncPeriodSecs:
+ type: integer
+ wiredTiger:
+ properties:
+ collectionConfig:
+ properties:
+ blockCompressor:
+ type: string
+ type: object
+ engineConfig:
+ properties:
+ cacheSizeRatio:
+ type: number
+ directoryForIndexes:
+ type: boolean
+ journalCompressor:
+ type: string
+ type: object
+ indexConfig:
+ properties:
+ prefixCompression:
+ type: boolean
+ type: object
+ type: object
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumeSpec:
+ properties:
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ persistentVolumeClaim:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ type: object
+ required:
+ - size
+ type: object
+ type: array
+ schedulerName:
+ type: string
+ secrets:
+ properties:
+ encryptionKey:
+ type: string
+ ldapSecret:
+ type: string
+ sse:
+ type: string
+ ssl:
+ type: string
+ sslInternal:
+ type: string
+ users:
+ type: string
+ vault:
+ type: string
+ type: object
+ sharding:
+ properties:
+ balancer:
+ properties:
+ enabled:
+ type: boolean
+ type: object
+ configsvrReplSet:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ arbiter:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ enabled:
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ priorityClassName:
+ type: string
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ required:
+ - enabled
+ - size
+ type: object
+ clusterRole:
+ type: string
+ configuration:
+ type: string
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ expose:
+ properties:
+ enabled:
+ type: boolean
+ exposeType:
+ type: string
+ loadBalancerSourceRanges:
+ items:
+ type: string
+ type: array
+ nodePort:
+ format: int32
+ type: integer
+ serviceAnnotations:
+ additionalProperties:
+ type: string
+ type: object
+ serviceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - enabled
+ type: object
+ externalNodes:
+ items:
+ properties:
+ host:
+ type: string
+ port:
+ type: integer
+ priority:
+ type: integer
+ votes:
+ type: integer
+ required:
+ - host
+ - priority
+ - votes
+ type: object
+ type: array
+ hostAliases:
+ items:
+ properties:
+ hostnames:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ ip:
+ type: string
+ required:
+ - ip
+ type: object
+ type: array
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ startupDelaySeconds:
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ nonvoting:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ configuration:
+ type: string
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ startupDelaySeconds:
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ priorityClassName:
+ type: string
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumeSpec:
+ properties:
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ persistentVolumeClaim:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ type: object
+ required:
+ - enabled
+ - size
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ priorityClassName:
+ type: string
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ splitHorizons:
+ additionalProperties:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ storage:
+ properties:
+ directoryPerDB:
+ type: boolean
+ engine:
+ type: string
+ inMemory:
+ properties:
+ engineConfig:
+ properties:
+ inMemorySizeRatio:
+ type: number
+ type: object
+ type: object
+ mmapv1:
+ properties:
+ nsSize:
+ type: integer
+ smallfiles:
+ type: boolean
+ type: object
+ syncPeriodSecs:
+ type: integer
+ wiredTiger:
+ properties:
+ collectionConfig:
+ properties:
+ blockCompressor:
+ type: string
+ type: object
+ engineConfig:
+ properties:
+ cacheSizeRatio:
+ type: number
+ directoryForIndexes:
+ type: boolean
+ journalCompressor:
+ type: string
+ type: object
+ indexConfig:
+ properties:
+ prefixCompression:
+ type: boolean
+ type: object
+ type: object
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ volumeSpec:
+ properties:
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ persistentVolumeClaim:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ type: object
+ required:
+ - size
+ type: object
+ enabled:
+ type: boolean
+ mongos:
+ properties:
+ affinity:
+ properties:
+ advanced:
+ properties:
+ nodeAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ preference:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ weight:
+ format: int32
+ type: integer
+ required:
+ - preference
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ properties:
+ nodeSelectorTerms:
+ items:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchFields:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - nodeSelectorTerms
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ podAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ podAntiAffinity:
+ properties:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ podAffinityTerm:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ weight:
+ format: int32
+ type: integer
+ required:
+ - podAffinityTerm
+ - weight
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ requiredDuringSchedulingIgnoredDuringExecution:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ mismatchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ topologyKey:
+ type: string
+ required:
+ - topologyKey
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: object
+ antiAffinityTopologyKey:
+ type: string
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ configuration:
+ type: string
+ containerSecurityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ expose:
+ properties:
+ exposeType:
+ type: string
+ loadBalancerSourceRanges:
+ items:
+ type: string
+ type: array
+ nodePort:
+ format: int32
+ type: integer
+ serviceAnnotations:
+ additionalProperties:
+ type: string
+ type: object
+ serviceLabels:
+ additionalProperties:
+ type: string
+ type: object
+ servicePerPod:
+ type: boolean
+ type: object
+ hostAliases:
+ items:
+ properties:
+ hostnames:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ ip:
+ type: string
+ required:
+ - ip
+ type: object
+ type: array
+ hostPort:
+ format: int32
+ type: integer
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ startupDelaySeconds:
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ type: object
+ podDisruptionBudget:
+ properties:
+ maxUnavailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ minAvailable:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ type: object
+ podSecurityContext:
+ properties:
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ fsGroup:
+ format: int64
+ type: integer
+ fsGroupChangePolicy:
+ type: string
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ supplementalGroups:
+ items:
+ format: int64
+ type: integer
+ type: array
+ x-kubernetes-list-type: atomic
+ sysctls:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ port:
+ format: int32
+ type: integer
+ priorityClassName:
+ type: string
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ runtimeClassName:
+ type: string
+ serviceAccountName:
+ type: string
+ setParameter:
+ properties:
+ cursorTimeoutMillis:
+ type: integer
+ type: object
+ sidecarPVCs:
+ items:
+ properties:
+ apiVersion:
+ type: string
+ kind:
+ type: string
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ status:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ allocatedResourceStatuses:
+ additionalProperties:
+ type: string
+ type: object
+ x-kubernetes-map-type: granular
+ allocatedResources:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ capacity:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ conditions:
+ items:
+ properties:
+ lastProbeTime:
+ format: date-time
+ type: string
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - type
+ x-kubernetes-list-type: map
+ currentVolumeAttributesClassName:
+ type: string
+ modifyVolumeStatus:
+ properties:
+ status:
+ type: string
+ targetVolumeAttributesClassName:
+ type: string
+ required:
+ - status
+ type: object
+ phase:
+ type: string
+ type: object
+ type: object
+ type: array
+ sidecarVolumes:
+ items:
+ properties:
+ awsElasticBlockStore:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ azureDisk:
+ properties:
+ cachingMode:
+ type: string
+ diskName:
+ type: string
+ diskURI:
+ type: string
+ fsType:
+ type: string
+ kind:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - diskName
+ - diskURI
+ type: object
+ azureFile:
+ properties:
+ readOnly:
+ type: boolean
+ secretName:
+ type: string
+ shareName:
+ type: string
+ required:
+ - secretName
+ - shareName
+ type: object
+ cephfs:
+ properties:
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ secretFile:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - monitors
+ type: object
+ cinder:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ configMap:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ csi:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ nodePublishSecretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ readOnly:
+ type: boolean
+ volumeAttributes:
+ additionalProperties:
+ type: string
+ type: object
+ required:
+ - driver
+ type: object
+ downwardAPI:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ emptyDir:
+ properties:
+ medium:
+ type: string
+ sizeLimit:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ ephemeral:
+ properties:
+ volumeClaimTemplate:
+ properties:
+ metadata:
+ type: object
+ spec:
+ properties:
+ accessModes:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ dataSource:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ dataSourceRef:
+ properties:
+ apiGroup:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ resources:
+ properties:
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ selector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ storageClassName:
+ type: string
+ volumeAttributesClassName:
+ type: string
+ volumeMode:
+ type: string
+ volumeName:
+ type: string
+ type: object
+ required:
+ - spec
+ type: object
+ type: object
+ fc:
+ properties:
+ fsType:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ readOnly:
+ type: boolean
+ targetWWNs:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ wwids:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ flexVolume:
+ properties:
+ driver:
+ type: string
+ fsType:
+ type: string
+ options:
+ additionalProperties:
+ type: string
+ type: object
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - driver
+ type: object
+ flocker:
+ properties:
+ datasetName:
+ type: string
+ datasetUUID:
+ type: string
+ type: object
+ gcePersistentDisk:
+ properties:
+ fsType:
+ type: string
+ partition:
+ format: int32
+ type: integer
+ pdName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - pdName
+ type: object
+ gitRepo:
+ properties:
+ directory:
+ type: string
+ repository:
+ type: string
+ revision:
+ type: string
+ required:
+ - repository
+ type: object
+ glusterfs:
+ properties:
+ endpoints:
+ type: string
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - endpoints
+ - path
+ type: object
+ hostPath:
+ properties:
+ path:
+ type: string
+ type:
+ type: string
+ required:
+ - path
+ type: object
+ iscsi:
+ properties:
+ chapAuthDiscovery:
+ type: boolean
+ chapAuthSession:
+ type: boolean
+ fsType:
+ type: string
+ initiatorName:
+ type: string
+ iqn:
+ type: string
+ iscsiInterface:
+ type: string
+ lun:
+ format: int32
+ type: integer
+ portals:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ targetPortal:
+ type: string
+ required:
+ - iqn
+ - lun
+ - targetPortal
+ type: object
+ name:
+ type: string
+ nfs:
+ properties:
+ path:
+ type: string
+ readOnly:
+ type: boolean
+ server:
+ type: string
+ required:
+ - path
+ - server
+ type: object
+ persistentVolumeClaim:
+ properties:
+ claimName:
+ type: string
+ readOnly:
+ type: boolean
+ required:
+ - claimName
+ type: object
+ photonPersistentDisk:
+ properties:
+ fsType:
+ type: string
+ pdID:
+ type: string
+ required:
+ - pdID
+ type: object
+ portworxVolume:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ volumeID:
+ type: string
+ required:
+ - volumeID
+ type: object
+ projected:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ sources:
+ items:
+ properties:
+ clusterTrustBundle:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ name:
+ type: string
+ optional:
+ type: boolean
+ path:
+ type: string
+ signerName:
+ type: string
+ required:
+ - path
+ type: object
+ configMap:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ downwardAPI:
+ properties:
+ items:
+ items:
+ properties:
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ secret:
+ properties:
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceAccountToken:
+ properties:
+ audience:
+ type: string
+ expirationSeconds:
+ format: int64
+ type: integer
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ quobyte:
+ properties:
+ group:
+ type: string
+ readOnly:
+ type: boolean
+ registry:
+ type: string
+ tenant:
+ type: string
+ user:
+ type: string
+ volume:
+ type: string
+ required:
+ - registry
+ - volume
+ type: object
+ rbd:
+ properties:
+ fsType:
+ type: string
+ image:
+ type: string
+ keyring:
+ type: string
+ monitors:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ pool:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ user:
+ type: string
+ required:
+ - image
+ - monitors
+ type: object
+ scaleIO:
+ properties:
+ fsType:
+ type: string
+ gateway:
+ type: string
+ protectionDomain:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ sslEnabled:
+ type: boolean
+ storageMode:
+ type: string
+ storagePool:
+ type: string
+ system:
+ type: string
+ volumeName:
+ type: string
+ required:
+ - gateway
+ - secretRef
+ - system
+ type: object
+ secret:
+ properties:
+ defaultMode:
+ format: int32
+ type: integer
+ items:
+ items:
+ properties:
+ key:
+ type: string
+ mode:
+ format: int32
+ type: integer
+ path:
+ type: string
+ required:
+ - key
+ - path
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ optional:
+ type: boolean
+ secretName:
+ type: string
+ type: object
+ storageos:
+ properties:
+ fsType:
+ type: string
+ readOnly:
+ type: boolean
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ type: object
+ x-kubernetes-map-type: atomic
+ volumeName:
+ type: string
+ volumeNamespace:
+ type: string
+ type: object
+ vsphereVolume:
+ properties:
+ fsType:
+ type: string
+ storagePolicyID:
+ type: string
+ storagePolicyName:
+ type: string
+ volumePath:
+ type: string
+ required:
+ - volumePath
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ sidecars:
+ items:
+ properties:
+ args:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ env:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ valueFrom:
+ properties:
+ configMapKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ fieldRef:
+ properties:
+ apiVersion:
+ type: string
+ fieldPath:
+ type: string
+ required:
+ - fieldPath
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceFieldRef:
+ properties:
+ containerName:
+ type: string
+ divisor:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ resource:
+ type: string
+ required:
+ - resource
+ type: object
+ x-kubernetes-map-type: atomic
+ secretKeyRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ envFrom:
+ items:
+ properties:
+ configMapRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ prefix:
+ type: string
+ secretRef:
+ properties:
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ image:
+ type: string
+ imagePullPolicy:
+ type: string
+ lifecycle:
+ properties:
+ postStart:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ preStop:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ sleep:
+ properties:
+ seconds:
+ format: int64
+ type: integer
+ required:
+ - seconds
+ type: object
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ type: object
+ type: object
+ livenessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ name:
+ type: string
+ ports:
+ items:
+ properties:
+ containerPort:
+ format: int32
+ type: integer
+ hostIP:
+ type: string
+ hostPort:
+ format: int32
+ type: integer
+ name:
+ type: string
+ protocol:
+ default: TCP
+ type: string
+ required:
+ - containerPort
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - containerPort
+ - protocol
+ x-kubernetes-list-type: map
+ readinessProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ resizePolicy:
+ items:
+ properties:
+ resourceName:
+ type: string
+ restartPolicy:
+ type: string
+ required:
+ - resourceName
+ - restartPolicy
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ resources:
+ properties:
+ claims:
+ items:
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ limits:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ requests:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ type: object
+ type: object
+ restartPolicy:
+ type: string
+ securityContext:
+ properties:
+ allowPrivilegeEscalation:
+ type: boolean
+ appArmorProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ capabilities:
+ properties:
+ add:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ drop:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ privileged:
+ type: boolean
+ procMount:
+ type: string
+ readOnlyRootFilesystem:
+ type: boolean
+ runAsGroup:
+ format: int64
+ type: integer
+ runAsNonRoot:
+ type: boolean
+ runAsUser:
+ format: int64
+ type: integer
+ seLinuxOptions:
+ properties:
+ level:
+ type: string
+ role:
+ type: string
+ type:
+ type: string
+ user:
+ type: string
+ type: object
+ seccompProfile:
+ properties:
+ localhostProfile:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ windowsOptions:
+ properties:
+ gmsaCredentialSpec:
+ type: string
+ gmsaCredentialSpecName:
+ type: string
+ hostProcess:
+ type: boolean
+ runAsUserName:
+ type: string
+ type: object
+ type: object
+ startupProbe:
+ properties:
+ exec:
+ properties:
+ command:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ failureThreshold:
+ format: int32
+ type: integer
+ grpc:
+ properties:
+ port:
+ format: int32
+ type: integer
+ service:
+ type: string
+ required:
+ - port
+ type: object
+ httpGet:
+ properties:
+ host:
+ type: string
+ httpHeaders:
+ items:
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ path:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ scheme:
+ type: string
+ required:
+ - port
+ type: object
+ initialDelaySeconds:
+ format: int32
+ type: integer
+ periodSeconds:
+ format: int32
+ type: integer
+ successThreshold:
+ format: int32
+ type: integer
+ tcpSocket:
+ properties:
+ host:
+ type: string
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ required:
+ - port
+ type: object
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ timeoutSeconds:
+ format: int32
+ type: integer
+ type: object
+ stdin:
+ type: boolean
+ stdinOnce:
+ type: boolean
+ terminationMessagePath:
+ type: string
+ terminationMessagePolicy:
+ type: string
+ tty:
+ type: boolean
+ volumeDevices:
+ items:
+ properties:
+ devicePath:
+ type: string
+ name:
+ type: string
+ required:
+ - devicePath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - devicePath
+ x-kubernetes-list-type: map
+ volumeMounts:
+ items:
+ properties:
+ mountPath:
+ type: string
+ mountPropagation:
+ type: string
+ name:
+ type: string
+ readOnly:
+ type: boolean
+ recursiveReadOnly:
+ type: string
+ subPath:
+ type: string
+ subPathExpr:
+ type: string
+ required:
+ - mountPath
+ - name
+ type: object
+ type: array
+ x-kubernetes-list-map-keys:
+ - mountPath
+ x-kubernetes-list-type: map
+ workingDir:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ size:
+ format: int32
+ type: integer
+ terminationGracePeriodSeconds:
+ format: int64
+ type: integer
+ tolerations:
+ items:
+ properties:
+ effect:
+ type: string
+ key:
+ type: string
+ operator:
+ type: string
+ tolerationSeconds:
+ format: int64
+ type: integer
+ value:
+ type: string
+ type: object
+ type: array
+ topologySpreadConstraints:
+ items:
+ properties:
+ labelSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ matchLabelKeys:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ maxSkew:
+ format: int32
+ type: integer
+ minDomains:
+ format: int32
+ type: integer
+ nodeAffinityPolicy:
+ type: string
+ nodeTaintsPolicy:
+ type: string
+ topologyKey:
+ type: string
+ whenUnsatisfiable:
+ type: string
+ required:
+ - maxSkew
+ - topologyKey
+ - whenUnsatisfiable
+ type: object
+ type: array
+ type: object
+ required:
+ - enabled
+ type: object
+ tls:
+ properties:
+ allowInvalidCertificates:
+ type: boolean
+ certValidityDuration:
+ type: string
+ issuerConf:
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ mode:
+ type: string
+ type: object
+ unmanaged:
+ type: boolean
+ unsafeFlags:
+ properties:
+ backupIfUnhealthy:
+ type: boolean
+ mongosSize:
+ type: boolean
+ replsetSize:
+ type: boolean
+ terminationGracePeriod:
+ type: boolean
+ tls:
+ type: boolean
+ type: object
+ updateStrategy:
+ type: string
+ upgradeOptions:
+ properties:
+ apply:
+ type: string
+ schedule:
+ type: string
+ setFCV:
+ type: boolean
+ versionServiceEndpoint:
+ type: string
+ type: object
+ users:
+ items:
+ properties:
+ db:
+ type: string
+ name:
+ type: string
+ passwordSecretRef:
+ properties:
+ key:
+ type: string
+ name:
+ default: ""
+ type: string
+ optional:
+ type: boolean
+ required:
+ - key
+ type: object
+ x-kubernetes-map-type: atomic
+ roles:
+ items:
+ properties:
+ db:
+ type: string
+ name:
+ type: string
+ required:
+ - db
+ - name
+ type: object
+ type: array
+ required:
+ - db
+ - name
+ - passwordSecretRef
+ - roles
+ type: object
+ type: array
+ required:
+ - image
+ type: object
+ status:
+ properties:
+ backup:
+ type: string
+ backupVersion:
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ format: date-time
+ type: string
+ message:
+ type: string
+ reason:
+ type: string
+ status:
+ type: string
+ type:
+ type: string
+ required:
+ - status
+ - type
+ type: object
+ type: array
+ host:
+ type: string
+ message:
+ type: string
+ mongoImage:
+ type: string
+ mongoVersion:
+ type: string
+ mongos:
+ properties:
+ message:
+ type: string
+ ready:
+ type: integer
+ size:
+ type: integer
+ status:
+ type: string
+ required:
+ - ready
+ - size
+ type: object
+ observedGeneration:
+ format: int64
+ type: integer
+ pmmStatus:
+ type: string
+ pmmVersion:
+ type: string
+ ready:
+ format: int32
+ type: integer
+ replsets:
+ additionalProperties:
+ properties:
+ added_as_shard:
+ type: boolean
+ clusterRole:
+ type: string
+ initialized:
+ type: boolean
+ members:
+ items:
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ type: object
+ type: array
+ message:
+ type: string
+ ready:
+ format: int32
+ type: integer
+ size:
+ format: int32
+ type: integer
+ status:
+ type: string
+ required:
+ - ready
+ - size
+ type: object
+ type: object
+ size:
+ format: int32
+ type: integer
+ state:
+ type: string
+ required:
+ - ready
+ - size
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/NOTES.txt b/charts/percona/psmdb-operator/1.17.1/templates/NOTES.txt
new file mode 100644
index 000000000..f72a33c0d
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/NOTES.txt
@@ -0,0 +1,15 @@
+1. Percona Operator for MongoDB is deployed.
+ See if the operator Pod is running:
+
+ kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }}
+
+ Check the operator logs if the Pod is not starting:
+
+ export POD=$(kubectl get pods -l app.kubernetes.io/name=psmdb-operator --namespace {{ .Release.Namespace }} --output name)
+ kubectl logs $POD --namespace={{ .Release.Namespace }}
+
+2. Deploy the database cluster from psmdb-db chart:
+
+ helm install my-db percona/psmdb-db --namespace={{ .Release.Namespace }}
+
+Read more in our documentation: https://docs.percona.com/percona-operator-for-mongodb/
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/_helpers.tpl b/charts/percona/psmdb-operator/1.17.1/templates/_helpers.tpl
new file mode 100644
index 000000000..1bf81ed17
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/_helpers.tpl
@@ -0,0 +1,45 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "psmdb-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "psmdb-operator.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "psmdb-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "psmdb-operator.labels" -}}
+app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
+helm.sh/chart: {{ include "psmdb-operator.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/deployment.yaml b/charts/percona/psmdb-operator/1.17.1/templates/deployment.yaml
new file mode 100644
index 000000000..41f26c264
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/deployment.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "psmdb-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "psmdb-operator.labels" . | nindent 4 }}
+ {{- with .Values.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "psmdb-operator.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "psmdb-operator.fullname" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: metrics
+ - containerPort: 8081
+ protocol: TCP
+ name: health
+ command:
+ - percona-server-mongodb-operator
+ {{- if .Values.securityContext.readOnlyRootFilesystem }}
+ volumeMounts:
+ - name: tmpdir
+ mountPath: /tmp
+ {{- end }}
+ env:
+ - name: LOG_STRUCTURED
+ value: "{{ .Values.logStructured }}"
+ - name: LOG_LEVEL
+ value: "{{ .Values.logLevel }}"
+ - name: WATCH_NAMESPACE
+ {{- if .Values.watchAllNamespaces }}
+ value: ""
+ {{- else }}
+ value: "{{ default .Release.Namespace .Values.watchNamespace }}"
+ {{- end }}
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: OPERATOR_NAME
+ value: {{ default "percona-server-mongodb-operator" .Values.operatorName }}
+ - name: RESYNC_PERIOD
+ value: "{{ .Values.env.resyncPeriod }}"
+ - name: DISABLE_TELEMETRY
+ value: "{{ .Values.disableTelemetry }}"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: health
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.securityContext.readOnlyRootFilesystem }}
+ volumes:
+ - name: tmpdir
+ emptyDir: {}
+ {{- end }}
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/namespace.yaml b/charts/percona/psmdb-operator/1.17.1/templates/namespace.yaml
new file mode 100644
index 000000000..cfc96d4d9
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/namespace.yaml
@@ -0,0 +1,11 @@
+{{ if and .Values.watchNamespace .Values.createNamespace }}
+{{ range ( split "," .Values.watchNamespace ) }}
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ trim . }}
+ annotations:
+ helm.sh/resource-policy: keep
+---
+{{ end }}
+{{ end }}
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/role-binding.yaml b/charts/percona/psmdb-operator/1.17.1/templates/role-binding.yaml
new file mode 100644
index 000000000..a815869d4
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/role-binding.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "psmdb-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+---
+{{- end }}
+{{- if .Values.rbac.create }}
+{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
+kind: ClusterRoleBinding
+{{- else }}
+kind: RoleBinding
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: service-account-{{ include "psmdb-operator.fullname" . }}
+{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+{{ include "psmdb-operator.labels" . | indent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "psmdb-operator.fullname" . }}
+ {{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+roleRef:
+ {{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
+ kind: ClusterRole
+ {{- else }}
+ kind: Role
+ {{- end }}
+ name: {{ include "psmdb-operator.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/percona/psmdb-operator/1.17.1/templates/role.yaml b/charts/percona/psmdb-operator/1.17.1/templates/role.yaml
new file mode 100644
index 000000000..537c1e86b
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/templates/role.yaml
@@ -0,0 +1,166 @@
+{{- if .Values.rbac.create }}
+{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
+kind: ClusterRole
+{{- else }}
+kind: Role
+{{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "psmdb-operator.fullname" . }}
+{{- if not (or .Values.watchNamespace .Values.watchAllNamespaces) }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+ labels:
+{{ include "psmdb-operator.labels" . | indent 4 }}
+rules:
+ - apiGroups:
+ - psmdb.percona.com
+ resources:
+ - perconaservermongodbs
+ - perconaservermongodbs/status
+ - perconaservermongodbs/finalizers
+ - perconaservermongodbbackups
+ - perconaservermongodbbackups/status
+ - perconaservermongodbbackups/finalizers
+ - perconaservermongodbrestores
+ - perconaservermongodbrestores/status
+ - perconaservermongodbrestores/finalizers
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+{{- if or .Values.watchNamespace .Values.watchAllNamespaces }}
+ - apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/exec
+ - services
+ - persistentvolumeclaims
+ - secrets
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - replicasets
+ - statefulsets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - batch
+ resources:
+ - cronjobs
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - policy
+ resources:
+ - poddisruptionbudgets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - events.k8s.io
+ - ""
+ resources:
+ - events
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - apiGroups:
+ - certmanager.k8s.io
+ - cert-manager.io
+ resources:
+ - issuers
+ - certificates
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - deletecollection
+ - apiGroups:
+ - net.gke.io
+ - multicluster.x-k8s.io
+ resources:
+ - serviceexports
+ - serviceimports
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - deletecollection
+{{- end }}
diff --git a/charts/percona/psmdb-operator/1.17.1/values.yaml b/charts/percona/psmdb-operator/1.17.1/values.yaml
new file mode 100644
index 000000000..5c9a00fb2
--- /dev/null
+++ b/charts/percona/psmdb-operator/1.17.1/values.yaml
@@ -0,0 +1,99 @@
+# Default values for psmdb-operator.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: percona/percona-server-mongodb-operator
+ tag: 1.17.0
+ pullPolicy: IfNotPresent
+
+# disableTelemetry: according to
+# https://docs.percona.com/percona-operator-for-mongodb/telemetry.html
+# this is how you can disable telemetry collection
+# default is false which means telemetry will be collected
+disableTelemetry: false
+
+# set if you want to specify a namespace to watch
+# defaults to `.Release.namespace` if left blank
+# multiple namespaces can be specified and separated by comma
+# watchNamespace:
+# set if you want that watched namespaces are created by helm
+# createNamespace: false
+
+# set if operator should be deployed in cluster wide mode. defaults to false
+watchAllNamespaces: false
+
+# rbac: settings for deployer RBAC creation
+rbac:
+ # rbac.create: if false RBAC resources should be in place
+ create: true
+
+# serviceAccount: settings for Service Accounts used by the deployer
+serviceAccount:
+ # serviceAccount.create: Whether to create the Service Accounts or not
+ create: true
+ # annotations to add to the service account
+ annotations: {}
+
+# annotations to add to the operator deployment
+annotations: {}
+
+# labels to add to the operator deployment
+labels: {}
+
+# annotations to add to the operator pod
+podAnnotations: {}
+ # prometheus.io/scrape: "true"
+ # prometheus.io/port: "8080"
+
+# labels to the operator pod
+podLabels: {}
+
+podSecurityContext: {}
+ # runAsNonRoot: true
+ # runAsUser: 2
+ # runAsGroup: 2
+ # fsGroup: 2
+ # fsGroupChangePolicy: "OnRootMismatch"
+
+securityContext: {}
+ # allowPrivilegeEscalation: false
+ # capabilities:
+ # drop:
+ # - ALL
+ # seccompProfile:
+ # type: RuntimeDefault
+
+# set if you want to use a different operator name
+# defaults to `percona-server-mongodb-operator`
+# operatorName:
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+env:
+ resyncPeriod: 5s
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+logStructured: false
+logLevel: "INFO"
diff --git a/charts/redpanda/redpanda/5.9.9/.helmignore b/charts/redpanda/redpanda/5.9.9/.helmignore
new file mode 100644
index 000000000..d5bb5e6ba
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
diff --git a/charts/redpanda/redpanda/5.9.9/Chart.lock b/charts/redpanda/redpanda/5.9.9/Chart.lock
new file mode 100644
index 000000000..9b0e72b48
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: console
+ repository: https://charts.redpanda.com
+ version: 0.7.30
+- name: connectors
+ repository: https://charts.redpanda.com
+ version: 0.1.13
+digest: sha256:f40126de897d3ec8d707b28408763bfad218f7c688575371f6fa3cb371eb884c
+generated: "2024-10-16T12:27:15.358101+02:00"
diff --git a/charts/redpanda/redpanda/5.9.9/Chart.yaml b/charts/redpanda/redpanda/5.9.9/Chart.yaml
new file mode 100644
index 000000000..8849e517d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/Chart.yaml
@@ -0,0 +1,38 @@
+annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/redpanda:v24.2.7
+ - name: busybox
+ image: busybox:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.10.0)"
+ url: https://helm.sh/docs/intro/install/
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Redpanda
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: redpanda
+apiVersion: v2
+appVersion: v24.2.7
+dependencies:
+- condition: console.enabled
+ name: console
+ repository: https://charts.redpanda.com
+ version: '>=0.5 <1.0'
+- condition: connectors.enabled
+ name: connectors
+ repository: https://charts.redpanda.com
+ version: '>=0.1.2 <1.0'
+description: Redpanda is the real-time engine for modern apps.
+icon: file://assets/icons/redpanda.svg
+kubeVersion: '>=1.21-0'
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: redpanda
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 5.9.9
diff --git a/charts/redpanda/redpanda/5.9.9/LICENSE b/charts/redpanda/redpanda/5.9.9/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/redpanda/redpanda/5.9.9/README.md b/charts/redpanda/redpanda/5.9.9/README.md
new file mode 100644
index 000000000..964be9a6d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/README.md
@@ -0,0 +1,1220 @@
+# Redpanda Helm Chart Specification
+---
+description: Find the default values and descriptions of settings in the Redpanda Helm chart.
+---
+
+  
+
+This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values.
+
+For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/).
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.25.0-0`
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 |
+| https://charts.redpanda.com | console | >=0.5 <1.0 |
+
+## Settings
+
+### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity)
+
+Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+
+**Default:** `{}`
+
+### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging)
+
+Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0.
+
+**Default:**
+
+```
+{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null}
+```
+
+### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize)
+
+Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages.
+
+**Default:** `16777216`
+
+### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled)
+
+Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled.
+
+**Default:** `false`
+
+### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes)
+
+Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`].
+
+**Default:** `nil`
+
+### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals)
+
+List of principals to exclude from auditing, default is null.
+
+**Default:** `nil`
+
+### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics)
+
+List of topics to exclude from auditing, default is null.
+
+**Default:** `nil`
+
+### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener)
+
+Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`.
+
+**Default:** `"internal"`
+
+### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions)
+
+Integer value defining the number of partitions used by a newly created audit topic.
+
+**Default:** `12`
+
+### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs)
+
+In ms, frequency in which per shard audit logs are batched to client for write to audit log.
+
+**Default:** `500`
+
+### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard)
+
+Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard.
+
+**Default:** `1048576`
+
+### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor)
+
+Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null`
+
+**Default:** `nil`
+
+### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth)
+
+Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+
+**Default:**
+
+```
+{"sasl":{"bootstrapUser":{"mechanism":"SCRAM-SHA-256"},"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}}
+```
+
+### [auth.sasl.bootstrapUser](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser)
+
+Details about how to create the bootstrap user for the cluster. The secretKeyRef is optionally specified. If it is specified, the chart will use a password written to that secret when creating the "kubernetes-controller" bootstrap user. If it is unspecified, then the secret will be generated and stored in the secret "releasename"-bootstrap-user, with the key "password".
+
+**Default:**
+
+```
+{"mechanism":"SCRAM-SHA-256"}
+```
+
+### [auth.sasl.bootstrapUser.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.bootstrapUser.mechanism)
+
+The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+
+**Default:** `"SCRAM-SHA-256"`
+
+### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled)
+
+Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`.
+
+**Default:** `false`
+
+### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism)
+
+The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+
+**Default:** `"SCRAM-SHA-512"`
+
+### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef)
+
+A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets).
+
+**Default:** `"redpanda-users"`
+
+### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users)
+
+Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own.
+
+**Default:** `[]`
+
+### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain)
+
+Default Kubernetes cluster domain.
+
+**Default:** `"cluster.local"`
+
+### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels)
+
+Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`.
+
+**Default:** `{}`
+
+### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config)
+
+This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/).
+
+**Default:**
+
+```
+{"cluster":{},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}}
+```
+
+### [config.cluster](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.cluster)
+
+[Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/)
+
+**Default:** `{}`
+
+### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node)
+
+[Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/).
+
+**Default:** `{"crash_loop_limit":5}`
+
+### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit)
+
+Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit
+
+**Default:** `5`
+
+### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable)
+
+Tunable cluster properties. Deprecated: all settings here may be specified via `config.cluster`.
+
+**Default:**
+
+```
+{"compacted_log_segment_size":67108864,"kafka_connection_rate_limit":1000,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912}
+```
+
+### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size).
+
+**Default:** `67108864`
+
+### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit).
+
+**Default:** `1000`
+
+### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max).
+
+**Default:** `268435456`
+
+### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min).
+
+**Default:** `16777216`
+
+### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size)
+
+See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size).
+
+**Default:** `536870912`
+
+### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors)
+
+Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/).
+
+**Default:**
+
+```
+{"deployment":{"create":false},"enabled":false,"test":{"create":false}}
+```
+
+### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console)
+
+Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+
+**Default:**
+
+```
+{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}}
+```
+
+### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise)
+
+Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+
+**Default:**
+
+```
+{"license":"","licenseSecretRef":{}}
+```
+
+### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license)
+
+license (optional).
+
+**Default:** `""`
+
+### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef)
+
+Secret name and key where the license key is stored.
+
+**Default:** `{}`
+
+### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external)
+
+External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/).
+
+**Default:**
+
+```
+{"enabled":true,"service":{"enabled":true},"type":"NodePort"}
+```
+
+### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled)
+
+Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`.
+
+**Default:** `true`
+
+### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service)
+
+Service allows you to manage the creation of an external kubernetes service object
+
+**Default:** `{"enabled":true}`
+
+### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled)
+
+Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service.
+
+**Default:** `true`
+
+### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type)
+
+External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority.
+
+**Default:** `"NodePort"`
+
+### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride)
+
+Override `redpanda.fullname` template.
+
+**Default:** `""`
+
+### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image)
+
+Redpanda Docker image settings.
+
+**Default:**
+
+```
+{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""}
+```
+
+### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy)
+
+The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`.
+
+**Default:** `"IfNotPresent"`
+
+### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository)
+
+Docker repository from which to pull the Redpanda Docker image.
+
+**Default:**
+
+```
+"docker.redpanda.com/redpandadata/redpanda"
+```
+
+### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag)
+
+The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+
+**Default:** `Chart.appVersion`.
+
+### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets)
+
+Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
+
+**Default:** `[]`
+
+### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key)
+
+DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+
+**Default:** `""`
+
+### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref)
+
+DEPRECATED Secret name and secret key where the license key is stored.
+
+**Default:** `{}`
+
+### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners)
+
+Listener settings. Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/).
+
+**Default:**
+
+```
+{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}}
+```
+
+### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin)
+
+Admin API listener (only one).
+
+**Default:**
+
+```
+{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external)
+
+Optional external access settings.
+
+**Default:**
+
+```
+{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}}
+```
+
+### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default)
+
+Name of the external listener.
+
+**Default:**
+
+```
+{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}
+```
+
+### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls)
+
+The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used.
+
+**Default:** `{"cert":"external"}`
+
+### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port)
+
+The port for both internal and external connections to the Admin API.
+
+**Default:** `9644`
+
+### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls)
+
+Optional TLS section (required if global TLS is enabled)
+
+**Default:**
+
+```
+{"cert":"default","requireClientAuth":false}
+```
+
+### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert)
+
+Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).
+
+**Default:** `"default"`
+
+### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth)
+
+If true, the truststore file for this listener is included in the ConfigMap.
+
+**Default:** `false`
+
+### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http)
+
+HTTP API listeners (aka PandaProxy).
+
+**Default:**
+
+```
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka)
+
+Kafka API listeners.
+
+**Default:**
+
+```
+{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts)
+
+If undefined, `listeners.kafka.external.default.port` is used.
+
+**Default:** `[31092]`
+
+### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port)
+
+The port used for external client connections.
+
+**Default:** `9094`
+
+### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port)
+
+The port for internal client connections.
+
+**Default:** `9093`
+
+### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc)
+
+RPC listener (this is never externally accessible).
+
+**Default:**
+
+```
+{"port":33145,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry)
+
+Schema registry listeners.
+
+**Default:**
+
+```
+{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}
+```
+
+### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging)
+
+Log-level settings.
+
+**Default:**
+
+```
+{"logLevel":"info","usageStats":{"enabled":true}}
+```
+
+### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel)
+
+Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`.
+
+**Default:** `"info"`
+
+### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats)
+
+Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting).
+
+**Default:** `{"enabled":true}`
+
+### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring)
+
+Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+
+**Default:**
+
+```
+{"enabled":false,"labels":{},"scrapeInterval":"30s"}
+```
+
+### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride)
+
+Override `redpanda.name` template.
+
+**Default:** `""`
+
+### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector)
+
+Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+
+**Default:** `{}`
+
+### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity)
+
+**Default:** `{}`
+
+### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled)
+
+**Default:** `true`
+
+### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations)
+
+Additional annotations to apply to the Pods of this Job.
+
+**Default:** `{}`
+
+### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels)
+
+Additional labels to apply to the Pods of this Job.
+
+**Default:** `{}`
+
+### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec)
+
+A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+
+**Default:**
+
+```
+{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}}
+```
+
+### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness)
+
+Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/).
+
+**Default:**
+
+```
+{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"}
+```
+
+### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled)
+
+When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`.
+
+**Default:** `false`
+
+### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation)
+
+The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation.
+
+**Default:**
+
+```
+"topology.kubernetes.io/zone"
+```
+
+### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac)
+
+Role Based Access Control.
+
+**Default:**
+
+```
+{"annotations":{},"enabled":false}
+```
+
+### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations)
+
+Annotations to add to the `rbac` resources.
+
+**Default:** `{}`
+
+### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled)
+
+Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles.
+
+**Default:** `false`
+
+### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources)
+
+Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/).
+
+**Default:**
+
+```
+{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}}
+```
+
+### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu)
+
+CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources).
+
+**Default:** `{"cores":1}`
+
+### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores)
+
+Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.
+
+**Default:** `1`
+
+### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory)
+
+Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources).
+
+**Default:**
+
+```
+{"container":{"max":"2.5Gi"}}
+```
+
+### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container)
+
+Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for the Seastar subsystem (reserveMemory) and other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request.
+
+**Default:** `{"max":"2.5Gi"}`
+
+### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max)
+
+Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater.
+
+**Default:** `"2.5Gi"`
+
+### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount)
+
+Service account management.
+
+**Default:**
+
+```
+{"annotations":{},"automountServiceAccountToken":false,"create":false,"name":""}
+```
+
+### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations)
+
+Annotations to add to the service account.
+
+**Default:** `{}`
+
+### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.automountServiceAccountToken)
+
+Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
+
+**Default:** `false`
+
+### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create)
+
+Specifies whether a service account should be created.
+
+**Default:** `false`
+
+### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name)
+
+The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template.
+
+**Default:** `""`
+
+### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags)
+
+Additional flags to pass to redpanda,
+
+**Default:** `[]`
+
+### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels)
+
+Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`.
+
+**Default:** `{}`
+
+### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations)
+
+DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation.
+
+**Default:** `{}`
+
+### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable)
+
+**Default:** `1`
+
+### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes)
+
+**Default:** `""`
+
+### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository)
+
+**Default:** `"busybox"`
+
+### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag)
+
+**Default:** `"latest"`
+
+### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers)
+
+**Default:** `""`
+
+### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled)
+
+**Default:** `false`
+
+### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS)
+
+**Default:** `"xfs"`
+
+### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled)
+
+In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration.
+
+**Default:** `false`
+
+### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request.
+
+**Default:** `{}`
+
+### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold)
+
+**Default:** `3`
+
+### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds)
+
+**Default:** `10`
+
+### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds)
+
+**Default:** `10`
+
+### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector)
+
+Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+
+**Default:** `{}`
+
+### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity)
+
+Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+
+**Default:** `{}`
+
+### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity)
+
+Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults.
+
+**Default:**
+
+```
+{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100}
+```
+
+### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom)
+
+Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+
+**Default:** `{}`
+
+### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey)
+
+The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc.
+
+**Default:** `"kubernetes.io/hostname"`
+
+### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type)
+
+Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+
+**Default:** `"hard"`
+
+### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight)
+
+Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types.
+
+**Default:** `100`
+
+### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations)
+
+Additional annotations to apply to the Pods of the StatefulSet.
+
+**Default:** `{}`
+
+### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels)
+
+Additional labels to apply to the Pods of the StatefulSet.
+
+**Default:** `{}`
+
+### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec)
+
+A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+
+**Default:**
+
+```
+{"containers":[{"env":[],"name":"redpanda","securityContext":{}}],"securityContext":{}}
+```
+
+### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName)
+
+PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+
+**Default:** `""`
+
+### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold)
+
+**Default:** `3`
+
+### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds)
+
+**Default:** `1`
+
+### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds)
+
+**Default:** `10`
+
+### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold)
+
+**Default:** `1`
+
+### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas)
+
+Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)
+
+**Default:** `3`
+
+### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext)
+
+DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext.
+
+**Default:**
+
+```
+{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101}
+```
+
+### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled)
+
+**Default:** `true`
+
+### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts)
+
+**Default:** `""`
+
+### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+
+**Default:** `{}`
+
+### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext)
+
+**Default:** `{}`
+
+### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC)
+
+**Default:** `true`
+
+### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled)
+
+**Default:** `false`
+
+### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress)
+
+**Default:** `":8085"`
+
+### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository)
+
+**Default:**
+
+```
+"docker.redpanda.com/redpandadata/redpanda-operator"
+```
+
+### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag)
+
+**Default:** `"v2.2.5-24.2.7"`
+
+### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress)
+
+**Default:** `":9082"`
+
+### [statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources)
+
+To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+
+**Default:** `{}`
+
+### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0])
+
+**Default:** `"all"`
+
+### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext)
+
+**Default:** `{}`
+
+### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe)
+
+Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+
+**Default:**
+
+```
+{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10}
+```
+
+### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds)
+
+Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination
+
+**Default:** `90`
+
+### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations)
+
+Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+
+**Default:** `[]`
+
+### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew)
+
+**Default:** `1`
+
+### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey)
+
+**Default:**
+
+```
+"topology.kubernetes.io/zone"
+```
+
+### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable)
+
+**Default:** `"ScheduleAnyway"`
+
+### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type)
+
+**Default:** `"RollingUpdate"`
+
+### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage)
+
+Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/).
+
+**Default:**
+
+```
+{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}}
+```
+
+### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath)
+
+Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect.
+
+**Default:** `""`
+
+### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume)
+
+If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used.
+
+**Default:**
+
+```
+{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""}
+```
+
+### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations)
+
+Additional annotations to apply to the created PersistentVolumeClaims.
+
+**Default:** `{}`
+
+### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels)
+
+Additional labels to apply to the created PersistentVolumeClaims.
+
+**Default:** `{}`
+
+### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite)
+
+Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume`
+
+**Default:** `""`
+
+### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass)
+
+To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).
+
+**Default:** `""`
+
+### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config)
+
+Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/).
+
+**Default:**
+
+```
+{"cloud_storage_cache_size":5368709120,"cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false}
+```
+
+### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size)
+
+Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size).
+
+**Default:** `5368709120`
+
+### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read)
+
+Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read).
+
+**Default:** `true`
+
+### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write)
+
+Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write).
+
+**Default:** `true`
+
+### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled)
+
+Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled).
+
+**Default:** `false`
+
+### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath)
+
+Absolute path on the host to store Redpanda's Tiered Storage cache.
+
+**Default:** `""`
+
+### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations)
+
+Additional annotations to apply to the created PersistentVolumeClaims.
+
+**Default:** `{}`
+
+### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels)
+
+Additional labels to apply to the created PersistentVolumeClaims.
+
+**Default:** `{}`
+
+### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass)
+
+To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack).
+
+**Default:** `""`
+
+### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled)
+
+**Default:** `true`
+
+### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls)
+
+TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/).
+
+**Default:**
+
+```
+{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true}
+```
+
+### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs)
+
+List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting.
+
+**Default:**
+
+```
+{"default":{"caEnabled":true},"external":{"caEnabled":true}}
+```
+
+### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default)
+
+This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`.
+
+**Default:** `{"caEnabled":true}`
+
+### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled)
+
+Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates.
+
+**Default:** `true`
+
+### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external)
+
+Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners.
+
+**Default:** `{"caEnabled":true}`
+
+### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled)
+
+Indicates whether or not the Secret holding this certificate includes a `ca.crt` key. When `true`, chart managed clients, such as rpk, will use `ca.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use `ca.crt` as their `truststore_file` for verification of client certificates. When `false`, chart managed clients will use `tls.crt` for certificate verification and listeners with `require_client_auth` and no explicit `truststore` will use the container's CA certificates.
+
+**Default:** `true`
+
+### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled)
+
+Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`.
+
+**Default:** `true`
+
+### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations)
+
+Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+
+**Default:** `[]`
+
+### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning)
+
+Redpanda tuning settings. Each is set to their default values in Redpanda.
+
+**Default:** `{"tune_aio_events":true}`
+
+### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events)
+
+Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/).
+
+**Default:** `true`
+
+## Merging Semantics
+
+The redpanda chart implements a form of object merging that's roughly a
+middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge
+Patch][k8s.smp]. This is done to aid end users in setting or overriding fields
+that are not directly exposed via the chart.
+
+- Directives are not supported.
+- List fields that are merged by a unique key in Kubernetes' SMP (e.g.
+ `containers`, `env`) will be merged in a similar awy.
+- Only fields explicitly allowed by the chart's JSON schema will be merged.
+- Additional containers that are not present in the original value will NOT be added.
+
+[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment
+[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.9/charts/connectors/.helmignore
new file mode 100644
index 000000000..2e271ea0f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/.helmignore
@@ -0,0 +1,29 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
+examples/
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/Chart.yaml
new file mode 100644
index 000000000..0dd2396e5
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/Chart.yaml
@@ -0,0 +1,25 @@
+annotations:
+ artifacthub.io/images: |
+ - name: connectors
+ image: docker.redpanda.com/redpandadata/connectors:v1.0.31
+ - name: rpk
+ image: docker.redpanda.com/redpandadata/redpanda:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.6.0)"
+ url: https://helm.sh/docs/intro/install/
+apiVersion: v2
+appVersion: v1.0.31
+description: Redpanda managed Connectors helm chart
+icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+kubeVersion: ^1.21.0-0
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: connectors
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 0.1.13
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.9/charts/connectors/LICENSE
new file mode 100644
index 000000000..261eeb9e9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.9/charts/connectors/README.md
new file mode 100644
index 000000000..2cb143856
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/README.md
@@ -0,0 +1,574 @@
+# Redpanda Connectors Helm Chart Specification
+---
+description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart.
+---
+
+  
+
+This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values.
+
+For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/).
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `^1.21.0-0`
+
+## Settings
+
+### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth)
+
+Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster.
+
+**Default:**
+
+```
+{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}}
+```
+
+### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism)
+
+The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`.
+
+**Default:** `"scram-sha-512"`
+
+### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef)
+
+A Secret that contains your SASL user password.
+
+**Default:** `""`
+
+### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels)
+
+Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`.
+
+**Default:** `{}`
+
+### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration)
+
+A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script.
+
+**Default:** `""`
+
+### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers)
+
+A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster.
+
+**Default:** `""`
+
+### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite)
+
+If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`.
+
+**Default:** `""`
+
+### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef)
+
+The name of the Secret where the ca.crt file content is located.
+
+**Default:** `""`
+
+### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite)
+
+If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt
+
+**Default:** `""`
+
+### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef)
+
+The name of the secret where client signed certificate is located
+
+**Default:** `""`
+
+### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled)
+
+**Default:** `false`
+
+### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite)
+
+If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key
+
+**Default:** `""`
+
+### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef)
+
+The name of the secret where client private key is located
+
+**Default:** `""`
+
+### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID)
+
+A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other.
+
+**Default:** `"connectors-cluster"`
+
+### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize)
+
+The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput.
+
+**Default:** `131072`
+
+### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS)
+
+The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput.
+
+**Default:** `1`
+
+### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort)
+
+The port on which the Kafka Connect REST API listens. The API is used for administrative tasks.
+
+**Default:** `8083`
+
+### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL)
+
+**Default:** `""`
+
+### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix)
+
+**Default:** `""`
+
+### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix)
+
+**Default:** `""`
+
+### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled)
+
+**Default:** `false`
+
+### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region)
+
+**Default:** `""`
+
+### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote)
+
+Indicates if read and write operations for the respective topics are allowed remotely.
+
+**Default:**
+
+```
+{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}}
+```
+
+### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor)
+
+The number of replicas for each of the internal topics that Kafka Connect uses.
+
+**Default:**
+
+```
+{"config":-1,"offset":-1,"status":-1}
+```
+
+### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config)
+
+Replication factor for the configuration topic.
+
+**Default:** `-1`
+
+### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset)
+
+Replication factor for the offset topic.
+
+**Default:** `-1`
+
+### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status)
+
+Replication factor for the status topic.
+
+**Default:** `-1`
+
+### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config)
+
+The name of the internal topic that Kafka Connect uses to store connector and task configurations.
+
+**Default:**
+
+```
+"_internal_connectors_configs"
+```
+
+### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset)
+
+The name of the internal topic that Kafka Connect uses to store source connector offsets.
+
+**Default:**
+
+```
+"_internal_connectors_offsets"
+```
+
+### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status)
+
+The name of the internal topic that Kafka Connect uses to store connector and task status updates.
+
+**Default:**
+
+```
+"_internal_connectors_status"
+```
+
+### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled)
+
+**Default:** `"false"`
+
+### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources)
+
+Pod resource management.
+
+**Default:**
+
+```
+{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}}
+```
+
+### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize)
+
+Java maximum heap size must not be greater than `container.resources.limits.memory`.
+
+**Default:** `"2G"`
+
+### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext)
+
+Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings.
+
+**Default:**
+
+```
+{"allowPrivilegeEscalation":false}
+```
+
+### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations)
+
+Additional annotations to apply to the Pods of this Deployment.
+
+**Default:** `{}`
+
+### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable)
+
+**Default:** `1`
+
+### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create)
+
+**Default:** `true`
+
+### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv)
+
+Additional environment variables for the Pods.
+
+**Default:** `[]`
+
+### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom)
+
+Configure extra environment variables from Secrets and ConfigMaps.
+
+**Default:** `[]`
+
+### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe)
+
+Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+
+**Default:**
+
+```
+{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}
+```
+
+### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity)
+
+Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
+
+**Default:** `{}`
+
+### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector)
+
+Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+
+**Default:** `{}`
+
+### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity)
+
+Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+
+**Default:** `{}`
+
+### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity)
+
+Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults.
+
+**Default:**
+
+```
+{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100}
+```
+
+### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom)
+
+Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+
+**Default:** `{}`
+
+### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey)
+
+The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc.
+
+**Default:** `"kubernetes.io/hostname"`
+
+### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type)
+
+Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+
+**Default:** `"hard"`
+
+### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight)
+
+Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types.
+
+**Default:** `100`
+
+### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName)
+
+PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+
+**Default:** `""`
+
+### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds)
+
+The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused.
+
+**Default:** `600`
+
+### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold)
+
+**Default:** `2`
+
+### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds)
+
+**Default:** `60`
+
+### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds)
+
+**Default:** `10`
+
+### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold)
+
+**Default:** `3`
+
+### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds)
+
+**Default:** `5`
+
+### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy)
+
+**Default:** `"Always"`
+
+### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit)
+
+The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified.
+
+**Default:** `10`
+
+### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName)
+
+**Default:** `""`
+
+### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup)
+
+**Default:** `101`
+
+### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy)
+
+**Default:** `"OnRootMismatch"`
+
+### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser)
+
+**Default:** `101`
+
+### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type)
+
+**Default:** `"RollingUpdate"`
+
+### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds)
+
+**Default:** `30`
+
+### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations)
+
+Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+
+**Default:** `[]`
+
+### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew)
+
+**Default:** `1`
+
+### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey)
+
+**Default:**
+
+```
+"topology.kubernetes.io/zone"
+```
+
+### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable)
+
+**Default:** `"ScheduleAnyway"`
+
+### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride)
+
+Override `connectors.fullname` template.
+
+**Default:** `""`
+
+### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image)
+
+Redpanda Docker image settings.
+
+**Default:**
+
+```
+{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""}
+```
+
+### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy)
+
+The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`.
+
+**Default:** `"IfNotPresent"`
+
+### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository)
+
+Docker repository from which to pull the Redpanda Docker image.
+
+**Default:**
+
+```
+"docker.redpanda.com/redpandadata/connectors"
+```
+
+### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag)
+
+The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+
+**Default:** `Chart.appVersion`.
+
+### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets)
+
+Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+
+**Default:** `[]`
+
+### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging)
+
+Log-level settings.
+
+**Default:** `{"level":"warn"}`
+
+### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level)
+
+Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`.
+
+**Default:** `"warn"`
+
+### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring)
+
+Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+
+**Default:**
+
+```
+{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"}
+```
+
+### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride)
+
+Override `connectors.name` template.
+
+**Default:** `""`
+
+### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service)
+
+Service management.
+
+**Default:**
+
+```
+{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]}
+```
+
+### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations)
+
+Annotations to add to the Service.
+
+**Default:** `{}`
+
+### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name)
+
+The name of the service to use. If not set, a name is generated using the `connectors.fullname` template.
+
+**Default:** `""`
+
+### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount)
+
+ServiceAccount management.
+
+**Default:**
+
+```
+{"annotations":{},"create":false,"name":""}
+```
+
+### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations)
+
+Annotations to add to the ServiceAccount.
+
+**Default:** `{}`
+
+### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create)
+
+Specifies whether a ServiceAccount should be created.
+
+**Default:** `false`
+
+### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name)
+
+The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template.
+
+**Default:** `""`
+
+### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath)
+
+**Default:** `"/tmp"`
+
+### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name)
+
+**Default:** `"rp-connect-tmp"`
+
+### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium)
+
+**Default:** `"Memory"`
+
+### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit)
+
+**Default:** `"5Mi"`
+
+### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name)
+
+**Default:** `"rp-connect-tmp"`
+
+### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create)
+
+**Default:** `true`
+
+### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations)
+
+Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+
+**Default:** `[]`
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_deployment.go.tpl
new file mode 100644
index 000000000..f785c1ad9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_deployment.go.tpl
@@ -0,0 +1,136 @@
+{{- /* Generated from "deployment.go" */ -}}
+
+{{- define "connectors.Deployment" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.deployment.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $topologySpreadConstraints := (coalesce nil) -}}
+{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}}
+{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}}
+{{- range $_, $port := $values.service.ports -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $podAntiAffinity := (coalesce nil) -}}
+{{- if (ne $values.deployment.podAntiAffinity (coalesce nil)) -}}
+{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}}
+{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}}
+{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}}
+{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}}
+{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}}
+{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) "revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" ($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.env" -}}
+{{- $values := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}}
+{{- if (not (empty $values.connectors.schemaRegistryURL)) -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}}
+{{- end -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}}
+{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}}
+{{- end -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}}
+{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}}
+{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}}
+{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}}
+{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}}
+{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.connectorConfiguration" -}}
+{{- $values := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}}
+{{- if $values.connectors.secretManager.enabled -}}
+{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}}
+{{- end -}}
+{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (join "\n" $lines)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.volumes" -}}
+{{- $values := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $volumes := (coalesce nil) -}}
+{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}}
+{{- end -}}
+{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.volumeMountss" -}}
+{{- $values := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $mounts := (coalesce nil) -}}
+{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}}
+{{- end -}}
+{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.go.tpl
new file mode 100644
index 000000000..49b711538
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.go.tpl
@@ -0,0 +1,131 @@
+{{- /* Generated from "helpers.go" */ -}}
+
+{{- define "connectors.Name" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $name := (default $dot.Chart.Name $values.nameOverride) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.Fullname" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (empty $values.fullnameOverride)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $name := (default $dot.Chart.Name $values.nameOverride) -}}
+{{- if (contains $name $dot.Release.Name) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.FullLabels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.PodLabels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.Chart" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.Semver" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.ServiceAccountName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if $values.serviceAccount.create -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.ServiceName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.Tag" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}}
+{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}}
+{{- if (not (mustRegexMatch $matchString $tag)) -}}
+{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tag) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "connectors.trunc" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.tpl
new file mode 100644
index 000000000..89c888eee
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_helpers.tpl
@@ -0,0 +1,79 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "connectors.name" -}}
+{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "connectors.fullname" }}
+{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+full helm labels + common labels
+*/}}
+{{- define "full.labels" -}}
+{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+pod labels merged with common labels
+*/}}
+{{- define "connectors-pod-labels" -}}
+{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "connectors.chart" -}}
+{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Get the version of redpanda being used as an image
+*/}}
+{{- define "connectors.semver" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "connectors.serviceAccountName" -}}
+{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service to use
+*/}}
+{{- define "connectors.serviceName" -}}
+{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Use AppVersion if image.tag is not set
+*/}}
+{{- define "connectors.tag" -}}
+{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_pod-monitor.go.tpl
new file mode 100644
index 000000000..4e12b2008
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_pod-monitor.go.tpl
@@ -0,0 +1,18 @@
+{{- /* Generated from "podmonitor.go" */ -}}
+
+{{- define "connectors.PodMonitor" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.monitoring.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_service.go.tpl
new file mode 100644
index 000000000..54a7ce8a0
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_service.go.tpl
@@ -0,0 +1,20 @@
+{{- /* Generated from "service.go" */ -}}
+
+{{- define "connectors.Service" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}}
+{{- range $_, $port := $values.service.ports -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_serviceaccount.go.tpl
new file mode 100644
index 000000000..31b5ac2ac
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_serviceaccount.go.tpl
@@ -0,0 +1,18 @@
+{{- /* Generated from "serviceaccount.go" */ -}}
+
+{{- define "connectors.ServiceAccount" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.serviceAccount.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_shims.tpl
new file mode 100644
index 000000000..e3bb40e41
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_shims.tpl
@@ -0,0 +1,289 @@
+{{- /* Generated from "bootstrap.go" */ -}}
+
+{{- define "_shims.typetest" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs $typ $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.typeassertion" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not (typeIs $typ $value)) -}}
+{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $value) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.dicttest" -}}
+{{- $m := (index .a 0) -}}
+{{- $key := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (hasKey $m $key) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (index $m $key) true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.compact" -}}
+{{- $args := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $out := (dict ) -}}
+{{- range $i, $e := $args -}}
+{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $out) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq $ptr (coalesce nil)) -}}
+{{- $_ := (fail "nil dereference") -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.len" -}}
+{{- $m := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq $m (coalesce nil)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (0 | int)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (len $m)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- $def := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne $ptr (coalesce nil)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $def) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Equal" -}}
+{{- $a := (index .a 0) -}}
+{{- $b := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (eq $a $b)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.lookup" -}}
+{{- $apiVersion := (index .a 0) -}}
+{{- $kind := (index .a 1) -}}
+{{- $namespace := (index .a 2) -}}
+{{- $name := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (lookup $apiVersion $kind $namespace $name) -}}
+{{- if (empty $result) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (coalesce nil) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $result true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asnumeric" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asintegral" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.parseResource" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $repr) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (not (typeIs "string" $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}}
+{{- end -}}
+{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}}
+{{- end -}}
+{{- $reprStr := (toString $repr) -}}
+{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}}
+{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_1.T2 -}}
+{{- $scale := ($tmp_tuple_1.T1 | float64) -}}
+{{- if (not $ok) -}}
+{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $numeric $scale)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MustParse" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_2.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_2.T1 | float64) -}}
+{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}}
+{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}}
+{{- $idx := -1 -}}
+{{- range $i, $s := $scales -}}
+{{- if (eq ($s | float64) ($scale | float64)) -}}
+{{- $idx = $i -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (eq $idx -1) -}}
+{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_Value" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_3.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_3.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MilliValue" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_4.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_4.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.render-manifest" -}}
+{{- $tpl := (index . 0) -}}
+{{- $dot := (index . 1) -}}
+{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}}
+{{- if not (typeIs "[]interface {}" $manifests) -}}
+{{- $manifests = (list $manifests) -}}
+{{- end -}}
+{{- range $_, $manifest := $manifests -}}
+{{- if ne $manifest nil }}
+---
+{{toYaml (unset (unset $manifest "status") "creationTimestamp")}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_values.go.tpl
new file mode 100644
index 000000000..9b304d4bf
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/_values.go.tpl
@@ -0,0 +1,15 @@
+{{- /* Generated from "values.go" */ -}}
+
+{{- define "connectors.Auth.SASLEnabled" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $saslEnabled := (not (empty $c.sasl.userName)) -}}
+{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}}
+{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $saslEnabled) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/deployment.yaml
new file mode 100644
index 000000000..ee78b69eb
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/deployment.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "connectors.Deployment" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/pod-monitor.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/pod-monitor.yaml
new file mode 100644
index 000000000..42c145754
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/pod-monitor.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "connectors.PodMonitor" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/service.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/service.yaml
new file mode 100644
index 000000000..0b8825bef
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/service.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "connectors.Service" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/serviceaccount.yaml
new file mode 100644
index 000000000..eda755fb1
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/serviceaccount.yaml
@@ -0,0 +1,17 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "connectors.ServiceAccount" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/tests/01-mm2-values.yaml
new file mode 100644
index 000000000..c369806c8
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/templates/tests/01-mm2-values.yaml
@@ -0,0 +1,176 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- define "curl-options" -}}
+{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}}
+{{- end -}}
+{{- if .Values.test.create -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "connectors.fullname" . }}-mm2-test
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: create-mm2
+ image: docker.redpanda.com/redpandadata/redpanda:latest
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -xe
+
+ trap connectorsState ERR
+
+ connectorsState () {
+ echo check connectors expand status
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status
+ echo check connectors expand info
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info
+ echo check connector configuration
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME
+ echo check connector topics
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics
+ }
+
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors
+
+ SASL_MECHANISM="PLAIN"
+ {{- if .Values.auth.sasl.enabled }}
+ set -e
+ set +x
+
+ IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print)
+ CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then
+ rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM
+ SASL_MECHANISM=$CONNECT_SASL_MECHANISM
+ JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\","
+ JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\","
+ fi
+
+ set -x
+ set +e
+ {{- end }}
+
+ rpk profile create test
+ rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }}
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }}
+ {{- end }}
+
+ {{- if .Values.connectors.brokerTLS.enabled }}
+ CONNECT_TLS_ENABLED=true
+ {{- else }}
+ CONNECT_TLS_ENABLED=false
+ {{- end }}
+ SECURITY_PROTOCOL=PLAINTEXT
+ if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SASL_SSL"
+ elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then
+ SECURITY_PROTOCOL="SASL_PLAINTEXT"
+ elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SSL"
+ fi
+
+ rpk topic list
+ rpk topic create test-topic
+ rpk topic list
+ echo "Test message!" | rpk topic produce test-topic
+
+ CONNECTOR_NAME=mm2-$RANDOM
+ cat << 'EOF' > /tmp/mm2-conf.json
+ {
+ "name": "CONNECTOR_NAME",
+ "config": {
+ "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
+ "topics": "test-topic",
+ "replication.factor": "1",
+ "tasks.max": "1",
+ "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }},
+ "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }},
+ "target.cluster.alias": "test-only",
+ "source.cluster.alias": "source",
+ "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "source->target.enabled": "true",
+ "target->source.enabled": "false",
+ "sync.topic.configs.interval.seconds": "5",
+ "sync.topics.configs.enabled": "true",
+ "source.cluster.ssl.truststore.type": "PEM",
+ "target.cluster.ssl.truststore.type": "PEM",
+ "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }},
+ "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }},
+ JAAS_CONFIG_SOURCE
+ JAAS_CONFIG_TARGET
+ "source.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "target.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "source.cluster.sasl.mechanism": "SASL_MECHANISM",
+ "target.cluster.sasl.mechanism": "SASL_MECHANISM",
+ "offset-syncs.topic.replication.factor": 1
+ }
+ }
+ EOF
+
+ sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json
+ sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json
+ sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json
+ set +x
+ sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json
+ sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json
+ set -x
+
+ curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json
+
+ # The rpk topic consume could fail for the first few times as kafka connect needs
+ # to spawn the task and copy one message from the source topic. To solve this race condition
+ # the retry should be implemented in bash for rpk topic consume or other mechanism that
+ # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added.
+ sleep 30
+
+ rpk topic consume source.test-topic -n 1 | grep "Test message!"
+
+ curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME
+
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors
+
+ rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal
+ volumeMounts:
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ - mountPath: /redpanda-certs
+ name: redpanda-ca
+ {{- end }}
+ {{- toYaml .Values.storage.volumeMounts | nindent 8 }}
+ volumes:
+ {{- if .Values.connectors.brokerTLS.ca.secretRef }}
+ - name: redpanda-ca
+ secret:
+ defaultMode: 0444
+ secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }}
+ {{- end }}
+ {{- toYaml .Values.storage.volume | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.9/charts/connectors/values.yaml
new file mode 100644
index 000000000..f230a84d3
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/connectors/values.yaml
@@ -0,0 +1,311 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains values for variables referenced from yaml files in the templates directory.
+#
+# For further information on Helm templating see the documentation at:
+# https://helm.sh/docs/chart_template_guide/values_files/
+
+#
+# >>> This chart requires Helm version 3.6.0 or greater <<<
+#
+
+# Common settings
+#
+# -- Override `connectors.name` template.
+nameOverride: ""
+# -- Override `connectors.fullname` template.
+fullnameOverride: ""
+# -- Additional labels to add to all Kubernetes objects.
+# For example, `my.k8s.service: redpanda`.
+commonLabels: {}
+# -- Taints to be tolerated by Pods.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+tolerations: []
+
+# -- Redpanda Docker image settings.
+image:
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: docker.redpanda.com/redpandadata/connectors
+ # -- The Redpanda version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+ # @default -- `Chart.appVersion`.
+ tag: ""
+ # -- The imagePullPolicy.
+ # If `image.tag` is 'latest', the default is `Always`.
+ pullPolicy: IfNotPresent
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+
+test:
+ create: true
+
+connectors:
+ # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks.
+ restPort: 8083
+ # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster.
+ bootstrapServers: ""
+ # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers.
+ schemaRegistryURL: ""
+ # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script.
+ additionalConfiguration: ""
+ secretManager:
+ enabled: false
+ region: ""
+ consolePrefix: ""
+ connectorsPrefix: ""
+ # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput.
+ producerBatchSize: 131072
+ # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput.
+ producerLingerMS: 1
+ storage:
+ # -- The number of replicas for each of the internal topics that Kafka Connect uses.
+ replicationFactor:
+ # -- Replication factor for the offset topic.
+ offset: -1
+ # -- Replication factor for the configuration topic.
+ config: -1
+ # -- Replication factor for the status topic.
+ status: -1
+ # -- Indicates if read and write operations for the respective topics are allowed remotely.
+ remote:
+ read:
+ offset: false
+ config: false
+ status: false
+ write:
+ offset: false
+ config: false
+ status: false
+ topic:
+ # -- The name of the internal topic that Kafka Connect uses to store source connector offsets.
+ offset: _internal_connectors_offsets
+ # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations.
+ config: _internal_connectors_configs
+ # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates.
+ status: _internal_connectors_status
+ # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other.
+ groupID: connectors-cluster
+ brokerTLS:
+ enabled: false
+ ca:
+ # -- The name of the Secret where the ca.crt file content is located.
+ secretRef: ""
+ # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the
+ # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`.
+ secretNameOverwrite: ""
+ cert:
+ # -- The name of the secret where client signed certificate is located
+ secretRef: ""
+ # -- If secretRef points to secret where client signed certificate is not under
+ # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt
+ secretNameOverwrite: ""
+ key:
+ # -- The name of the secret where client private key is located
+ secretRef: ""
+ # -- If secretRef points to secret where client private key is not under
+ # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key
+ secretNameOverwrite: ""
+
+# -- Authentication settings.
+# For details,
+# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster.
+auth:
+ sasl:
+ enabled: false
+ # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`.
+ mechanism: scram-sha-512
+ # -- A Secret that contains your SASL user password.
+ secretRef: ""
+ userName: ""
+
+# -- Log-level settings.
+logging:
+ # -- Log level
+ # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`.
+ level: warn
+
+# -- Monitoring.
+# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+monitoring:
+ enabled: false
+ scrapeInterval: 30s
+ labels: {}
+ annotations: {}
+ namespaceSelector:
+ any: true
+
+container:
+ #
+ # -- Security context for the Redpanda Connectors container.
+ # See also `deployment.securityContext` for Pod-level settings.
+ securityContext:
+ allowPrivilegeEscalation: false
+ # -- Pod resource management.
+ resources:
+ request:
+ # Numeric values here are also acceptable.
+ cpu: "1"
+ memory: 2350Mi
+ limits:
+ cpu: "1"
+ memory: 2350Mi
+ # -- Java maximum heap size must not be greater than `container.resources.limits.memory`.
+ javaMaxHeapSize: 2G
+ javaGCLogEnabled: "false"
+
+deployment:
+ # Replicas can be used to scale Deployment
+ # replicas
+
+ create: true
+ # Customize the command to use as the entrypoint of the Deployment.
+ # command: []
+ strategy:
+ type: RollingUpdate
+ schedulerName: ""
+ budget:
+ maxUnavailable: 1
+ # -- Additional annotations to apply to the Pods of this Deployment.
+ annotations: {}
+ # -- Adjust the period for your probes to meet your needs.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+ livenessProbe:
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ initialDelaySeconds: 60
+ failureThreshold: 2
+ periodSeconds: 10
+ successThreshold: 3
+ timeoutSeconds: 5
+
+ # -- Additional environment variables for the Pods.
+ extraEnv: []
+ # - name: RACK_ID
+ # value: "1"
+
+ # -- Configure extra environment variables from Secrets and ConfigMaps.
+ extraEnvFrom: []
+ # - secretRef:
+ # name: my-secret
+ # - configMapRef:
+ # name: my-configmap
+
+ # -- The maximum time in seconds for a deployment to make progress before it is
+ # considered to be failed. The deployment controller will continue to process
+ # failed deployments and a condition with a ProgressDeadlineExceeded reason
+ # will be surfaced in the deployment status. Note that progress will not be
+ # estimated during the time a deployment is paused.
+ progressDeadlineSeconds: 600
+
+ # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer
+ # to distinguish between explicit zero and not specified.
+ revisionHistoryLimit: 10
+
+ # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ podAffinity: {}
+ # -- Node Affinity rules for scheduling Pods of this Deployment.
+ # The suggestion would be to spread Pods according to topology zone.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity).
+ nodeAffinity: {}
+ # -- Anti-affinity rules for scheduling Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ # You may either edit the default settings for anti-affinity rules,
+ # or specify new anti-affinity rules to use instead of the defaults.
+ podAntiAffinity:
+ # -- The `topologyKey` to be used.
+ # Can be used to spread across different nodes, AZs, regions etc.
+ topologyKey: kubernetes.io/hostname
+ # -- Valid anti-affinity types are `soft`, `hard`, or `custom`.
+ # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ type: hard
+ # -- Weight for `soft` anti-affinity rules.
+ # Does not apply for other anti-affinity types.
+ weight: 100
+ # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+ custom: {}
+ # -- Node selection constraints for scheduling Pods of this Deployment.
+ # These constraints override the global `nodeSelector` value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+ nodeSelector: {}
+ # -- PriorityClassName given to Pods of this Deployment.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+ priorityClassName: ""
+ # -- Taints to be tolerated by Pods of this Deployment.
+ # These tolerations override the global tolerations value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+ tolerations: []
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ fsGroupChangePolicy: OnRootMismatch
+ terminationGracePeriodSeconds: 30
+ restartPolicy: Always
+
+storage:
+ volume:
+ - emptyDir:
+ medium: Memory
+ sizeLimit: 5Mi
+ name: rp-connect-tmp
+ volumeMounts:
+ - mountPath: /tmp
+ name: rp-connect-tmp
+
+# -- ServiceAccount management.
+serviceAccount:
+ # -- Specifies whether a ServiceAccount should be created.
+ create: false
+ # -- Annotations to add to the ServiceAccount.
+ annotations: {}
+ # -- The name of the ServiceAccount to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `connectors.fullname` template.
+ name: ""
+
+# -- Service management.
+service:
+ # -- Annotations to add to the Service.
+ annotations: {}
+ # -- The name of the service to use.
+ # If not set, a name is generated using the `connectors.fullname` template.
+ name: ""
+ ports:
+ - name: prometheus
+ port: 9404
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.9/charts/console/.helmignore
new file mode 100644
index 000000000..d5bb5e6ba
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/.helmignore
@@ -0,0 +1,28 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+README.md.gotmpl
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+
+*.go
+testdata/
+ci/
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.9/charts/console/Chart.yaml
new file mode 100644
index 000000000..37a546db9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/Chart.yaml
@@ -0,0 +1,23 @@
+annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/console:v2.7.2
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.6.0)"
+ url: https://helm.sh/docs/intro/install/
+apiVersion: v2
+appVersion: v2.7.2
+description: Helm chart to deploy Redpanda Console.
+icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg
+kubeVersion: '>= 1.25.0-0'
+maintainers:
+- name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+name: console
+sources:
+- https://github.com/redpanda-data/helm-charts
+type: application
+version: 0.7.30
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/README.md b/charts/redpanda/redpanda/5.9.9/charts/console/README.md
new file mode 100644
index 000000000..9fb393273
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/README.md
@@ -0,0 +1,353 @@
+# Redpanda Console Helm Chart Specification
+---
+description: Find the default values and descriptions of settings in the Redpanda Console Helm chart.
+---
+
+  
+
+This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml).
+Each of the settings is listed and described on this page, along with any default values.
+
+The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together.
+For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/).
+For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console).
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
+
+## Source Code
+
+*
+
+## Requirements
+
+Kubernetes: `>= 1.25.0-0`
+
+## Settings
+
+### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity)
+
+**Default:** `{}`
+
+### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations)
+
+Annotations to add to the deployment.
+
+**Default:** `{}`
+
+### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken)
+
+Automount API credentials for the Service Account into the pod.
+
+**Default:** `true`
+
+### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled)
+
+**Default:** `false`
+
+### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas)
+
+**Default:** `100`
+
+### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas)
+
+**Default:** `1`
+
+### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage)
+
+**Default:** `80`
+
+### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels)
+
+**Default:** `{}`
+
+### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create)
+
+**Default:** `true`
+
+### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config)
+
+Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+
+**Default:** `{}`
+
+### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create)
+
+**Default:** `true`
+
+### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise)
+
+Settings for license key, as an alternative to secret.enterprise when a license secret is available
+
+**Default:**
+
+```
+{"licenseSecretRef":{"key":"","name":""}}
+```
+
+### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers)
+
+Add additional containers, such as for oauth2-proxy.
+
+**Default:** `[]`
+
+### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv)
+
+Additional environment variables for the Redpanda Console Deployment.
+
+**Default:** `[]`
+
+### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom)
+
+Additional environment variables for Redpanda Console mapped from Secret or ConfigMap.
+
+**Default:** `[]`
+
+### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts)
+
+Add additional volume mounts, such as for TLS keys.
+
+**Default:** `[]`
+
+### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes)
+
+Add additional volumes, such as for TLS keys.
+
+**Default:** `[]`
+
+### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride)
+
+Override `console.fullname` template.
+
+**Default:** `""`
+
+### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image)
+
+Redpanda Console Docker image settings.
+
+**Default:**
+
+```
+{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""}
+```
+
+### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy)
+
+The imagePullPolicy.
+
+**Default:** `"IfNotPresent"`
+
+### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository)
+
+Docker repository from which to pull the Redpanda Docker image.
+
+**Default:** `"redpandadata/console"`
+
+### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag)
+
+The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags).
+
+**Default:** `Chart.appVersion`
+
+### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets)
+
+Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+
+**Default:** `[]`
+
+### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations)
+
+**Default:** `{}`
+
+### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className)
+
+**Default:** `nil`
+
+### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled)
+
+**Default:** `false`
+
+### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host)
+
+**Default:** `"chart-example.local"`
+
+### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path)
+
+**Default:** `"/"`
+
+### [ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType)
+
+**Default:** `"ImplementationSpecific"`
+
+### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls)
+
+**Default:** `[]`
+
+### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers)
+
+Any initContainers defined should be written here
+
+**Default:** `{"extraInitContainers":""}`
+
+### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers)
+
+Additional set of init containers
+
+**Default:** `""`
+
+### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe)
+
+Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes).
+
+**Default:**
+
+```
+{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1}
+```
+
+### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride)
+
+Override `console.name` template.
+
+**Default:** `""`
+
+### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector)
+
+**Default:** `{}`
+
+### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations)
+
+**Default:** `{}`
+
+### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels)
+
+**Default:** `{}`
+
+### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup)
+
+**Default:** `99`
+
+### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser)
+
+**Default:** `99`
+
+### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName)
+
+PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+
+**Default:** `""`
+
+### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold)
+
+**Default:** `3`
+
+### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds)
+
+Grant time to test connectivity to upstream services such as Kafka and Schema Registry.
+
+**Default:** `10`
+
+### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds)
+
+**Default:** `10`
+
+### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold)
+
+**Default:** `1`
+
+### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds)
+
+**Default:** `1`
+
+### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount)
+
+**Default:** `1`
+
+### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources)
+
+**Default:** `{}`
+
+### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret)
+
+Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets.
+
+**Default:**
+
+```
+{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}}
+```
+
+### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka)
+
+Kafka Secrets.
+
+**Default:** `{}`
+
+### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts)
+
+SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container.
+
+**Default:** `[]`
+
+### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot)
+
+**Default:** `true`
+
+### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations)
+
+**Default:** `{}`
+
+### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port)
+
+**Default:** `8080`
+
+### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort)
+
+Override the value in `console.config.server.listenPort` if not `nil`
+
+**Default:** `nil`
+
+### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type)
+
+**Default:** `"ClusterIP"`
+
+### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations)
+
+Annotations to add to the service account.
+
+**Default:** `{}`
+
+### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken)
+
+Specifies whether a service account should automount API-Credentials
+
+**Default:** `true`
+
+### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create)
+
+Specifies whether a service account should be created.
+
+**Default:** `true`
+
+### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name)
+
+The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template
+
+**Default:** `""`
+
+### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy)
+
+**Default:** `{}`
+
+### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled)
+
+**Default:** `true`
+
+### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations)
+
+**Default:** `[]`
+
+### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints)
+
+**Default:** `[]`
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.9/charts/console/examples/console-enterprise.yaml
new file mode 100644
index 000000000..dc3f29197
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/examples/console-enterprise.yaml
@@ -0,0 +1,94 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+image:
+ tag: master-8fcce39
+
+resources:
+ limits:
+ cpu: 1
+ memory: 2Gi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+
+console:
+ config:
+ kafka:
+ brokers:
+ - bootstrap.mybrokers.com:9092
+ clientId: redpanda-console
+ sasl:
+ enabled: true
+ mechanism: SCRAM-SHA-256
+ username: console
+ # password: set via Helm secret / Env variable
+ tls:
+ enabled: false
+ login:
+ google:
+ enabled: true
+ clientId: redacted.apps.googleusercontent.com
+ # clientSecret: set via Helm secret / Env variable
+ directory:
+ # serviceAccountFilepath: set via Helm secret / Env variable
+ targetPrincipal: admin@mycompany.com
+ enterprise:
+ rbac:
+ enabled: true
+ roleBindingsFilepath: /etc/console/configs/role-bindings.yaml
+ roleBindings:
+ - roleName: viewer
+ metadata:
+ # Metadata properties will be shown in the UI. You can omit it if you want to
+ name: Developers
+ subjects:
+ # You can specify all groups or users from different providers here which shall be bound to the same role
+ - kind: group
+ provider: Google
+ name: engineering@mycompany.com
+ - kind: user
+ provider: Google
+ name: singleuser@mycompany.com
+ - roleName: admin
+ metadata:
+ name: Admin
+ subjects:
+ - kind: user
+ provider: Google
+ name: adminperson@mycompany.com
+
+secret:
+ create: true
+ kafka:
+ saslPassword: "redacted"
+ enterprise:
+ license: "redacted"
+ login:
+ google:
+ clientSecret: "redacted"
+ groupsServiceAccount: |
+ {
+ "type": "service_account",
+ "project_id": "redacted",
+ "private_key_id": "redacted",
+ "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
+ "client_email": "redacted@projectid.iam.gserviceaccount.com",
+ "client_id": "redacted",
+ "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+ "token_uri": "https://oauth2.googleapis.com/token",
+ "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+ "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com"
+ }
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.9/charts/console/templates/NOTES.txt
new file mode 100644
index 000000000..7541881fc
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/NOTES.txt
@@ -0,0 +1,20 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}}
+{{- range $_, $note := $notes }}
+{{ $note }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_chart.go.tpl
new file mode 100644
index 000000000..47f236d6f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_chart.go.tpl
@@ -0,0 +1,13 @@
+{{- /* Generated from "chart.go" */ -}}
+
+{{- define "console.render" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $manifests := (list (get (fromJson (include "console.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Secret" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Service" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Ingress" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $dot) ))) "r") (get (fromJson (include "console.HorizontalPodAutoscaler" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $manifests) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_configmap.go.tpl
new file mode 100644
index 000000000..14673b024
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_configmap.go.tpl
@@ -0,0 +1,25 @@
+{{- /* Generated from "configmap.go" */ -}}
+
+{{- define "console.ConfigMap" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.configmap.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_deployment.go.tpl
new file mode 100644
index 000000000..67aaf598f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_deployment.go.tpl
@@ -0,0 +1,133 @@
+{{- /* Generated from "deployment.go" */ -}}
+
+{{- define "console.ContainerPort" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $listenPort := ((8080 | int) | int) -}}
+{{- if (ne (toJson $values.service.targetPort) "null") -}}
+{{- $listenPort = $values.service.targetPort -}}
+{{- end -}}
+{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}}
+{{- $ok_2 := $tmp_tuple_1.T2 -}}
+{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}}
+{{- if $ok_2 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ($asInt_1 | int)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $listenPort) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.Deployment" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.deployment.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $replicas := (coalesce nil) -}}
+{{- if (not $values.autoscaling.enabled) -}}
+{{- $replicas = ($values.replicaCount | int) -}}
+{{- end -}}
+{{- $initContainers := (coalesce nil) -}}
+{{- if (not (empty $values.initContainers.extraInitContainers)) -}}
+{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}}
+{{- end -}}
+{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}}
+{{- if $values.secret.create -}}
+{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}}
+{{- end -}}
+{{- range $_, $mount := $values.secretMounts -}}
+{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum (toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) "successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.containerImage" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tag := $dot.Chart.AppVersion -}}
+{{- if (not (empty $values.image.tag)) -}}
+{{- $tag = $values.image.tag -}}
+{{- end -}}
+{{- $image := (printf "%s:%s" $values.image.repository $tag) -}}
+{{- if (not (empty $values.image.registry)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $image) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.consoleContainerEnv" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.secret.create) -}}
+{{- $vars := $values.extraEnv -}}
+{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}}
+{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $vars) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.enterprise.license "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}}
+{{- $vars := $values.extraEnv -}}
+{{- range $_, $possible := $possibleVars -}}
+{{- if (not (empty $possible.Value)) -}}
+{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $vars) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.consolePodVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}}
+{{- if $values.secret.create -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}}
+{{- end -}}
+{{- range $_, $mount := $values.secretMounts -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.go.tpl
new file mode 100644
index 000000000..05ad60965
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.go.tpl
@@ -0,0 +1,82 @@
+{{- /* Generated from "helpers.go" */ -}}
+
+{{- define "console.Name" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $name := (default $dot.Chart.Name $values.nameOverride) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.Fullname" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (ne $values.fullnameOverride "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $name := (default $dot.Chart.Name $values.nameOverride) -}}
+{{- if (contains $name $dot.Release.Name) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.ChartLabel" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.Labels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $labels := (dict "helm.sh/chart" (get (fromJson (include "console.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}}
+{{- if (ne $dot.Chart.AppVersion "") -}}
+{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.SelectorLabels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.cleanForK8s" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.tpl
new file mode 100644
index 000000000..ee2ab5d9b
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_helpers.tpl
@@ -0,0 +1,25 @@
+{{/*
+Expand the name of the chart.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.name" -}}
+{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.fullname" -}}
+{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Common labels
+Used by tests/test-connection.yaml
+*/}}
+{{- define "console.labels" -}}
+{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_hpa.go.tpl
new file mode 100644
index 000000000..5c3b33bed
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_hpa.go.tpl
@@ -0,0 +1,25 @@
+{{- /* Generated from "hpa.go" */ -}}
+
+{{- define "console.HorizontalPodAutoscaler" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.autoscaling.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $metrics := (list ) -}}
+{{- if (ne (toJson $values.autoscaling.targetCPUUtilizationPercentage) "null") -}}
+{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}}
+{{- end -}}
+{{- if (ne (toJson $values.autoscaling.targetMemoryUtilizationPercentage) "null") -}}
+{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_ingress.go.tpl
new file mode 100644
index 000000000..0df05e870
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_ingress.go.tpl
@@ -0,0 +1,46 @@
+{{- /* Generated from "ingress.go" */ -}}
+
+{{- define "console.Ingress" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.ingress.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $tls := (coalesce nil) -}}
+{{- range $_, $t := $values.ingress.tls -}}
+{{- $hosts := (coalesce nil) -}}
+{{- range $_, $host := $t.hosts -}}
+{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $rules := (coalesce nil) -}}
+{{- range $_, $host := $values.ingress.hosts -}}
+{{- $paths := (coalesce nil) -}}
+{{- range $_, $path := $host.paths -}}
+{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_notes.go.tpl
new file mode 100644
index 000000000..6b58b21ef
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_notes.go.tpl
@@ -0,0 +1,40 @@
+{{- /* Generated from "notes.go" */ -}}
+
+{{- define "console.Notes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $commands := (list `1. Get the application URL by running these commands:`) -}}
+{{- if $values.ingress.enabled -}}
+{{- $scheme := "http" -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}}
+{{- $scheme = "https" -}}
+{{- end -}}
+{{- range $_, $host := $values.ingress.hosts -}}
+{{- range $_, $path := $host.paths -}}
+{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}}
+{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}}
+{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}}
+{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}}
+{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}}
+{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $commands) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_secret.go.tpl
new file mode 100644
index 000000000..6af16b1c8
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_secret.go.tpl
@@ -0,0 +1,22 @@
+{{- /* Generated from "secret.go" */ -}}
+
+{{- define "console.Secret" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.secret.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $jwtSecret := $values.secret.login.jwtSecret -}}
+{{- if (eq $jwtSecret "") -}}
+{{- $jwtSecret = (randAlphaNum (32 | int)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.license "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_service.go.tpl
new file mode 100644
index 000000000..8fac3d454
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_service.go.tpl
@@ -0,0 +1,20 @@
+{{- /* Generated from "service.go" */ -}}
+
+{{- define "console.Service" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}}
+{{- if (ne (toJson $values.service.targetPort) "null") -}}
+{{- $_ := (set $port "targetPort" $values.service.targetPort) -}}
+{{- end -}}
+{{- if (and (contains "NodePort" (toString $values.service.type)) (ne (toJson $values.service.nodePort) "null")) -}}
+{{- $_ := (set $port "nodePort" $values.service.nodePort) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_serviceaccount.go.tpl
new file mode 100644
index 000000000..5a49ba3fd
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_serviceaccount.go.tpl
@@ -0,0 +1,39 @@
+{{- /* Generated from "serviceaccount.go" */ -}}
+
+{{- define "console.ServiceAccountName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if $values.serviceAccount.create -}}
+{{- if (ne $values.serviceAccount.name "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $values.serviceAccount.name) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "console.ServiceAccount" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.serviceAccount.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_shims.tpl
new file mode 100644
index 000000000..1e6d0425c
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/_shims.tpl
@@ -0,0 +1,289 @@
+{{- /* Generated from "bootstrap.go" */ -}}
+
+{{- define "_shims.typetest" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs $typ $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.typeassertion" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not (typeIs $typ $value)) -}}
+{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $value) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.dicttest" -}}
+{{- $m := (index .a 0) -}}
+{{- $key := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (hasKey $m $key) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (index $m $key) true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.compact" -}}
+{{- $args := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $out := (dict ) -}}
+{{- range $i, $e := $args -}}
+{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $out) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $ptr) "null") -}}
+{{- $_ := (fail "nil dereference") -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.len" -}}
+{{- $m := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $m) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (0 | int)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (len $m)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- $def := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $ptr) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $def) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Equal" -}}
+{{- $a := (index .a 0) -}}
+{{- $b := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (eq $a $b)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.lookup" -}}
+{{- $apiVersion := (index .a 0) -}}
+{{- $kind := (index .a 1) -}}
+{{- $namespace := (index .a 2) -}}
+{{- $name := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (lookup $apiVersion $kind $namespace $name) -}}
+{{- if (empty $result) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (coalesce nil) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $result true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asnumeric" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asintegral" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.parseResource" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $repr) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (not (typeIs "string" $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}}
+{{- end -}}
+{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}}
+{{- end -}}
+{{- $reprStr := (toString $repr) -}}
+{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}}
+{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_1.T2 -}}
+{{- $scale := ($tmp_tuple_1.T1 | float64) -}}
+{{- if (not $ok) -}}
+{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $numeric $scale)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MustParse" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_2.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_2.T1 | float64) -}}
+{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}}
+{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}}
+{{- $idx := -1 -}}
+{{- range $i, $s := $scales -}}
+{{- if (eq ($s | float64) ($scale | float64)) -}}
+{{- $idx = $i -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (eq $idx -1) -}}
+{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_Value" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_3.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_3.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MilliValue" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_4.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_4.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.render-manifest" -}}
+{{- $tpl := (index . 0) -}}
+{{- $dot := (index . 1) -}}
+{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}}
+{{- if not (typeIs "[]interface {}" $manifests) -}}
+{{- $manifests = (list $manifests) -}}
+{{- end -}}
+{{- range $_, $manifest := $manifests -}}
+{{- if ne (toJson $manifest) "null" }}
+---
+{{toYaml (unset (unset $manifest "status") "creationTimestamp")}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.9/charts/console/templates/entry-point.yaml
new file mode 100644
index 000000000..01fb6d68b
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/entry-point.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "console.render" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.9/charts/console/templates/tests/test-connection.yaml
new file mode 100644
index 000000000..de17fb2b1
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/templates/tests/test-connection.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "console.fullname" . }}-test-connection"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- include "console.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+{{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
+ priorityClassName: {{ .Values.priorityClassName }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.9/charts/console/values.schema.json
new file mode 100644
index 000000000..f4f369e98
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/values.schema.json
@@ -0,0 +1,323 @@
+{
+ "$schema": "http://json-schema.org/schema#",
+ "type": "object",
+ "required": [
+ "image"
+ ],
+ "properties": {
+ "affinity": {
+ "type": "object"
+ },
+ "autoscaling": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ }
+ }
+ },
+ "configmap": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ }
+ },
+ "console": {
+ "type": "object"
+ },
+ "deployment": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ }
+ },
+ "extraContainers": {
+ "type": "array"
+ },
+ "extraEnv": {
+ "type": "array"
+ },
+ "extraEnvFrom": {
+ "type": "array"
+ },
+ "extraVolumeMounts": {
+ "type": "array"
+ },
+ "extraVolumes": {
+ "type": "array"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "image": {
+ "type": "object",
+ "required": [
+ "repository"
+ ],
+ "properties": {
+ "pullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string",
+ "minLength": 1
+ },
+ "tag": {
+ "type": "string"
+ }
+ }
+ },
+ "imagePullSecrets": {
+ "type": "array"
+ },
+ "ingress": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "className": {
+ "type": ["string", "null"]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "hosts": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "paths": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "pathType": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "tls": {
+ "type": "array"
+ }
+ }
+ },
+ "livenessProbe": {
+ "type": "object",
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ }
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "type": "object"
+ },
+ "annotations": {
+ "type": "object"
+ },
+ "podAnnotations": {
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "type": "object",
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "runAsUser": {
+ "type": "integer"
+ }
+ }
+ },
+ "readinessProbe": {
+ "type": "object",
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ }
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "secret": {
+ "type": "object",
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "enterprise": {
+ "type": "object"
+ },
+ "kafka": {
+ "type": "object"
+ },
+ "login": {
+ "type": "object",
+ "properties": {
+ "jwtSecret": {
+ "type": "string"
+ },
+ "github": {
+ "type": "object"
+ },
+ "google": {
+ "type": "object"
+ },
+ "oidc": {
+ "type": "object"
+ },
+ "okta": {
+ "type": "object"
+ }
+ }
+ },
+ "redpanda": {
+ "type": "object",
+ "properties": {
+ "adminApi": {
+ "type": "object"
+ }
+ }
+ }
+ }
+ },
+ "secretMounts": {
+ "type": "array"
+ },
+ "securityContext": {
+ "type": "object",
+ "properties": {
+ "runAsNonRoot": {
+ "type": "boolean"
+ }
+ }
+ },
+ "service": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "targetPort": {
+ "anyOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "type": {
+ "type": "string"
+ }
+ }
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "serviceAccount": {
+ "type": "object",
+ "properties": {
+ "annotations": {
+ "type": "object"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ }
+ }
+ },
+ "tolerations": {
+ "type": "array"
+ },
+ "initContainers": {
+ "type": "object",
+ "properties": {
+ "extraInitContainers": {
+ "type": "string"
+ }
+ }
+ },
+ "strategy": {
+ "type": "object"
+ },
+ "tests": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+}
diff --git a/charts/redpanda/redpanda/5.9.9/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.9/charts/console/values.yaml
new file mode 100644
index 000000000..4825fc487
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/charts/console/values.yaml
@@ -0,0 +1,279 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Default values for console.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+# -- Redpanda Console Docker image settings.
+image:
+ registry: docker.redpanda.com
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: redpandadata/console
+ # -- The imagePullPolicy.
+ pullPolicy: IfNotPresent
+ # -- The Redpanda Console version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags).
+ # @default -- `Chart.appVersion`
+ tag: ""
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+
+# -- Override `console.name` template.
+nameOverride: ""
+# -- Override `console.fullname` template.
+fullnameOverride: ""
+
+# -- Automount API credentials for the Service Account into the pod.
+automountServiceAccountToken: true
+
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: true
+ # -- Specifies whether a service account should automount API-Credentials
+ automountServiceAccountToken: true
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `console.fullname` template
+ name: ""
+
+# Common labels to add to all the pods
+commonLabels: {}
+
+# -- Annotations to add to the deployment.
+annotations: {}
+
+podAnnotations: {}
+
+podLabels: {}
+
+podSecurityContext:
+ runAsUser: 99
+ fsGroup: 99
+
+securityContext:
+ runAsNonRoot: true
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 8080
+ # nodePort: 30001
+ # -- Override the value in `console.config.server.listenPort` if not `nil`
+ targetPort:
+ annotations: {}
+
+ingress:
+ enabled: false
+ className:
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as minikube. If you want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+topologySpreadConstraints: []
+
+# -- PriorityClassName given to Pods.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+priorityClassName: ""
+
+console:
+ # -- Settings for the `Config.yaml` (required).
+ # For a reference of configuration settings,
+ # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+ config: {}
+ # roles:
+ # roleBindings:
+
+# -- Additional environment variables for the Redpanda Console Deployment.
+extraEnv: []
+ # - name: KAFKA_RACKID
+ # value: "1"
+
+# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap.
+extraEnvFrom: []
+# - secretRef:
+# name: kowl-config-secret
+
+# -- Add additional volumes, such as for TLS keys.
+extraVolumes: []
+# - name: kafka-certs
+# secret:
+# secretName: kafka-certs
+# - name: config
+# configMap:
+# name: console-config
+
+# -- Add additional volume mounts, such as for TLS keys.
+extraVolumeMounts: []
+# - name: kafka-certs # Must match the volume name
+# mountPath: /etc/kafka/certs
+# readOnly: true
+
+# -- Add additional containers, such as for oauth2-proxy.
+extraContainers: []
+
+# -- Any initContainers defined should be written here
+initContainers:
+ # -- Additional set of init containers
+ extraInitContainers: |-
+# - name: "test-init-container"
+# image: "mintel/docker-alpine-bash-curl-jq:latest"
+# command: [ "/bin/bash", "-c" ]
+# args:
+# - |
+# set -xe
+# echo "Hello World!"
+
+# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem.
+# Under the hood it creates a volume and a volume mount for the Redpanda Console container.
+secretMounts: []
+# - name: kafka-certs
+# secretName: kafka-certs
+# path: /etc/console/certs
+# defaultMode: 0755
+
+# -- Create a new Kubernetes Secret for all sensitive configuration inputs.
+# Each provided Secret is mounted automatically and made available to the
+# Pod.
+# If you want to use one or more existing Secrets,
+# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets.
+secret:
+ create: true
+
+ # Secret values in case you want the chart to create a Secret. All Certificates are mounted
+ # as files and the path to those files are configured through environment variables so
+ # that Console can automatically pick them up.
+ # -- Kafka Secrets.
+ kafka: {}
+ # saslPassword:
+ # awsMskIamSecretKey:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+ # tlsPassphrase:
+ # schemaRegistryPassword:
+ # schemaRegistryTlsCa:
+ # schemaRegistryTlsCert:
+ # schemaRegistryTlsKey:
+ # protobufGitBasicAuthPassword
+ # Enterprise version secrets
+ # - SSO secrets (Enterprise version).
+ login:
+ # Configurable JWT value
+ jwtSecret: ""
+ google: {}
+ # clientSecret:
+ # groupsServiceAccount:
+ github: {}
+ # clientSecret:
+ # personalAccessToken:
+ okta: {}
+ # clientSecret:
+ # directoryApiToken:
+ oidc: {}
+ # clientSecret:
+
+ enterprise: {}
+ # license:
+
+ redpanda:
+ adminApi: {}
+ # password:
+ # tlsCa:
+ # tlsCert:
+ # tlsKey:
+
+# -- Settings for license key, as an alternative to secret.enterprise when
+# a license secret is available
+enterprise:
+ licenseSecretRef:
+ name: ""
+ key: ""
+
+# -- Settings for liveness and readiness probes.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes).
+livenessProbe:
+ # initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+readinessProbe:
+ # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry.
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 1
+ successThreshold: 1
+ failureThreshold: 3
+
+configmap:
+ create: true
+deployment:
+ create: true
+
+strategy: {}
+
+tests:
+ enabled: true
diff --git a/charts/redpanda/redpanda/5.9.9/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.9/templates/NOTES.txt
new file mode 100644
index 000000000..6992f8e36
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/NOTES.txt
@@ -0,0 +1,26 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $warning := $warnings }}
+{{ $warning }}
+{{- end }}
+
+{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }}
+{{- range $_, $note := $notes }}
+{{ $note }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_cert-issuers.go.tpl
new file mode 100644
index 000000000..acfd4c46c
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_cert-issuers.go.tpl
@@ -0,0 +1,57 @@
+{{- /* Generated from "cert_issuers.go" */ -}}
+
+{{- define "redpanda.CertIssuers" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}}
+{{- $issuers := $tmp_tuple_1.T1 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $issuers) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RootCAs" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}}
+{{- $cas := $tmp_tuple_2.T2 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $cas) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.certIssuersAndCAs" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $issuers := (coalesce nil) -}}
+{{- $certs := (coalesce nil) -}}
+{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $issuers $certs)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $data := $values.tls.certs -}}
+{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- if (eq (toJson $data.issuerRef) "null") -}}
+{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}}
+{{- end -}}
+{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}}
+{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list (default "43800h" $data.duration)) ))) "r")) ))) "r") "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $issuers $certs)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_certs.go.tpl
new file mode 100644
index 000000000..2d8937ceb
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_certs.go.tpl
@@ -0,0 +1,71 @@
+{{- /* Generated from "certs.go" */ -}}
+
+{{- define "redpanda.ClientCerts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}}
+{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}}
+{{- $ns := $dot.Release.Namespace -}}
+{{- $domain := (trimSuffix "." $values.clusterDomain) -}}
+{{- $certs := (coalesce nil) -}}
+{{- range $name, $data := $values.tls.certs -}}
+{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- $names := (coalesce nil) -}}
+{{- if (or (eq (toJson $data.issuerRef) "null") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}}
+{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}}
+{{- end -}}
+{{- if (ne (toJson $values.external.domain) "null") -}}
+{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}}
+{{- $names = (concat (default (list ) $names) (list (tpl (printf "*.%s" $values.external.domain) $dot))) -}}
+{{- end -}}
+{{- $duration := (default "43800h" $data.duration) -}}
+{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}}
+{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $name := $values.listeners.kafka.tls.cert -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_1.T2 -}}
+{{- $data := $tmp_tuple_1.T1 -}}
+{{- if (not $ok) -}}
+{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}}
+{{- end -}}
+{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $certs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}}
+{{- if (ne (toJson $data.issuerRef) "null") -}}
+{{- $issuerRef = $data.issuerRef -}}
+{{- $_ := (set $issuerRef "group" "cert-manager.io") -}}
+{{- end -}}
+{{- $duration := (default "43800h" $data.duration) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" (get (fromJson (include "_shims.time_Duration_String" (dict "a" (list (get (fromJson (include "_shims.time_ParseDuration" (dict "a" (list $duration) ))) "r")) ))) "r") "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_chart.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_chart.go.tpl
new file mode 100644
index 000000000..46f6423e1
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_chart.go.tpl
@@ -0,0 +1,62 @@
+{{- /* Generated from "chart.go" */ -}}
+
+{{- define "redpanda.render" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $manifests := (list (get (fromJson (include "redpanda.NodePortService" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PodDisruptionBudget" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceAccount" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceInternal" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.ServiceMonitor" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRole" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.SidecarControllersRoleBinding" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.StatefulSet" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.PostInstallUpgradeJob" (dict "a" (list $dot) ))) "r")) -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.ConfigMaps" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.CertIssuers" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.RootCAs" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.ClientCerts" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoleBindings" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.ClusterRoles" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.LoadBalancerServices" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $obj := (get (fromJson (include "redpanda.Secrets" (dict "a" (list $dot) ))) "r") -}}
+{{- $manifests = (concat (default (list ) $manifests) (list $obj)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $manifests = (concat (default (list ) $manifests) (default (list ) (get (fromJson (include "redpanda.consoleChartIntegration" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $manifests) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_configmap.go.tpl
new file mode 100644
index 000000000..5425d6e8e
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_configmap.go.tpl
@@ -0,0 +1,504 @@
+{{- /* Generated from "configmap.tpl.go" */ -}}
+
+{{- define "redpanda.ConfigMaps" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $cms) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaConfigMap" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot true) ))) "r") ) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapFile" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster) ))) "r")) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}}
+{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TieredStorageConfig.Translate" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) $values.storage.tiered.credentialsSecretRef) ))) "r")) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_1 := $tmp_tuple_1.T2 -}}
+{{- if (and (not $ok_1) (ge ($values.statefulset.replicas | int) (3 | int))) -}}
+{{- $_ := (set $bootstrap "default_topic_replications" (3 | int)) -}}
+{{- end -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_2 := $tmp_tuple_2.T2 -}}
+{{- if (not $ok_2) -}}
+{{- $_ := (set $bootstrap "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (toYaml $bootstrap)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaConfigFile" -}}
+{{- $dot := (index .a 0) -}}
+{{- $includeSeedServer := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $redpanda := (dict "empty_seed_starts_cluster" false ) -}}
+{{- if $includeSeedServer -}}
+{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}}
+{{- end -}}
+{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}}
+{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}}
+{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkNodeConfig" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}}
+{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) -}}
+{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RPKProfile" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.external.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpkProfile" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $brokerList := (list ) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}}
+{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $adminAdvertisedList := (list ) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}}
+{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $kafkaTLS := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_3 := $tmp_tuple_3.T2 -}}
+{{- if $ok_3 -}}
+{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}}
+{{- end -}}
+{{- $adminTLS := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "ca_file" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_4 := $tmp_tuple_4.T2 -}}
+{{- if $ok_4 -}}
+{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}}
+{{- end -}}
+{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $ka "tls" $kafkaTLS) -}}
+{{- end -}}
+{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $aa "tls" $adminTLS) -}}
+{{- end -}}
+{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa ) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.advertisedKafkaPort" -}}
+{{- $dot := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}}
+{{- $listener := (index $values.listeners.kafka.external $externalKafkaListenerName) -}}
+{{- $port := (($values.listeners.kafka.port | int) | int) -}}
+{{- if (gt (($listener.port | int) | int) ((1 | int) | int)) -}}
+{{- $port = (($listener.port | int) | int) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = ((index $listener.advertisedPorts $i) | int) -}}
+{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $port) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.advertisedAdminPort" -}}
+{{- $dot := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $keys := (keys $values.listeners.admin.external) -}}
+{{- $_ := (sortAlpha $keys) -}}
+{{- $externalAdminListenerName := (first $keys) -}}
+{{- $listener := (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) -}}
+{{- $port := (($values.listeners.admin.port | int) | int) -}}
+{{- if (gt (($listener.port | int) | int) (1 | int)) -}}
+{{- $port = (($listener.port | int) | int) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = ((index $listener.advertisedPorts $i) | int) -}}
+{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $port) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.advertisedHost" -}}
+{{- $dot := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $address := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}}
+{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}}
+{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}}
+{{- end -}}
+{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $address) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}}
+{{- $address = (index $values.external.addresses (0 | int)) -}}
+{{- else -}}
+{{- $address = (index $values.external.addresses $i) -}}
+{{- end -}}
+{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}}
+{{- $address = (printf "%s.%s" $address $values.external.domain) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $address) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.getFirstExternalKafkaListener" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $keys := (keys $values.listeners.kafka.external) -}}
+{{- $_ := (sortAlpha $keys) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BrokerList" -}}
+{{- $dot := (index .a 0) -}}
+{{- $replicas := (index .a 1) -}}
+{{- $port := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $bl := (coalesce nil) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}}
+{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $bl) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpkNodeConfig" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}}
+{{- $adminTLS := (coalesce nil) -}}
+{{- $tls_5 := (get (fromJson (include "redpanda.rpkAdminAPIClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_5) ))) "r") | int) (0 | int)) -}}
+{{- $adminTLS = $tls_5 -}}
+{{- end -}}
+{{- $brokerTLS := (coalesce nil) -}}
+{{- $tls_6 := (get (fromJson (include "redpanda.rpkKafkaClientTLSConfiguration" (dict "a" (list $dot) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_6) ))) "r") | int) (0 | int)) -}}
+{{- $brokerTLS = $tls_6 -}}
+{{- end -}}
+{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) ) -}}
+{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}}
+{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpkKafkaClientTLSConfiguration" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tls := $values.listeners.kafka.tls -}}
+{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}}
+{{- if $tls.requireClientAuth -}}
+{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpkAdminAPIClientTLSConfiguration" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tls := $values.listeners.admin.tls -}}
+{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tls $values.tls) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $result := (dict "ca_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $tls $values.tls) ))) "r") ) -}}
+{{- if $tls.requireClientAuth -}}
+{{- $_ := (set $result "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $result "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.kafkaClient" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $brokerList := (list ) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}}
+{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $kafkaTLS := $values.listeners.kafka.tls -}}
+{{- $brokerTLS := (coalesce nil) -}}
+{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}}
+{{- $brokerTLS = (dict "enabled" true "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}}
+{{- if $kafkaTLS.requireClientAuth -}}
+{{- $_ := (set $brokerTLS "cert_file" (printf "%s/%s-client/tls.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $_ := (set $brokerTLS "key_file" (printf "%s/%s-client/tls.key" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}}
+{{- end -}}
+{{- end -}}
+{{- $cfg := (dict "brokers" $brokerList ) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $cfg) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.configureListeners" -}}
+{{- $redpanda := (index .a 0) -}}
+{{- $dot := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}}
+{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}}
+{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}}
+{{- $tls_7 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $redpanda "admin_api_tls" $tls_7) -}}
+{{- end -}}
+{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}}
+{{- $tls_8 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $redpanda "kafka_api_tls" $tls_8) -}}
+{{- end -}}
+{{- $tls_9 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $redpanda "rpc_server_tls" $tls_9) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.pandaProxyListener" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $pandaProxy := (dict ) -}}
+{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}}
+{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}}
+{{- $tls_10 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_10) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $pandaProxy) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.schemaRegistry" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $schemaReg := (dict ) -}}
+{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}}
+{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}}
+{{- $tls_11 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_11) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $schemaReg) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpcListenersTLS" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $r := $values.listeners.rpc -}}
+{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq (toJson $r.tls.enabled) "null") $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}}
+{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}}
+{{- end -}}
+{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $certName := $r.tls.cert -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpcListeners" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.createInternalListenerTLSCfg" -}}
+{{- $tls := (index .a 0) -}}
+{{- $internal := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $internal.cert) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.createInternalListenerCfg" -}}
+{{- $port := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAdditionalStartFlags" -}}
+{{- $dot := (index .a 0) -}}
+{{- $smp := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}}
+{{- if (eq (index $values.config.node "developer_mode") true) -}}
+{{- $_ := (unset $chartFlags "reserve-memory") -}}
+{{- end -}}
+{{- range $flag, $_ := $chartFlags -}}
+{{- range $_, $userFlag := $values.statefulset.additionalRedpandaCmdFlags -}}
+{{- if (regexMatch (printf "^--%s" $flag) $userFlag) -}}
+{{- $_ := (unset $chartFlags $flag) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $keys := (keys $chartFlags) -}}
+{{- $_ := (sortAlpha $keys) -}}
+{{- $flags := (list ) -}}
+{{- range $_, $key := $keys -}}
+{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (index $chartFlags $key)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_console.go.tpl
new file mode 100644
index 000000000..c158b4ef9
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_console.go.tpl
@@ -0,0 +1,178 @@
+{{- /* Generated from "console.tpl.go" */ -}}
+
+{{- define "redpanda.consoleChartIntegration" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.enabled true) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $consoleDot := (index $dot.Subcharts "console") -}}
+{{- $loadedValues := $consoleDot.Values -}}
+{{- $consoleValue := $consoleDot.Values -}}
+{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}}
+{{- if (and (ne $license_1 "") (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.secret.create false) ))) "r"))) -}}
+{{- $_ := (set $consoleValue.secret "create" true) -}}
+{{- $_ := (set $consoleValue.secret "enterprise" (mustMergeOverwrite (dict ) (dict "license" $license_1 ))) -}}
+{{- end -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.configmap.create false) ))) "r")) -}}
+{{- $_ := (set $consoleValue.configmap "create" true) -}}
+{{- $_ := (set $consoleValue.console "config" (get (fromJson (include "redpanda.ConsoleConfig" (dict "a" (list $dot) ))) "r")) -}}
+{{- end -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.console.deployment.create false) ))) "r")) -}}
+{{- $_ := (set $consoleValue.deployment "create" true) -}}
+{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}}
+{{- $command := (list "sh" "-c" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" (printf "%s%s" "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print));" (printf " KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s};" (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) " export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;") " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;") " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;") " export REDPANDA_ADMINAPI_USERNAME=$KAFKA_SASL_USERNAME;") " export REDPANDA_ADMINAPI_PASSWORD=$KAFKA_SASL_PASSWORD;") " /app/console $@") " --") -}}
+{{- $_ := (set $consoleValue.deployment "command" $command) -}}
+{{- end -}}
+{{- $secret_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $secret_2) "null") -}}
+{{- $_ := (set $consoleValue "enterprise" (mustMergeOverwrite (dict "licenseSecretRef" (dict "name" "" "key" "" ) ) (dict "licenseSecretRef" (mustMergeOverwrite (dict "name" "" "key" "" ) (dict "name" $secret_2.name "key" $secret_2.key )) ))) -}}
+{{- end -}}
+{{- $_ := (set $consoleValue "extraVolumes" (get (fromJson (include "redpanda.consoleTLSVolumes" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_ := (set $consoleValue "extraVolumeMounts" (get (fromJson (include "redpanda.consoleTLSVolumesMounts" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_ := (set $consoleDot "Values" $consoleValue) -}}
+{{- $cfg := (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") -}}
+{{- if (eq (toJson $consoleValue.podAnnotations) "null") -}}
+{{- $_ := (set $consoleValue "podAnnotations" (dict )) -}}
+{{- end -}}
+{{- $_ := (set $consoleValue.podAnnotations "checksum-redpanda-chart/config" (sha256sum (toYaml $cfg))) -}}
+{{- end -}}
+{{- $_ := (set $consoleDot "Values" $consoleValue) -}}
+{{- $manifests := (list (get (fromJson (include "console.Secret" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.ConfigMap" (dict "a" (list $consoleDot) ))) "r") (get (fromJson (include "console.Deployment" (dict "a" (list $consoleDot) ))) "r")) -}}
+{{- $_ := (set $consoleDot "Values" $loadedValues) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $manifests) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.consoleTLSVolumesMounts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $mounts := (list ) -}}
+{{- $sasl_3 := $values.auth.sasl -}}
+{{- if (and $sasl_3.enabled (ne $sasl_3.secretRef "")) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/mnt/users" "readOnly" true )))) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}}
+{{- end -}}
+{{- $visitedCert := (dict ) -}}
+{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $visited := $tmp_tuple_1.T2 -}}
+{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}}
+{{- continue -}}
+{{- end -}}
+{{- $_ := (set $visitedCert $tlsCfg.cert true) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) "mountPath" (printf "%s/%s" "/etc/tls/certs" $tlsCfg.cert) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.console.extraVolumeMounts))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.consoleTLSVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $volumes := (list ) -}}
+{{- $sasl_4 := $values.auth.sasl -}}
+{{- if (and $sasl_4.enabled (ne $sasl_4.secretRef "")) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $values.auth.sasl.secretRef )) )) (dict "name" (printf "%s-users" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}}
+{{- end -}}
+{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}}
+{{- if (ne (toJson $vol_5) "null") -}}
+{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}}
+{{- end -}}
+{{- $visitedCert := (dict ) -}}
+{{- range $_, $tlsCfg := (list $values.listeners.kafka.tls $values.listeners.schemaRegistry.tls $values.listeners.admin.tls) -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $visitedCert $tlsCfg.cert (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $visited := $tmp_tuple_2.T2 -}}
+{{- if (or (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $tlsCfg $values.tls) ))) "r")) $visited) -}}
+{{- continue -}}
+{{- end -}}
+{{- $_ := (set $visitedCert $tlsCfg.cert true) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o420 | int) "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $tlsCfg.cert (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $tlsCfg.cert) ))) "r")) ))) "r") )) )) (dict "name" (printf "redpanda-%s-cert" $tlsCfg.cert) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.console.extraVolumes))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ConsoleConfig" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $schemaURLs := (coalesce nil) -}}
+{{- if $values.listeners.schemaRegistry.enabled -}}
+{{- $schema := "http" -}}
+{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}}
+{{- $schema = "https" -}}
+{{- end -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}}
+{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $schema := "http" -}}
+{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}}
+{{- $schema = "https" -}}
+{{- end -}}
+{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsoleTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}}
+{{- if $values.connectors.enabled -}}
+{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_3.T2 -}}
+{{- $p := ($tmp_tuple_3.T1 | int) -}}
+{{- if (not $ok) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $c) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.ConnectorsFullName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) $p) -}}
+{{- $_ := (set $c "connect" (mustMergeOverwrite (dict "enabled" false "clusters" (coalesce nil) "connectTimeout" 0 "readTimeout" 0 "requestTimeout" 0 ) (dict "enabled" $values.connectors.enabled "clusters" (list (mustMergeOverwrite (dict "name" "" "url" "" "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" ) (dict "name" "connectors" "url" $connectorsURL "tls" (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false )) "username" "" "password" "" "token" "" ))) ))) -}}
+{{- end -}}
+{{- if (eq (toJson $values.console.console) "null") -}}
+{{- $_ := (set $values.console "console" (mustMergeOverwrite (dict ) (dict "config" (dict ) ))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ConnectorsFullName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (ne (dig "connectors" "connectors" "fullnameOverwrite" "" $dot.Values.AsMap) "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.connectors.connectors.fullnameOverwrite) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s-connectors" $dot.Release.Name)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.9/templates/_example-commands.tpl
new file mode 100644
index 000000000..9a5c695e3
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_example-commands.tpl
@@ -0,0 +1,58 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+
+{{/*
+Any rpk command that's given to the user in NOTES.txt must be defined in this template file
+and tested in a test.
+*/}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-user-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-acl-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-cluster-info" -}}
+{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-create" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-describe" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
+
+{{/* tested in tests/test-kafka-sasl-status.yaml */}}
+{{- define "rpk-topic-delete" -}}
+{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }}
+{{- $cmd }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_helpers.go.tpl
new file mode 100644
index 000000000..f7501789f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_helpers.go.tpl
@@ -0,0 +1,570 @@
+{{- /* Generated from "helpers.go" */ -}}
+
+{{- define "redpanda.ChartLabel" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Name" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r")) ))) "r") -}}
+{{- $ok_2 := $tmp_tuple_1.T2 -}}
+{{- $override_1 := $tmp_tuple_1.T1 -}}
+{{- if (and $ok_2 (ne $override_1 "")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Fullname" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r")) ))) "r") -}}
+{{- $ok_4 := $tmp_tuple_2.T2 -}}
+{{- $override_3 := $tmp_tuple_2.T1 -}}
+{{- if (and $ok_4 (ne $override_3 "")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.FullLabels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $labels := (dict ) -}}
+{{- if (ne (toJson $values.commonLabels) "null") -}}
+{{- $labels = $values.commonLabels -}}
+{{- end -}}
+{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.ChartLabel" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ServiceAccountName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $serviceAccount := $values.serviceAccount -}}
+{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $serviceAccount.name) | toJson -}}
+{{- break -}}
+{{- else -}}{{- if $serviceAccount.create -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}}
+{{- break -}}
+{{- else -}}{{- if (ne $serviceAccount.name "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $serviceAccount.name) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "default") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Tag" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tag := (toString $values.image.tag) -}}
+{{- if (eq $tag "") -}}
+{{- $tag = $dot.Chart.AppVersion -}}
+{{- end -}}
+{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}}
+{{- if (not (regexMatch $pattern $tag)) -}}
+{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tag) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ServiceName" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (and (ne (toJson $values.service) "null") (ne (toJson $values.service.name) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.InternalDomain" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}}
+{{- $ns := $dot.Release.Namespace -}}
+{{- $domain := (trimSuffix "." $values.clusterDomain) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s.%s.svc.%s." $service $ns $domain)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TLSEnabled" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if $values.tls.enabled -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}}
+{{- range $_, $listener := $listeners -}}
+{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}}
+{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}}
+{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}}
+{{- if (empty $external) -}}
+{{- continue -}}
+{{- end -}}
+{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}}
+{{- range $_, $key := $keys -}}
+{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}}
+{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}}
+{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}}
+{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" false) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ClientAuthRequired" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}}
+{{- range $_, $listener := $listeners -}}
+{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}}
+{{- if (not (empty $required)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" false) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.DefaultMounts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.CommonMounts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $mounts := (list ) -}}
+{{- $sasl_5 := $values.auth.sasl -}}
+{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}}
+{{- end -}}
+{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}}
+{{- $certNames := (keys $values.tls.certs) -}}
+{{- $_ := (sortAlpha $certNames) -}}
+{{- range $_, $name := $certNames -}}
+{{- $cert := (index $values.tls.certs $name) -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "%s/%s" "/etc/tls/certs" $name) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $adminTLS := $values.listeners.admin.tls -}}
+{{- if $adminTLS.requireClientAuth -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $mounts) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.DefaultVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.CommonVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $volumes := (list ) -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}}
+{{- $certNames := (keys $values.tls.certs) -}}
+{{- $_ := (sortAlpha $certNames) -}}
+{{- range $_, $name := $certNames -}}
+{{- $cert := (index $values.tls.certs $name) -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $adminTLS := $values.listeners.admin.tls -}}
+{{- $cert := (index $values.tls.certs $adminTLS.cert) -}}
+{{- if $adminTLS.requireClientAuth -}}
+{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- if (ne (toJson $cert.clientSecretRef) "null") -}}
+{{- $secretName = $cert.clientSecretRef.name -}}
+{{- end -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}}
+{{- end -}}
+{{- end -}}
+{{- $sasl_6 := $values.auth.sasl -}}
+{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $volumes) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.CertSecretName" -}}
+{{- $dot := (index .a 0) -}}
+{{- $certName := (index .a 1) -}}
+{{- $cert := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $cert.secretRef) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $cert.secretRef.name) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.PodSecurityContext" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ContainerSecurityContext" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_22_2_0" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_22_3_0" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_23_1_1" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_23_1_2" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_23_2_1" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaAtLeast_23_3_0" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.redpandaAtLeast" -}}
+{{- $dot := (index .a 0) -}}
+{{- $constraint := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (list (semverCompare $constraint $version) nil)) ))) "r") -}}
+{{- $err := $tmp_tuple_3.T2 -}}
+{{- $result := $tmp_tuple_3.T1 -}}
+{{- if (ne (toJson $err) "null") -}}
+{{- $_ := (fail $err) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.cleanForK8s" -}}
+{{- $in := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaSMP" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}}
+{{- if (lt $coresInMillies (1000 | int64)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (1 | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.coalesce" -}}
+{{- $values := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- range $_, $v := $values -}}
+{{- if (ne (toJson $v) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $v) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StrategicMergePatch" -}}
+{{- $overrides := (index .a 0) -}}
+{{- $original := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $overrides.labels) "null") -}}
+{{- $_ := (set $original.metadata "labels" (merge (dict ) $overrides.labels (default (dict ) $original.metadata.labels))) -}}
+{{- end -}}
+{{- if (ne (toJson $overrides.annotations) "null") -}}
+{{- $_ := (set $original.metadata "annotations" (merge (dict ) $overrides.annotations (default (dict ) $original.metadata.annotations))) -}}
+{{- end -}}
+{{- if (ne (toJson $overrides.spec.securityContext) "null") -}}
+{{- $_ := (set $original.spec "securityContext" (merge (dict ) $overrides.spec.securityContext (default (mustMergeOverwrite (dict ) (dict )) $original.spec.securityContext))) -}}
+{{- end -}}
+{{- if (ne (toJson $overrides.spec.automountServiceAccountToken) "null") -}}
+{{- $_ := (set $original.spec "automountServiceAccountToken" $overrides.spec.automountServiceAccountToken) -}}
+{{- end -}}
+{{- $overrideContainers := (dict ) -}}
+{{- range $i, $_ := $overrides.spec.containers -}}
+{{- $container := (index $overrides.spec.containers $i) -}}
+{{- $_ := (set $overrideContainers (toString $container.name) $container) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (and (ne (toJson $overrides.spec.volumes) "null") (gt ((get (fromJson (include "_shims.len" (dict "a" (list $overrides.spec.volumes) ))) "r") | int) (0 | int))) -}}
+{{- $newVolumes := (list ) -}}
+{{- $overrideVolumes := (dict ) -}}
+{{- range $i, $_ := $overrides.spec.volumes -}}
+{{- $vol := (index $overrides.spec.volumes $i) -}}
+{{- $_ := (set $overrideVolumes $vol.name $vol) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $vol := $original.spec.volumes -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideVolumes $vol.name (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_8 := $tmp_tuple_4.T2 -}}
+{{- $overrideVol_7 := $tmp_tuple_4.T1 -}}
+{{- if $ok_8 -}}
+{{- $newVolumes = (concat (default (list ) $newVolumes) (list $overrideVol_7)) -}}
+{{- $_ := (unset $overrideVolumes $vol.name) -}}
+{{- continue -}}
+{{- end -}}
+{{- $newVolumes = (concat (default (list ) $newVolumes) (list $vol)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $vol := $overrideVolumes -}}
+{{- $newVolumes = (concat (default (list ) $newVolumes) (list $vol)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $original.spec "volumes" $newVolumes) -}}
+{{- end -}}
+{{- $merged := (coalesce nil) -}}
+{{- range $_, $container := $original.spec.containers -}}
+{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideContainers $container.name (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_10 := $tmp_tuple_5.T2 -}}
+{{- $override_9 := $tmp_tuple_5.T1 -}}
+{{- if $ok_10 -}}
+{{- $env := (concat (default (list ) $container.env) (default (list ) $override_9.env)) -}}
+{{- $container = (merge (dict ) $override_9 $container) -}}
+{{- $_ := (set $container "env" $env) -}}
+{{- end -}}
+{{- if (eq (toJson $container.env) "null") -}}
+{{- $_ := (set $container "env" (list )) -}}
+{{- end -}}
+{{- $merged = (concat (default (list ) $merged) (list $container)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $original.spec "containers" $merged) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $original) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.9/templates/_helpers.tpl
new file mode 100644
index 000000000..a885f9dcd
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_helpers.tpl
@@ -0,0 +1,368 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "redpanda.name" -}}
+{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "redpanda.fullname" -}}
+{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+Create a default service name
+*/}}
+{{- define "redpanda.servicename" -}}
+{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/*
+full helm labels + common labels
+*/}}
+{{- define "full.labels" -}}
+{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "redpanda.chart" -}}
+{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "redpanda.serviceAccountName" -}}
+{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }}
+{{- end }}
+
+{{/*
+Use AppVersion if image.tag is not set
+*/}}
+{{- define "redpanda.tag" -}}
+{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/* Generate internal fqdn */}}
+{{- define "redpanda.internal.domain" -}}
+{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }}
+{{- end -}}
+
+{{/* ConfigMap variables */}}
+{{- define "admin-internal-tls-enabled" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}}
+{{- end -}}
+
+{{- define "kafka-internal-tls-enabled" -}}
+{{- $listener := .Values.listeners.kafka -}}
+{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
+{{- end -}}
+
+{{- define "kafka-external-tls-cert" -}}
+{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}}
+{{- end -}}
+
+{{- define "http-internal-tls-enabled" -}}
+{{- $listener := .Values.listeners.http -}}
+{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
+{{- end -}}
+
+{{- define "schemaRegistry-internal-tls-enabled" -}}
+{{- $listener := .Values.listeners.schemaRegistry -}}
+{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}}
+{{- end -}}
+
+{{- define "tls-enabled" -}}
+{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }}
+{{- toJson (dict "bool" $tlsenabled) -}}
+{{- end -}}
+
+{{- define "sasl-enabled" -}}
+{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}}
+{{- end -}}
+
+{{- define "admin-api-urls" -}}
+{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }}
+{{- end -}}
+
+{{- define "admin-api-service-url" -}}
+{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }}
+{{- end -}}
+
+{{- define "sasl-mechanism" -}}
+{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}}
+{{- end -}}
+
+{{- define "fail-on-insecure-sasl-logging" -}}
+{{- if (include "sasl-enabled" .|fromJson).bool -}}
+ {{- $check := list
+ (include "redpanda-atleast-23-1-1" .|fromJson).bool
+ (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool
+ (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool
+ -}}
+ {{- if not (mustHas true $check) -}}
+ {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "fail-on-unsupported-helm-version" -}}
+ {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}}
+ {{- if semverCompare "<3.8.0-0" $helmVer -}}
+ {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." $helmVer) -}}
+ {{- end -}}
+{{- end -}}
+
+{{- define "redpanda-atleast-22-2-0" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-atleast-22-3-0" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-atleast-23-1-1" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-atleast-23-1-2" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-22-3-atleast-22-3-13" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-22-2-atleast-22-2-10" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-atleast-23-2-1" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+{{- define "redpanda-atleast-23-3-0" -}}
+{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }}
+{{- end -}}
+
+{{- define "redpanda-22-2-x-without-sasl" -}}
+{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}}
+{{- if or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod -}}
+{{- $result := false -}}
+{{- end -}}
+{{- toJson (dict "bool" $result) -}}
+{{- end -}}
+
+{{- define "pod-security-context" -}}
+{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }}
+{{- end -}}
+
+{{- define "container-security-context" -}}
+{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }}
+{{- end -}}
+
+{{- define "admin-tls-curl-flags" -}}
+ {{- $result := "" -}}
+ {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}}
+ {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}}
+ {{- $result = (printf "--cacert %s/tls.crt" $path) -}}
+ {{- if .Values.listeners.admin.tls.requireClientAuth -}}
+ {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}}
+ {{- end -}}
+ {{- end -}}
+ {{- $result -}}
+{{- end -}}
+
+{{- define "admin-http-protocol" -}}
+ {{- $result := "http" -}}
+ {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}}
+ {{- $result = "https" -}}
+ {{- end -}}
+ {{- $result -}}
+{{- end -}}
+
+{{- /*
+advertised-port returns either the only advertised port if only one is specified,
+or the port specified for this pod ordinal when there is a full list provided.
+
+This will return a string int or panic if there is more than one port provided,
+but not enough ports for the number of replicas requested.
+*/ -}}
+{{- define "advertised-port" -}}
+ {{- $port := dig "port" .listenerVals.port .externalVals -}}
+ {{- if .externalVals.advertisedPorts -}}
+ {{- if eq (len .externalVals.advertisedPorts) 1 -}}
+ {{- $port = mustFirst .externalVals.advertisedPorts -}}
+ {{- else -}}
+ {{- $port = index .externalVals.advertisedPorts .replicaIndex -}}
+ {{- end -}}
+ {{- end -}}
+ {{ $port }}
+{{- end -}}
+
+{{- /*
+advertised-host returns a json string with the data needed for configuring the advertised listener
+*/ -}}
+{{- define "advertised-host" -}}
+ {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}}
+ {{- if .values.external.addresses -}}
+ {{- $address := "" -}}
+ {{- if gt (len .values.external.addresses) 1 -}}
+ {{- $address = (index .values.external.addresses .replicaIndex) -}}
+ {{- else -}}
+ {{- $address = (index .values.external.addresses 0) -}}
+ {{- end -}}
+ {{- if ( .values.external.domain | default "" ) }}
+ {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}}
+ {{- else -}}
+ {{- $host = dict "name" .externalName "address" $address "port" .port -}}
+ {{- end -}}
+ {{- end -}}
+ {{- toJson $host -}}
+{{- end -}}
+
+{{- define "is-licensed" -}}
+{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . ))))) -}}
+{{- end -}}
+
+{{- define "seed-server-list" -}}
+ {{- $brokers := list -}}
+ {{- range $ordinal := until (.Values.statefulset.replicas | int) -}}
+ {{- $brokers = append $brokers (printf "%s-%d.%s"
+ (include "redpanda.fullname" $)
+ $ordinal
+ (include "redpanda.internal.domain" $))
+ -}}
+ {{- end -}}
+ {{- toJson $brokers -}}
+{{- end -}}
+
+{{/*
+return license checks deprecated values if current values is empty
+*/}}
+{{- define "enterprise-license" -}}
+{{- if dig "license" dict .Values.enterprise -}}
+ {{- .Values.enterprise.license -}}
+{{- else -}}
+ {{- .Values.license_key -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+return licenseSecretRef checks deprecated values entry if current values empty
+*/}}
+{{- define "enterprise-secret" -}}
+{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}}
+ {{- .Values.enterprise.licenseSecretRef -}}
+{{- else if not (empty .Values.license_secret_ref ) -}}
+ {{- .Values.license_secret_ref -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+return licenseSecretRef.name checks deprecated values entry if current values empty
+*/}}
+{{- define "enterprise-secret-name" -}}
+{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}}
+ {{- dig "name" "" .Values.enterprise.licenseSecretRef -}}
+{{- else if not (empty .Values.license_secret_ref ) -}}
+ {{- dig "secret_name" "" .Values.license_secret_ref -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+return licenseSecretRef.key checks deprecated values entry if current values empty
+*/}}
+{{- define "enterprise-secret-key" -}}
+{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}}
+ {{- dig "key" "" .Values.enterprise.licenseSecretRef -}}
+{{- else if not (empty .Values.license_secret_ref ) -}}
+ {{- dig "secret_key" "" .Values.license_secret_ref -}}
+{{- end -}}
+{{- end -}}
+
+{{/* mounts that are common to all containers */}}
+{{- define "common-mounts" -}}
+{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }}
+{{- if $mounts -}}
+{{- toYaml $mounts -}}
+{{- end -}}
+{{- end -}}
+
+{{/* mounts that are common to most containers */}}
+{{- define "default-mounts" -}}
+{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }}
+{{- if $mounts -}}
+{{- toYaml $mounts -}}
+{{- end -}}
+{{- end -}}
+
+{{/* volumes that are common to all pods */}}
+{{- define "common-volumes" -}}
+{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }}
+{{- if $volumes -}}
+{{- toYaml $volumes -}}
+{{- end -}}
+{{- end -}}
+
+{{/* the default set of volumes for most pods, except the sts pod */}}
+{{- define "default-volumes" -}}
+{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }}
+{{- if $volumes -}}
+{{- toYaml $volumes -}}
+{{- end -}}
+{{- end -}}
+
+{{/* support legacy storage.tieredConfig */}}
+{{- define "storage-tiered-config" -}}
+{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }}
+{{- if $cfg -}}
+{{- toYaml $cfg -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+ rpk sasl environment variables
+
+ this will return a string with the correct environment variables to use for SASL based on the
+ version of the redpada container being used
+*/}}
+{{- define "rpk-sasl-environment-variables" -}}
+{{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool -}}
+RPK_USER RPK_PASS RPK_SASL_MECHANISM
+{{- else -}}
+REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM
+{{- end -}}
+{{- end -}}
+
+{{- define "curl-options" -}}
+{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}}
+{{- end -}}
+
+{{- define "advertised-address-template" -}}
+ {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}}
+ {{- if empty $prefixTemplate -}}
+ {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}}
+ {{- end -}}
+ {{ quote $prefixTemplate }}
+{{- end -}}
+
+{{/* check if client auth is enabled for any of the listeners */}}
+{{- define "client-auth-required" -}}
+{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }}
+{{- toJson (dict "bool" $requireClientAuth) -}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_memory.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_memory.go.tpl
new file mode 100644
index 000000000..015a771b4
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_memory.go.tpl
@@ -0,0 +1,63 @@
+{{- /* Generated from "memory.go" */ -}}
+
+{{- define "redpanda.RedpandaReserveMemory" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $rpMem_1 := $values.resources.memory.redpanda -}}
+{{- if (and (ne (toJson $rpMem_1) "null") (ne (toJson $rpMem_1.reserveMemory) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaMemory" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $memory := ((0 | int64) | int64) -}}
+{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}}
+{{- $rpMem_2 := $values.resources.memory.redpanda -}}
+{{- if (and (ne (toJson $rpMem_2) "null") (ne (toJson $rpMem_2.memory) "null")) -}}
+{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}}
+{{- else -}}
+{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}}
+{{- end -}}
+{{- if (eq $memory (0 | int64)) -}}
+{{- $_ := (fail "unable to get memory value redpanda-memory") -}}
+{{- end -}}
+{{- if (lt $memory (256 | int64)) -}}
+{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}}
+{{- end -}}
+{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64)) | int64) $containerMemory) -}}
+{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $memory) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ContainerMemory" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (ne (toJson $values.resources.memory.container.min) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_notes.go.tpl
new file mode 100644
index 000000000..e547ce092
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_notes.go.tpl
@@ -0,0 +1,167 @@
+{{- /* Generated from "notes.go" */ -}}
+
+{{- define "redpanda.Warnings" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $warnings := (coalesce nil) -}}
+{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne $w_1 "") -}}
+{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $warnings) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.cpuWarning" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}}
+{{- if (lt $coresInMillis (1000 | int64)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Notes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}}
+{{- $notes := (coalesce nil) -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}}
+{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}}
+{{- end -}}
+{{- $profiles := (keys $values.listeners.kafka.external) -}}
+{{- $_ := (sortAlpha $profiles) -}}
+{{- $profileName := (index $profiles (0 | int)) -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}}
+{{- $profile := (index $values.listeners.kafka.external $profileName) -}}
+{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}}
+{{- $external := "" -}}
+{{- if (and (ne (toJson $profile.tls) "null") (ne (toJson $profile.tls.cert) "null")) -}}
+{{- $external = $profile.tls.cert -}}
+{{- else -}}
+{{- $external = $values.listeners.kafka.tls.cert -}}
+{{- end -}}
+{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}}
+{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}}
+{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}}
+{{- end -}}
+{{- end -}}
+{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}}
+{{- if $anySASL -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . | base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}}
+{{- end -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}}
+{{- if $anySASL -}}
+{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}}
+{{- end -}}
+{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $notes) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkACLUserCreate" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SASLMechanism" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (ne (toJson $values.auth.sasl) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "SCRAM-SHA-512") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkACLCreate" -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkClusterInfo" -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `rpk cluster info`) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkTopicCreate" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkTopicDescribe" -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `rpk topic describe test-topic`) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkTopicDelete" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `rpk topic delete test-topic`) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RpkSASLEnvironmentVariables" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}}
+{{- break -}}
+{{- else -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_poddisruptionbudget.go.tpl
new file mode 100644
index 000000000..763b7b0bd
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_poddisruptionbudget.go.tpl
@@ -0,0 +1,21 @@
+{{- /* Generated from "poddisruptionbudget.go" */ -}}
+
+{{- define "redpanda.PodDisruptionBudget" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}}
+{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}}
+{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}}
+{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}}
+{{- end -}}
+{{- $maxUnavailable := ($budget | int) -}}
+{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}}
+{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_post-install-upgrade-job.go.tpl
new file mode 100644
index 000000000..617d6dbf3
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_post-install-upgrade-job.go.tpl
@@ -0,0 +1,123 @@
+{{- /* Generated from "post_install_upgrade_job.go" */ -}}
+
+{{- define "redpanda.bootstrapYamlTemplater" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $env := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $values.storage.tiered.credentialsSecretRef (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) ))) "r") -}}
+{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "bootstrap-yaml-envsubst" "image" $image "command" (list "/redpanda-operator" "envsubst" "/tmp/base-config/bootstrap.yaml" "--output" "/tmp/config/.bootstrap.yaml") "env" $env "resources" (mustMergeOverwrite (dict ) (dict "limits" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) "requests" (dict "cpu" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "100m") ))) "r") "memory" (get (fromJson (include "_shims.resource_MustParse" (dict "a" (list "125Mi") ))) "r") ) )) "securityContext" (mustMergeOverwrite (dict ) (dict "allowPrivilegeEscalation" false "readOnlyRootFilesystem" true "runAsNonRoot" true )) "volumeMounts" (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config/" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config/" ))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.PostInstallUpgradeJob" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.post_install_job.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $image := (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) -}}
+{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (default (dict ) $values.post_install_job.labels)) "annotations" (merge (dict ) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" ) (default (dict ) $values.post_install_job.annotations)) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r")) "automountServiceAccountToken" false "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" $image "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "/redpanda-operator" "sync-cluster-config" "--users-directory" "/etc/secrets/users" "--redpanda-yaml" "/tmp/base-config/redpanda.yaml" "--bootstrap-yaml" "/tmp/config/.bootstrap.yaml") "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/tmp/config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )))) ))) "volumes" (concat (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )))) "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $job) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.postInstallJobAffinity" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (empty $values.post_install_job.affinity)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $values.post_install_job.affinity) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.tolerations" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $result := (coalesce nil) -}}
+{{- range $_, $t := $values.tolerations -}}
+{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $envars := (list ) -}}
+{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}}
+{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne $license_1 "") -}}
+{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}}
+{{- else -}}{{- if (ne (toJson $secretReference_2) "null") -}}
+{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot $envars) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.GetLicenseLiteral" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (ne $values.enterprise.license "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $values.enterprise.license) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $values.license_key) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.GetLicenseSecretReference" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (empty $values.enterprise.licenseSecretRef)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}}
+{{- break -}}
+{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_post_upgrade_job.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_post_upgrade_job.go.tpl
new file mode 100644
index 000000000..6a95bb94e
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_post_upgrade_job.go.tpl
@@ -0,0 +1,87 @@
+{{- /* Generated from "post_upgrade_job.go" */ -}}
+
+{{- define "redpanda.PostUpgrade" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.post_upgrade_job.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}}
+{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}}
+{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot $values.post_upgrade_job.extraEnv) ))) "r") "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.PostUpgradeJobScript" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $script := (list `set -e` ``) -}}
+{{- range $key, $value := $values.config.cluster -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}}
+{{- $isInt64 := $tmp_tuple_1.T2 -}}
+{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}}
+{{- $ok_2 := $tmp_tuple_2.T2 -}}
+{{- $asBool_1 := $tmp_tuple_2.T1 -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}}
+{{- $ok_4 := $tmp_tuple_3.T2 -}}
+{{- $asStr_3 := $tmp_tuple_3.T1 -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_6 := $tmp_tuple_4.T2 -}}
+{{- $asSlice_5 := $tmp_tuple_4.T1 -}}
+{{- if (and $ok_2 $asBool_1) -}}
+{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}}
+{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}}
+{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}}
+{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}}
+{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}}
+{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}}
+{{- $script = (concat (default (list ) $script) (list (printf `rpk cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}}
+{{- else -}}{{- if (not (empty $value)) -}}
+{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "default_topic_replications" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_7 := $tmp_tuple_5.T2 -}}
+{{- if (and (not $ok_7) (ge ($values.statefulset.replicas | int) (3 | int))) -}}
+{{- $script = (concat (default (list ) $script) (list "rpk cluster config set default_topic_replications 3")) -}}
+{{- end -}}
+{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_8 := $tmp_tuple_6.T2 -}}
+{{- if (not $ok_8) -}}
+{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}}
+{{- end -}}
+{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}}
+{{- $service := $values.listeners.admin -}}
+{{- $caCert := "" -}}
+{{- $scheme := "http" -}}
+{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}}
+{{- $scheme = "https" -}}
+{{- $caCert = (printf "--cacert %q" (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $service.tls $values.tls) ))) "r")) -}}
+{{- end -}}
+{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}}
+{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}}
+{{- end -}}
+{{- $script = (concat (default (list ) $script) (list "")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (join "\n" $script)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_rbac.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_rbac.go.tpl
new file mode 100644
index 000000000..162092626
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_rbac.go.tpl
@@ -0,0 +1,116 @@
+{{- /* Generated from "rbac.go" */ -}}
+
+{{- define "redpanda.ClusterRoles" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $crs := (coalesce nil) -}}
+{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $cr_1) "null") -}}
+{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}}
+{{- end -}}
+{{- if (not $values.rbac.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $crs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $crs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ClusterRoleBindings" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $crbs := (coalesce nil) -}}
+{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $crb_2) "null") -}}
+{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}}
+{{- end -}}
+{{- if (not $values.rbac.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $crbs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $crbs) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SidecarControllersClusterRole" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SidecarControllersClusterRoleBinding" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SidecarControllersRole" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SidecarControllersRoleBinding" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_secrets.go.tpl
new file mode 100644
index 000000000..7baaa0d4a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_secrets.go.tpl
@@ -0,0 +1,419 @@
+{{- /* Generated from "secrets.go" */ -}}
+
+{{- define "redpanda.Secrets" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $secrets := (coalesce nil) -}}
+{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $saslUsers_1) "null") -}}
+{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}}
+{{- end -}}
+{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $configWatcher_2) "null") -}}
+{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}}
+{{- end -}}
+{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $fsValidator_3) "null") -}}
+{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}}
+{{- end -}}
+{{- $bootstrapUser_4 := (get (fromJson (include "redpanda.SecretBootstrapUser" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $bootstrapUser_4) "null") -}}
+{{- $secrets = (concat (default (list ) $secrets) (list $bootstrapUser_4)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secrets) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretSTSLifecycle" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}}
+{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}}
+{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}}
+{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` ` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done` `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`) -}}
+{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}}
+{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}}
+{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}}
+{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}}
+{{- else -}}
+{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}}
+{{- end -}}
+{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}}
+{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secret) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretSASLUsers" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}}
+{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}}
+{{- $usersTxt := (list ) -}}
+{{- range $_, $user := $values.auth.sasl.users -}}
+{{- if (empty $user.mechanism) -}}
+{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}}
+{{- else -}}
+{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secret) | toJson -}}
+{{- break -}}
+{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}}
+{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}}
+{{- else -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretBootstrapUser" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.auth.sasl.enabled) (ne (toJson $values.auth.sasl.bootstrapUser.secretKeyRef) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $secretName := (printf "%s-bootstrap-user" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- if $dot.Release.IsUpgrade -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "v1" "Secret" $dot.Release.Namespace $secretName) ))) "r")) ))) "r") -}}
+{{- $ok_6 := $tmp_tuple_1.T2 -}}
+{{- $existing_5 := $tmp_tuple_1.T1 -}}
+{{- if $ok_6 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $existing_5) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $password := (randAlphaNum (32 | int)) -}}
+{{- $userPassword := $values.auth.sasl.bootstrapUser.password -}}
+{{- if (ne (toJson $userPassword) "null") -}}
+{{- $password = $userPassword -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $secretName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "password" $password ) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretConfigWatcher" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $bootstrapUser := (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $values.auth.sasl.bootstrapUser) ))) "r") -}}
+{{- $sasl := $values.auth.sasl -}}
+{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}}
+{{- $saslUserSh := (coalesce nil) -}}
+{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}}
+{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}}
+{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` (printf ` USERS_LIST="%s"` $bootstrapUser) ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? || deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} -p ${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # before we do anything ensure we have the bootstrap user` ` echo "Ensuring bootstrap user ${RPK_USER}..."` ` creation_result=$(rpk acl user create ${RPK_USER} -p ${RPK_PASS} --mechanism ${RPK_SASL_MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Bootstrap user already created"` ` else` ` echo "error creating user ${RPK_USER}: ${creation_result}"` ` fi` ` fi` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}}
+{{- else -}}
+{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}}
+{{- end -}}
+{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secret) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretFSValidator" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-fs-validator" (substr 0 (49 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}}
+{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e
+EXPECTED_FS_TYPE=$1
+
+DATA_DIR="/var/lib/redpanda/data"
+TEST_FILE="testfile"
+
+echo "checking data directory exist..."
+if [ ! -d "${DATA_DIR}" ]; then
+ echo "data directory does not exists, exiting"
+ exit 1
+fi
+
+echo "checking filesystem type..."
+FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}')
+
+if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then
+ echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}"
+ exit 1
+fi
+
+echo "checking if able to create a test file..."
+
+touch ${DATA_DIR}/${TEST_FILE}
+result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?)
+if [ "${result}" != "0" ]; then
+ echo "could not write testfile, may not have write permission"
+ exit 1
+fi
+
+echo "checking if able to delete a test file..."
+
+result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?)
+if [ "${result}" != "0" ]; then
+ echo "could not delete testfile"
+ exit 1
+fi
+
+echo "passed"`) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secret) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretConfigurator" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}}
+{{- $configuratorSh := (list ) -}}
+{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml "${CONFIG}"`)) -}}
+{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}}
+{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}}
+{{- end -}}
+{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}}
+{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}}
+{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}}
+{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}}
+{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}}
+{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}}
+{{- end -}}
+{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $secret) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.secretConfiguratorKafkaConfig" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}}
+{{- $snippet := (coalesce nil) -}}
+{{- $listenerName := "kafka" -}}
+{{- $listenerAdvertisedName := $listenerName -}}
+{{- $redpandaConfigPart := "redpanda" -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}}
+{{- $externalCounter := (0 | int) -}}
+{{- range $externalName, $externalVals := $values.listeners.kafka.external -}}
+{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}}
+{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}}
+{{- $port := ($externalVals.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}}
+{{- else -}}
+{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}}
+{{- end -}}
+{{- end -}}
+{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}}
+{{- $address := (toJson $host) -}}
+{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}}
+{{- if (eq $prefixTemplate "") -}}
+{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}}
+{{- end -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $snippet) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.secretConfiguratorHTTPConfig" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}}
+{{- $snippet := (coalesce nil) -}}
+{{- $listenerName := "http" -}}
+{{- $listenerAdvertisedName := "pandaproxy" -}}
+{{- $redpandaConfigPart := "pandaproxy" -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}}
+{{- $externalCounter := (0 | int) -}}
+{{- range $externalName, $externalVals := $values.listeners.http.external -}}
+{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}}
+{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}}
+{{- $port := ($externalVals.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}}
+{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}}
+{{- else -}}
+{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}}
+{{- end -}}
+{{- end -}}
+{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}}
+{{- $address := (toJson $host) -}}
+{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}}
+{{- if (eq $prefixTemplate "") -}}
+{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}}
+{{- end -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $snippet) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.adminTLSCurlFlags" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if $values.listeners.admin.tls.requireClientAuth -}}
+{{- $path := (printf "%s/%s-client" "/etc/tls/certs" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $path := (get (fromJson (include "redpanda.InternalTLS.ServerCAPath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "--cacert %s" $path)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.externalAdvertiseAddress" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $eaa := "${SERVICE_NAME}" -}}
+{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}}
+{{- $expanded := (tpl $externalDomainTemplate $dot) -}}
+{{- if (not (empty $expanded)) -}}
+{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $eaa) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.advertisedHostJSON" -}}
+{{- $dot := (index .a 0) -}}
+{{- $externalName := (index .a 1) -}}
+{{- $port := (index .a 2) -}}
+{{- $replicaIndex := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $host := (dict "name" $externalName "address" (get (fromJson (include "redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}}
+{{- $address := "" -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}}
+{{- $address = (index $values.external.addresses $replicaIndex) -}}
+{{- else -}}
+{{- $address = (index $values.external.addresses (0 | int)) -}}
+{{- end -}}
+{{- $domain_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}}
+{{- if (ne $domain_7 "") -}}
+{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address $domain_7) "port" $port ) -}}
+{{- else -}}
+{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $host) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.adminInternalHTTPProtocol" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "https") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "http") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.adminInternalURL" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_service.internal.go.tpl
new file mode 100644
index 000000000..0719ec5fa
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_service.internal.go.tpl
@@ -0,0 +1,38 @@
+{{- /* Generated from "service_internal.go" */ -}}
+
+{{- define "redpanda.MonitoringEnabledLabel" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ServiceInternal" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $ports := (list ) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}}
+{{- if $values.listeners.http.enabled -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}}
+{{- end -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}}
+{{- if $values.listeners.schemaRegistry.enabled -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" ($values.listeners.schemaRegistry.port | int) )))) -}}
+{{- end -}}
+{{- $annotations := (dict ) -}}
+{{- if (ne (toJson $values.service) "null") -}}
+{{- $annotations = $values.service.internal.annotations -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_service.loadbalancer.go.tpl
new file mode 100644
index 000000000..dbc754750
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_service.loadbalancer.go.tpl
@@ -0,0 +1,101 @@
+{{- /* Generated from "service.loadbalancer.go" */ -}}
+
+{{- define "redpanda.LoadBalancerServices" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (ne $values.external.type "LoadBalancer") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}}
+{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}}
+{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}}
+{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}}
+{{- $services := (coalesce nil) -}}
+{{- $replicas := ($values.statefulset.replicas | int) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}}
+{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}}
+{{- $annotations := (dict ) -}}
+{{- range $k, $v := $values.external.annotations -}}
+{{- $_ := (set $annotations $k $v) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if $externalDNS.enabled -}}
+{{- $prefix := $podname -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) ($i | int)) -}}
+{{- $prefix = (index $values.external.addresses $i) -}}
+{{- end -}}
+{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}}
+{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}}
+{{- end -}}
+{{- $podSelector := (dict ) -}}
+{{- range $k, $v := $selector -}}
+{{- $_ := (set $podSelector $k $v) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}}
+{{- $ports := (coalesce nil) -}}
+{{- range $name, $listener := $values.listeners.admin.external -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.kafka.external -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.http.external -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.schemaRegistry.external -}}
+{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}}
+{{- $services = (concat (default (list ) $services) (list $svc)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $services) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_service.nodeport.go.tpl
new file mode 100644
index 000000000..bc199951d
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_service.nodeport.go.tpl
@@ -0,0 +1,80 @@
+{{- /* Generated from "service.nodeport.go" */ -}}
+
+{{- define "redpanda.NodePortService" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (ne $values.external.type "NodePort") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $ports := (coalesce nil) -}}
+{{- range $name, $listener := $values.listeners.admin.external -}}
+{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $nodePort := ($listener.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}}
+{{- end -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.kafka.external -}}
+{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $nodePort := ($listener.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}}
+{{- end -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.http.external -}}
+{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $nodePort := ($listener.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}}
+{{- end -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $name, $listener := $values.listeners.schemaRegistry.external -}}
+{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $nodePort := ($listener.port | int) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}}
+{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}}
+{{- end -}}
+{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $annotations := $values.external.annotations -}}
+{{- if (eq (toJson $annotations) "null") -}}
+{{- $annotations = (dict ) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_serviceaccount.go.tpl
new file mode 100644
index 000000000..82ec5be75
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_serviceaccount.go.tpl
@@ -0,0 +1,18 @@
+{{- /* Generated from "serviceaccount.go" */ -}}
+
+{{- define "redpanda.ServiceAccount" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.serviceAccount.create) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_servicemonitor.go.tpl
new file mode 100644
index 000000000..7f5a62130
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_servicemonitor.go.tpl
@@ -0,0 +1,26 @@
+{{- /* Generated from "servicemonitor.go" */ -}}
+
+{{- define "redpanda.ServiceMonitor" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.monitoring.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}}
+{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne (toJson $values.monitoring.tlsConfig) "null")) -}}
+{{- $_ := (set $endpoint "scheme" "https") -}}
+{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}}
+{{- if (eq (toJson $endpoint.tlsConfig) "null") -}}
+{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.9/templates/_shims.tpl
new file mode 100644
index 000000000..c16b6d178
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_shims.tpl
@@ -0,0 +1,339 @@
+{{- /* Generated from "bootstrap.go" */ -}}
+
+{{- define "_shims.typetest" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs $typ $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.typeassertion" -}}
+{{- $typ := (index .a 0) -}}
+{{- $value := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not (typeIs $typ $value)) -}}
+{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $value) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.dicttest" -}}
+{{- $m := (index .a 0) -}}
+{{- $key := (index .a 1) -}}
+{{- $zero := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (hasKey $m $key) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (index $m $key) true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $zero false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.compact" -}}
+{{- $args := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $out := (dict ) -}}
+{{- range $i, $e := $args -}}
+{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $out) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $ptr) "null") -}}
+{{- $_ := (fail "nil dereference") -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.len" -}}
+{{- $m := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $m) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (0 | int)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (len $m)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Deref" -}}
+{{- $ptr := (index .a 0) -}}
+{{- $def := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $ptr) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ptr) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $def) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.ptr_Equal" -}}
+{{- $a := (index .a 0) -}}
+{{- $b := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (and (eq (toJson $a) "null") (eq (toJson $b) "null")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (eq $a $b)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.lookup" -}}
+{{- $apiVersion := (index .a 0) -}}
+{{- $kind := (index .a 1) -}}
+{{- $namespace := (index .a 2) -}}
+{{- $name := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (lookup $apiVersion $kind $namespace $name) -}}
+{{- if (empty $result) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (coalesce nil) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $result true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asnumeric" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int64" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (typeIs "int" $value) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.asintegral" -}}
+{{- $value := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $value true)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (0 | int) false)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.parseResource" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (typeIs "float64" $repr) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (not (typeIs "string" $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}}
+{{- end -}}
+{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}}
+{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}}
+{{- end -}}
+{{- $reprStr := (toString $repr) -}}
+{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}}
+{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_1.T2 -}}
+{{- $scale := ($tmp_tuple_1.T1 | float64) -}}
+{{- if (not $ok) -}}
+{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $numeric $scale)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MustParse" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_2.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_2.T1 | float64) -}}
+{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}}
+{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}}
+{{- $idx := -1 -}}
+{{- range $i, $s := $scales -}}
+{{- if (eq ($s | float64) ($scale | float64)) -}}
+{{- $idx = $i -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (eq $idx -1) -}}
+{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_Value" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_3.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_3.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.resource_MilliValue" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}}
+{{- $scale := ($tmp_tuple_4.T2 | float64) -}}
+{{- $numeric := ($tmp_tuple_4.T1 | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.time_ParseDuration" -}}
+{{- $repr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $unitMap := (dict "s" (1000000000 | int64) "m" (60000000000 | int64) "h" (3600000000000 | int64) ) -}}
+{{- $original := $repr -}}
+{{- $value := ((0 | int64) | int64) -}}
+{{- if (eq $repr "") -}}
+{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}}
+{{- end -}}
+{{- if (eq $repr "0") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (0 | int64)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $_ := (list (0 | int) (0 | int) (0 | int)) -}}
+{{- if (eq $repr "") -}}
+{{- break -}}
+{{- end -}}
+{{- $n := (regexFind `^\d+` $repr) -}}
+{{- if (eq $n "") -}}
+{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}}
+{{- end -}}
+{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $n) ))) "r") | int) -1 $repr) -}}
+{{- $unit := (regexFind `^(h|m|s)` $repr) -}}
+{{- if (eq $unit "") -}}
+{{- $_ := (fail (printf "invalid Duration: %q" $original)) -}}
+{{- end -}}
+{{- $repr = (substr ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int) -1 $repr) -}}
+{{- $value = ((add $value (((mul (int64 $n) (index $unitMap $unit)) | int64))) | int64) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $value) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.time_Duration_String" -}}
+{{- $dur := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (duration ((div $dur (1000000000 | int64)) | int64))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "_shims.render-manifest" -}}
+{{- $tpl := (index . 0) -}}
+{{- $dot := (index . 1) -}}
+{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}}
+{{- if not (typeIs "[]interface {}" $manifests) -}}
+{{- $manifests = (list $manifests) -}}
+{{- end -}}
+{{- range $_, $manifest := $manifests -}}
+{{- if ne (toJson $manifest) "null" }}
+---
+{{toYaml (unset (unset $manifest "status") "creationTimestamp")}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_statefulset.go.tpl
new file mode 100644
index 000000000..6c1f9bbaf
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_statefulset.go.tpl
@@ -0,0 +1,777 @@
+{{- /* Generated from "statefulset.go" */ -}}
+
+{{- define "redpanda.statefulSetRedpandaEnv" -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetPodLabelsSelector" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if $dot.Release.IsUpgrade -}}
+{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}}
+{{- $ok_2 := $tmp_tuple_1.T2 -}}
+{{- $existing_1 := $tmp_tuple_1.T1 -}}
+{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $additionalSelectorLabels := (dict ) -}}
+{{- if (ne (toJson $values.statefulset.additionalSelectorLabels) "null") -}}
+{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}}
+{{- end -}}
+{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}}
+{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetPodLabels" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if $dot.Release.IsUpgrade -}}
+{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}}
+{{- $ok_4 := $tmp_tuple_2.T2 -}}
+{{- $existing_3 := $tmp_tuple_2.T1 -}}
+{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $statefulSetLabels := (dict ) -}}
+{{- if (ne (toJson $values.statefulset.podTemplate.labels) "null") -}}
+{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}}
+{{- end -}}
+{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetPodAnnotations" -}}
+{{- $dot := (index .a 0) -}}
+{{- $configMapChecksum := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}}
+{{- if (ne (toJson $values.statefulset.podTemplate.annotations) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}}
+{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" "base-config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}}
+{{- if $values.statefulset.initContainers.fsValidator.enabled -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}}
+{{- end -}}
+{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}}
+{{- if (ne (toJson $vol_5) "null") -}}
+{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}}
+{{- end -}}
+{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $v_6) "null") -}}
+{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}}
+{{- end -}}
+{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) ((or ((and (and $values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC)) $values.rackAwareness.enabled))) -}}
+{{- $foundK8STokenVolume := false -}}
+{{- range $_, $v := $volumes -}}
+{{- if (hasPrefix $v.name (printf "%s%s" "kube-api-access" "-")) -}}
+{{- $foundK8STokenVolume = true -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (not $foundK8STokenVolume) -}}
+{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.kubeTokenAPIVolume" (dict "a" (list "kube-api-access") ))) "r"))) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $volumes) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.kubeTokenAPIVolume" -}}
+{{- $name := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "defaultMode" (420 | int) "sources" (list (mustMergeOverwrite (dict ) (dict "serviceAccountToken" (mustMergeOverwrite (dict "path" "" ) (dict "path" "token" "expirationSeconds" ((3607 | int) | int64) )) )) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" "kube-root-ca.crt" )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" "ca.crt" "path" "ca.crt" ))) )) )) (mustMergeOverwrite (dict ) (dict "downwardAPI" (mustMergeOverwrite (dict ) (dict "items" (list (mustMergeOverwrite (dict "path" "" ) (dict "path" "namespace" "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "metadata.namespace" )) ))) )) ))) )) )) (dict "name" $name ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetVolumeDataDir" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}}
+{{- if $values.storage.persistentVolume.enabled -}}
+{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}}
+{{- else -}}{{- if (ne $values.storage.hostPath "") -}}
+{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}}
+{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (eq $tieredType "hostPath") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r"))) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetVolumeMounts" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $mounts) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetInitContainers" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $containers := (coalesce nil) -}}
+{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_7) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_7)) -}}
+{{- end -}}
+{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_8) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}}
+{{- end -}}
+{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_9) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}}
+{{- end -}}
+{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_10) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}}
+{{- end -}}
+{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.bootstrapYamlTemplater" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $containers) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetInitContainerTuning" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.tuning.tune_aio_events) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r")) ))) "r") -}}
+{{- $gid := ($tmp_tuple_3.T2 | int64) -}}
+{{- $uid := ($tmp_tuple_3.T1 | int64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.securityContextUidGid" -}}
+{{- $dot := (index .a 0) -}}
+{{- $containerName := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $uid := $values.statefulset.securityContext.runAsUser -}}
+{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.runAsUser) "null")) -}}
+{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}}
+{{- end -}}
+{{- if (eq (toJson $uid) "null") -}}
+{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}}
+{{- end -}}
+{{- $gid := $values.statefulset.securityContext.fsGroup -}}
+{{- if (and (ne (toJson $values.statefulset.podSecurityContext) "null") (ne (toJson $values.statefulset.podSecurityContext.fsGroup) "null")) -}}
+{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}}
+{{- end -}}
+{{- if (eq (toJson $gid) "null") -}}
+{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list $uid $gid)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetInitContainerFSValidator" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r")) ))) "r") -}}
+{{- $gid := ($tmp_tuple_4.T2 | int64) -}}
+{{- $uid := ($tmp_tuple_4.T1 | int64) -}}
+{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}}
+{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}}
+{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}}
+{{- $name := "tiered-storage-dir" -}}
+{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}}
+{{- $name = $values.storage.persistentVolume.nameOverwrite -}}
+{{- end -}}
+{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}}
+{{- end -}}
+{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetInitContainerConfigurator" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $volMounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}}
+{{- $volMounts = (concat (default (list ) $volMounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r"))) -}}
+{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "base-config" "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) -}}
+{{- if (and (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r")) $values.rackAwareness.enabled) -}}
+{{- $mountName := "kube-api-access" -}}
+{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}}
+{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}}
+{{- $mountName = $vol.name -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $volMounts = (concat (default (list ) $volMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) )))) ))) "r") "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" $volMounts "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSetContainers" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $containers := (coalesce nil) -}}
+{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}}
+{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_11) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}}
+{{- end -}}
+{{- $c_12 := (get (fromJson (include "redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $c_12) "null") -}}
+{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $containers) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.wrapLifecycleHook" -}}
+{{- $hook := (index .a 0) -}}
+{{- $timeoutSeconds := (index .a 1) -}}
+{{- $cmd := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $wrapped := (join " " $cmd) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list "bash" "-c" (printf "timeout -v %d %s 2>&1 | sed \"s/^/lifecycle-hook %s $(date): /\" | tee /proc/1/fd/1; true" $timeoutSeconds $wrapped $hook))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetContainerRedpanda" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}}
+{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.bootstrapEnvVars" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r")) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "post-start" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/postStart.sh")) ))) "r") )) )) "preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (get (fromJson (include "redpanda.wrapLifecycleHook" (dict "a" (list "pre-stop" ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64) (list "bash" "-x" "/var/lifecycle/preStop.sh")) ))) "r") )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (mustMergeOverwrite (dict ) (dict )) )) -}}
+{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}}
+{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}}
+{{- end -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}}
+{{- range $externalName, $external := $values.listeners.admin.external -}}
+{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}}
+{{- range $externalName, $external := $values.listeners.http.external -}}
+{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}}
+{{- range $externalName, $external := $values.listeners.kafka.external -}}
+{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}}
+{{- range $externalName, $external := $values.listeners.schemaRegistry.external -}}
+{{- if (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}}
+{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}}
+{{- $name := "tiered-storage-dir" -}}
+{{- if (and (ne (toJson $values.storage.persistentVolume) "null") (ne $values.storage.persistentVolume.nameOverwrite "")) -}}
+{{- $name = $values.storage.persistentVolume.nameOverwrite -}}
+{{- end -}}
+{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}}
+{{- end -}}
+{{- $_ := (set $container.resources "limits" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.max )) -}}
+{{- if (ne (toJson $values.resources.memory.container.min) "null") -}}
+{{- $_ := (set $container.resources "requests" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.min )) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $container) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.adminApiURLs" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetContainerConfigWatcher" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "env" (get (fromJson (include "redpanda.rpkEnvVars" (dict "a" (list $dot (coalesce nil)) ))) "r") "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetContainerControllers" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $volumeMounts := (list ) -}}
+{{- if (and (and (and $values.rbac.enabled $values.statefulset.sideCars.controllers.enabled) $values.statefulset.sideCars.controllers.createRBAC) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.serviceAccount.automountServiceAccountToken false) ))) "r"))) -}}
+{{- $mountName := "kube-api-access" -}}
+{{- range $_, $vol := (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") -}}
+{{- if (hasPrefix $vol.name (printf "%s%s" "kube-api-access" "-")) -}}
+{{- $mountName = $vol.name -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mountName "readOnly" true "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" )))) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext "volumeMounts" $volumeMounts ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.rpkEnvVars" -}}
+{{- $dot := (index .a 0) -}}
+{{- $envVars := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $envVars) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.bootstrapEnvVars" -}}
+{{- $dot := (index .a 0) -}}
+{{- $envVars := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (and (ne (toJson $values.auth.sasl) "null") $values.auth.sasl.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) $envVars) (default (list ) (get (fromJson (include "redpanda.BootstrapUser.BootstrapEnvironment" (dict "a" (list $values.auth.sasl.bootstrapUser (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $envVars) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.templateToVolumeMounts" -}}
+{{- $dot := (index .a 0) -}}
+{{- $template := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (tpl $template $dot) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (fromYamlArray $result)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.templateToVolumes" -}}
+{{- $dot := (index .a 0) -}}
+{{- $template := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (tpl $template $dot) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (fromYamlArray $result)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.templateToContainers" -}}
+{{- $dot := (index .a 0) -}}
+{{- $template := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (tpl $template $dot) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (fromYamlArray $result)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StatefulSet" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}}
+{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}}
+{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}}
+{{- end -}}
+{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "automountServiceAccountToken" false "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" (dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" (dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}}
+{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}}
+{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $t_13) "null") -}}
+{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}}
+{{- end -}}
+{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}}
+{{- if (ne (toJson $t_14) "null") -}}
+{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $ss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.semver" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetChecksumAnnotation" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $dependencies := (coalesce nil) -}}
+{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot false) ))) "r"))) -}}
+{{- if $values.external.enabled -}}
+{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}}
+{{- if (empty $values.external.addresses) -}}
+{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}}
+{{- else -}}
+{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetTolerations" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetNodeSelectors" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetAffinity" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}}
+{{- if (not (empty $values.statefulset.nodeAffinity)) -}}
+{{- $_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}}
+{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}}
+{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}}
+{{- end -}}
+{{- end -}}
+{{- if (not (empty $values.statefulset.podAffinity)) -}}
+{{- $_ := (set $affinity "podAffinity" $values.statefulset.podAffinity) -}}
+{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}}
+{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}}
+{{- end -}}
+{{- end -}}
+{{- if (not (empty $values.statefulset.podAntiAffinity)) -}}
+{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}}
+{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}}
+{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}}
+{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}}
+{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}}
+{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}}
+{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- else -}}{{- if (not (empty $values.affinity.podAntiAffinity)) -}}
+{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $affinity) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.volumeClaimTemplateDatadir" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (not $values.storage.persistentVolume.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}}
+{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}}
+{{- if (eq $values.storage.persistentVolume.storageClass "-") -}}
+{{- $_ := (set $pvc.spec "storageClassName" "") -}}
+{{- else -}}
+{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $pvc) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.volumeClaimTemplateTieredStorageDir" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}}
+{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}}
+{{- if (eq $sc_15 "-") -}}
+{{- $_ := (set $pvc.spec "storageClassName" "") -}}
+{{- else -}}{{- if (not (empty $sc_15)) -}}
+{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $pvc) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.statefulSetTopologySpreadConstraints" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $result := (coalesce nil) -}}
+{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}}
+{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}}
+{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.StorageTieredConfig" -}}
+{{- $dot := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.9/templates/_values.go.tpl
new file mode 100644
index 000000000..386b647f6
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/_values.go.tpl
@@ -0,0 +1,1338 @@
+{{- /* Generated from "values.go" */ -}}
+
+{{- define "redpanda.AuditLogging.Translate" -}}
+{{- $a := (index .a 0) -}}
+{{- $dot := (index .a 1) -}}
+{{- $isSASLEnabled := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $enabled := (and $a.enabled $isSASLEnabled) -}}
+{{- $_ := (set $result "audit_enabled" $enabled) -}}
+{{- if (not $enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}}
+{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}}
+{{- end -}}
+{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}}
+{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}}
+{{- end -}}
+{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}}
+{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}}
+{{- end -}}
+{{- if (ne (($a.partitions | int) | int) (12 | int)) -}}
+{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}}
+{{- end -}}
+{{- if (ne ($a.replicationFactor | int) (0 | int)) -}}
+{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}}
+{{- end -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}}
+{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Auth.IsSASLEnabled" -}}
+{{- $a := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $a.sasl) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" false) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $a.sasl.enabled) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Auth.Translate" -}}
+{{- $a := (index .a 0) -}}
+{{- $isSASLEnabled := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (not $isSASLEnabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $users := (list (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $a.sasl.bootstrapUser) ))) "r")) -}}
+{{- range $_, $u := $a.sasl.users -}}
+{{- $users = (concat (default (list ) $users) (list $u.name)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict "superusers" $users )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Logging.Translate" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}}
+{{- if (ne $clusterID_1 "") -}}
+{{- $_ := (set $result "cluster_id" $clusterID_1) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}}
+{{- $rr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" true) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.IsTieredStorageEnabled" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}}
+{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_3.T2 -}}
+{{- $b := $tmp_tuple_3.T1 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.GetTieredStorageConfig" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tieredConfig) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tiered.config) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.GetTieredStorageHostPath" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $hp := $s.tieredStorageHostPath -}}
+{{- if (empty $hp) -}}
+{{- $hp = $s.tiered.hostPath -}}
+{{- end -}}
+{{- if (empty $hp) -}}
+{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $hp) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.TieredCacheDirectory" -}}
+{{- $s := (index .a 0) -}}
+{{- $dot := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $values := $dot.Values.AsMap -}}
+{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $values.config.node "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}}
+{{- $ok_3 := $tmp_tuple_4.T2 -}}
+{{- $dir_2 := $tmp_tuple_4.T1 -}}
+{{- if $ok_3 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $dir_2) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $tieredConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}}
+{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $tieredConfig "cloud_storage_cache_directory") "") ))) "r")) ))) "r") -}}
+{{- $ok_5 := $tmp_tuple_5.T2 -}}
+{{- $dir_4 := $tmp_tuple_5.T1 -}}
+{{- if $ok_5 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $dir_4) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.TieredMountType" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (and (ne (toJson $s.tieredStoragePersistentVolume) "null") $s.tieredStoragePersistentVolume.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "persistentVolume") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (not (empty $s.tieredStorageHostPath)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "hostPath") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tiered.mountType) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $s.tieredStoragePersistentVolume) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Storage.StorageMinFreeBytes" -}}
+{{- $s := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (and (ne (toJson $s.persistentVolume) "null") (not $s.persistentVolume.enabled)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (5368709120 | int)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Tuning.Translate" -}}
+{{- $t := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- $s := (toJson $t) -}}
+{{- $tune := (fromJson $s) -}}
+{{- $tmp_tuple_7 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_7.T2 -}}
+{{- $m := $tmp_tuple_7.T1 -}}
+{{- if (not $ok) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (dict )) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- range $k, $v := $m -}}
+{{- $_ := (set $result $k $v) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Listeners.CreateSeedServers" -}}
+{{- $l := (index .a 0) -}}
+{{- $replicas := (index .a 1) -}}
+{{- $fullname := (index .a 2) -}}
+{{- $internalDomain := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (coalesce nil) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}}
+{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Listeners.AdminList" -}}
+{{- $l := (index .a 0) -}}
+{{- $replicas := (index .a 1) -}}
+{{- $fullname := (index .a 2) -}}
+{{- $internalDomain := (index .a 3) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ServerList" -}}
+{{- $replicas := (index .a 0) -}}
+{{- $prefix := (index .a 1) -}}
+{{- $fullname := (index .a 2) -}}
+{{- $internalDomain := (index .a 3) -}}
+{{- $port := (index .a 4) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (coalesce nil) -}}
+{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}}
+{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Listeners.TrustStoreVolume" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $cmSources := (dict ) -}}
+{{- $secretSources := (dict ) -}}
+{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}}
+{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) ))) "r") -}}
+{{- if (ne (toJson $projection.secret) "null") -}}
+{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}}
+{{- else -}}
+{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $sources := (coalesce nil) -}}
+{{- range $_, $name := (sortAlpha (keys $cmSources)) -}}
+{{- $keys := (index $cmSources $name) -}}
+{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- range $_, $name := (sortAlpha (keys $secretSources)) -}}
+{{- $keys := (index $secretSources $name) -}}
+{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.dedupKeyToPaths" -}}
+{{- $items := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $seen := (dict ) -}}
+{{- $deduped := (coalesce nil) -}}
+{{- range $_, $item := $items -}}
+{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok_6 := $tmp_tuple_8.T2 -}}
+{{- if $ok_6 -}}
+{{- continue -}}
+{{- end -}}
+{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}}
+{{- $_ := (set $seen $item.key true) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $deduped) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Listeners.TrustStores" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}}
+{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}}
+{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}}
+{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.Config.CreateRPKConfiguration" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- range $k, $v := $c.rpk -}}
+{{- $_ := (set $result $k $v) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TLSCertMap.MustGet" -}}
+{{- $m := (index .a 0) -}}
+{{- $name := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_9 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_9.T2 -}}
+{{- $cert := $tmp_tuple_9.T1 -}}
+{{- if (not $ok) -}}
+{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $cert) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapUser.BootstrapEnvironment" -}}
+{{- $b := (index .a 0) -}}
+{{- $fullname := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (concat (default (list ) (get (fromJson (include "redpanda.BootstrapUser.RpkEnvironment" (dict "a" (list $b $fullname) ))) "r")) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RP_BOOTSTRAP_USER" "value" "$(RPK_USER):$(RPK_PASS):$(RPK_SASL_MECHANISM)" ))))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapUser.Username" -}}
+{{- $b := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $b.name) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $b.name) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "kubernetes-controller") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapUser.RpkEnvironment" -}}
+{{- $b := (index .a 0) -}}
+{{- $fullname := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_PASS" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (get (fromJson (include "redpanda.BootstrapUser.SecretKeySelector" (dict "a" (list $b $fullname) ))) "r") )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_USER" "value" (get (fromJson (include "redpanda.BootstrapUser.Username" (dict "a" (list $b) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_SASL_MECHANISM" "value" (get (fromJson (include "redpanda.BootstrapUser.GetMechanism" (dict "a" (list $b) ))) "r") )))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapUser.GetMechanism" -}}
+{{- $b := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq $b.mechanism "") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "SCRAM-SHA-256") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $b.mechanism) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.BootstrapUser.SecretKeySelector" -}}
+{{- $b := (index .a 0) -}}
+{{- $fullname := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $b.secretKeyRef) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $b.secretKeyRef) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (printf "%s-bootstrap-user" $fullname) )) (dict "key" "password" ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TrustStore.TrustStoreFilePath" -}}
+{{- $t := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TrustStore.RelativePath" -}}
+{{- $t := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $t.configMapKeyRef) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TrustStore.VolumeProjection" -}}
+{{- $t := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $t.configMapKeyRef) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.InternalTLS.IsEnabled" -}}
+{{- $t := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}}
+{{- $t := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $t.trustStore) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.InternalTLS.ServerCAPath" -}}
+{{- $t := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s/tls.crt" "/etc/tls/certs" $t.cert)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ExternalTLS.GetCert" -}}
+{{- $t := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- $tls := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ExternalTLS.GetCertName" -}}
+{{- $t := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}}
+{{- $t := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- $tls := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (ne (toJson $t.trustStore) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (printf "%s/%s/ca.crt" "/etc/tls/certs" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ExternalTLS.IsEnabled" -}}
+{{- $t := (index .a 0) -}}
+{{- $i := (index .a 1) -}}
+{{- $tls := (index .a 2) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $t) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" false) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.AdminListeners.ConsoleTLS" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}}
+{{- if (not $t.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $adminAPIPrefix := (printf "%s/%s" "/etc/tls/certs" $l.tls.cert) -}}
+{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $l.tls.cert) ))) "r").caEnabled -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $adminAPIPrefix)) -}}
+{{- else -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}}
+{{- end -}}
+{{- if (not $l.tls.requireClientAuth) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $adminAPIPrefix)) -}}
+{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $adminAPIPrefix)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.AdminListeners.Listeners" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}}
+{{- range $k, $lis := $l.external -}}
+{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $admin) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.AdminListeners.ListenersTLS" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $admin := (list ) -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}}
+{{- $admin = (concat (default (list ) $admin) (list $internal)) -}}
+{{- end -}}
+{{- range $k, $lis := $l.external -}}
+{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
+{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $admin) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.AdminListeners.TrustStores" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tss := (list ) -}}
+{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}}
+{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}}
+{{- end -}}
+{{- range $_, $key := (sortAlpha (keys $l.external)) -}}
+{{- $lis := (index $l.external $key) -}}
+{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.AdminExternal.IsEnabled" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.HTTPListeners.Listeners" -}}
+{{- $l := (index .a 0) -}}
+{{- $saslEnabled := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}}
+{{- if $saslEnabled -}}
+{{- $_ := (set $internal "authentication_method" "http_basic") -}}
+{{- end -}}
+{{- $am_7 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_7 "") -}}
+{{- $_ := (set $internal "authentication_method" $am_7) -}}
+{{- end -}}
+{{- $result := (list $internal) -}}
+{{- range $k, $l := $l.external -}}
+{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}}
+{{- if $saslEnabled -}}
+{{- $_ := (set $listener "authentication_method" "http_basic") -}}
+{{- end -}}
+{{- $am_8 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_8 "") -}}
+{{- $_ := (set $listener "authentication_method" $am_8) -}}
+{{- end -}}
+{{- $result = (concat (default (list ) $result) (list $listener)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.HTTPListeners.ListenersTLS" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $pp := (list ) -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}}
+{{- $pp = (concat (default (list ) $pp) (list $internal)) -}}
+{{- end -}}
+{{- range $k, $lis := $l.external -}}
+{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
+{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $pp) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.HTTPListeners.TrustStores" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tss := (coalesce nil) -}}
+{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}}
+{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}}
+{{- end -}}
+{{- range $_, $key := (sortAlpha (keys $l.external)) -}}
+{{- $lis := (index $l.external $key) -}}
+{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.HTTPExternal.IsEnabled" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.KafkaListeners.Listeners" -}}
+{{- $l := (index .a 0) -}}
+{{- $auth := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}}
+{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}}
+{{- $_ := (set $internal "authentication_method" "sasl") -}}
+{{- end -}}
+{{- $am_9 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_9 "") -}}
+{{- $_ := (set $internal "authentication_method" $am_9) -}}
+{{- end -}}
+{{- $kafka := (list $internal) -}}
+{{- range $k, $l := $l.external -}}
+{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}}
+{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}}
+{{- $_ := (set $listener "authentication_method" "sasl") -}}
+{{- end -}}
+{{- $am_10 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_10 "") -}}
+{{- $_ := (set $listener "authentication_method" $am_10) -}}
+{{- end -}}
+{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $kafka) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.KafkaListeners.ListenersTLS" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $kafka := (list ) -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}}
+{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}}
+{{- end -}}
+{{- range $k, $lis := $l.external -}}
+{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
+{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $kafka) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.KafkaListeners.TrustStores" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tss := (coalesce nil) -}}
+{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}}
+{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}}
+{{- end -}}
+{{- range $_, $key := (sortAlpha (keys $l.external)) -}}
+{{- $lis := (index $l.external $key) -}}
+{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.KafkaListeners.ConsoleTLS" -}}
+{{- $k := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}}
+{{- if (not $t.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $kafkaPathPrefix := (printf "%s/%s" "/etc/tls/certs" $k.tls.cert) -}}
+{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $k.tls.cert) ))) "r").caEnabled -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $kafkaPathPrefix)) -}}
+{{- else -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}}
+{{- end -}}
+{{- if (not $k.tls.requireClientAuth) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $kafkaPathPrefix)) -}}
+{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $kafkaPathPrefix)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.KafkaExternal.IsEnabled" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SchemaRegistryListeners.Listeners" -}}
+{{- $sr := (index .a 0) -}}
+{{- $saslEnabled := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}}
+{{- if $saslEnabled -}}
+{{- $_ := (set $internal "authentication_method" "http_basic") -}}
+{{- end -}}
+{{- $am_11 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_11 "") -}}
+{{- $_ := (set $internal "authentication_method" $am_11) -}}
+{{- end -}}
+{{- $result := (list $internal) -}}
+{{- range $k, $l := $sr.external -}}
+{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}}
+{{- if $saslEnabled -}}
+{{- $_ := (set $listener "authentication_method" "http_basic") -}}
+{{- end -}}
+{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}}
+{{- if (ne $am_12 "") -}}
+{{- $_ := (set $listener "authentication_method" $am_12) -}}
+{{- end -}}
+{{- $result = (concat (default (list ) $result) (list $listener)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $listeners := (list ) -}}
+{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}}
+{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}}
+{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}}
+{{- end -}}
+{{- range $k, $lis := $l.external -}}
+{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}}
+{{- continue -}}
+{{- end -}}
+{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}}
+{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "%s/%s/tls.crt" "/etc/tls/certs" $certName) "key_file" (printf "%s/%s/tls.key" "/etc/tls/certs" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $listeners) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}}
+{{- $l := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tss := (coalesce nil) -}}
+{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne (toJson $l.tls.trustStore) "null")) -}}
+{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}}
+{{- end -}}
+{{- range $_, $key := (sortAlpha (keys $l.external)) -}}
+{{- $lis := (index $l.external $key) -}}
+{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq (toJson $lis.tls.trustStore) "null")) -}}
+{{- continue -}}
+{{- end -}}
+{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $tss) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}}
+{{- $sr := (index .a 0) -}}
+{{- $tls := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $sr.tls $tls) ))) "r") )) -}}
+{{- if (not $t.enabled) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $schemaRegistryPrefix := (printf "%s/%s" "/etc/tls/certs" $sr.tls.cert) -}}
+{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $sr.tls.cert) ))) "r").caEnabled -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/ca.crt" $schemaRegistryPrefix)) -}}
+{{- else -}}
+{{- $_ := (set $t "caFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}}
+{{- end -}}
+{{- if (not $sr.tls.requireClientAuth) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_ := (set $t "certFilepath" (printf "%s/tls.crt" $schemaRegistryPrefix)) -}}
+{{- $_ := (set $t "keyFilepath" (printf "%s/tls.key" $schemaRegistryPrefix)) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $t) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}}
+{{- $l := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TunableConfig.Translate" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- if (eq (toJson $c) "null") -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $result := (dict ) -}}
+{{- range $k, $v := $c -}}
+{{- if (not (empty $v)) -}}
+{{- $_ := (set $result $k $v) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.NodeConfig.Translate" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- range $k, $v := $c -}}
+{{- if (not (empty $v)) -}}
+{{- $tmp_tuple_12 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}}
+{{- $ok_13 := $tmp_tuple_12.T2 -}}
+{{- if $ok_13 -}}
+{{- $_ := (set $result $k $v) -}}
+{{- else -}}{{- if (kindIs "bool" $v) -}}
+{{- $_ := (set $result $k $v) -}}
+{{- else -}}
+{{- $_ := (set $result $k (toYaml $v)) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.ClusterConfig.Translate" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $result := (dict ) -}}
+{{- range $k, $v := $c -}}
+{{- $tmp_tuple_13 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}}
+{{- $ok_15 := $tmp_tuple_13.T2 -}}
+{{- $b_14 := $tmp_tuple_13.T1 -}}
+{{- if $ok_15 -}}
+{{- $_ := (set $result $k $b_14) -}}
+{{- continue -}}
+{{- end -}}
+{{- if (not (empty $v)) -}}
+{{- $_ := (set $result $k $v) -}}
+{{- end -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $result) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretRef.AsSource" -}}
+{{- $sr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sr.name )) (dict "key" $sr.key )) ))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.SecretRef.IsValid" -}}
+{{- $sr := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and (and (ne (toJson $sr) "null") (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TieredStorageCredentials.AsEnvVars" -}}
+{{- $tsc := (index .a 0) -}}
+{{- $config := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_14 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $hasAccessKey := $tmp_tuple_14.T2 -}}
+{{- $tmp_tuple_15 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $hasSecretKey := $tmp_tuple_15.T2 -}}
+{{- $tmp_tuple_16 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $config "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $hasSharedKey := $tmp_tuple_16.T2 -}}
+{{- $envvars := (coalesce nil) -}}
+{{- if (and (not $hasAccessKey) (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.accessKey) ))) "r")) -}}
+{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.accessKey) ))) "r") )))) -}}
+{{- end -}}
+{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $tsc.secretKey) ))) "r") -}}
+{{- if (and (not $hasSecretKey) (not (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r"))) -}}
+{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}}
+{{- else -}}{{- if (and (not $hasSharedKey) (get (fromJson (include "redpanda.TieredStorageConfig.HasAzureCanaries" (dict "a" (list (deepCopy $config)) ))) "r")) -}}
+{{- $envvars = (concat (default (list ) $envvars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (get (fromJson (include "redpanda.SecretRef.AsSource" (dict "a" (list $tsc.secretKey) ))) "r") )))) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $envvars) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TieredStorageConfig.HasAzureCanaries" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_17 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_container" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $containerExists := $tmp_tuple_17.T2 -}}
+{{- $tmp_tuple_18 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $accountExists := $tmp_tuple_18.T2 -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (and $containerExists $accountExists)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TieredStorageConfig.CloudStorageCacheSize" -}}
+{{- $c := (index .a 0) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $tmp_tuple_19 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $c `cloud_storage_cache_size` (coalesce nil)) ))) "r")) ))) "r") -}}
+{{- $ok := $tmp_tuple_19.T2 -}}
+{{- $value := $tmp_tuple_19.T1 -}}
+{{- if (not $ok) -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" (coalesce nil)) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $value) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "redpanda.TieredStorageConfig.Translate" -}}
+{{- $c := (index .a 0) -}}
+{{- $creds := (index .a 1) -}}
+{{- range $_ := (list 1) -}}
+{{- $_is_returning := false -}}
+{{- $config := (merge (dict ) (dict ) $c) -}}
+{{- range $_, $envvar := (get (fromJson (include "redpanda.TieredStorageCredentials.AsEnvVars" (dict "a" (list $creds $c) ))) "r") -}}
+{{- $key := (lower (substr ((get (fromJson (include "_shims.len" (dict "a" (list "REDPANDA_") ))) "r") | int) -1 $envvar.name)) -}}
+{{- $_ := (set $config $key (printf "$%s" $envvar.name)) -}}
+{{- end -}}
+{{- if $_is_returning -}}
+{{- break -}}
+{{- end -}}
+{{- $size_16 := (get (fromJson (include "redpanda.TieredStorageConfig.CloudStorageCacheSize" (dict "a" (list (deepCopy $c)) ))) "r") -}}
+{{- if (ne (toJson $size_16) "null") -}}
+{{- $_ := (set $config "cloud_storage_cache_size" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $size_16) ))) "r") | int64)) -}}
+{{- end -}}
+{{- $_is_returning = true -}}
+{{- (dict "r" $config) | toJson -}}
+{{- break -}}
+{{- end -}}
+{{- end -}}
+
diff --git a/charts/redpanda/redpanda/5.9.9/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/5.9.9/templates/connectors/connectors.yaml
new file mode 100644
index 000000000..25343f584
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/connectors/connectors.yaml
@@ -0,0 +1,109 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{ if and .Values.connectors.enabled (not .Values.connectors.deployment.create) }}
+
+{{ $values := .Values }}
+
+{{/* brokers */}}
+{{ $kafkaBrokers := list }}
+{{ range (include "seed-server-list" . | mustFromJson) }}
+ {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }}
+{{ end }}
+
+{{ $connectorsValues := dict
+ "Values" (dict
+ "connectors" (dict
+ "bootstrapServers" (join "," $kafkaBrokers)
+ "brokerTLS" (dict
+ "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool
+ "ca" (dict
+ "secretRef" (ternary (printf "%s-default-cert" (include "redpanda.fullname" .)) "" (include "kafka-internal-tls-enabled" . | fromJson).bool)
+ )
+ )
+ )
+ )
+}}
+
+{{ $extraVolumes := list }}
+{{ $extraVolumeMounts := list }}
+{{ $extraEnv := .Values.connectors.deployment.extraEnv }}
+{{ $command := list }}
+{{ if (include "sasl-enabled" . | fromJson).bool }}
+ {{ $command = concat $command (list "bash" "-c") }}
+ {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;" ( include "sasl-mechanism" . | lower )) }}
+ {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }}
+ {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }}
+ {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }}
+ {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }}
+ {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }}
+ {{ $command = append $command $consoleSASLConfig }}
+
+ {{ $extraVolumes = concat $extraVolumes .Values.connectors.storage.volume }}
+
+ {{ $extraVolumes = append $extraVolumes (dict
+ "name" (printf "%s-users" (include "redpanda.fullname" .))
+ "secret" (dict
+ "secretName" .Values.auth.sasl.secretRef
+ )
+ )}}
+
+ {{ $extraVolumeMounts = concat $extraVolumeMounts .Values.connectors.storage.volumeMounts }}
+
+ {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+ "name" (printf "%s-users" (include "redpanda.fullname" .))
+ "mountPath" "/mnt/users"
+ "readOnly" true
+ )}}
+ {{ $extraVolumes = append $extraVolumes (dict
+ "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49)
+ "emptyDir" (dict)
+ )}}
+ {{ $extraVolumeMounts = append $extraVolumeMounts (dict
+ "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49)
+ "mountPath" "/opt/kafka/connect-password/rc-credentials"
+ )}}
+ {{ $extraEnv = append $extraEnv (dict
+ "name" "CONNECT_SASL_PASSWORD_FILE"
+ "value" "rc-credentials/password"
+ )}}
+ {{ $connectorsValues := merge $connectorsValues (dict
+ "Values" (dict
+ "storage" (dict
+ "volumeMounts" $extraVolumeMounts
+ "volume" $extraVolumes
+ )
+ "auth" (dict
+ "sasl" (dict
+ "enabled" .Values.auth.sasl.enabled
+ )
+ )
+ "deployment" (dict
+ "command" $command
+ "extraEnv" $extraEnv
+ )
+ )
+ )}}
+{{ end }}
+
+{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "deployment" (dict "create" (not .Values.connectors.deployment.create)))) }}
+{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "test" (dict "create" (not .Values.connectors.test.create)))) }}
+{{ $helmVars := merge $connectorsValues .Subcharts.connectors }}
+{{ $helmVars = (dict "Chart" .Subcharts.connectors.Chart "Release" .Release "Values" (merge (dict "AsMap" $helmVars.Values) $helmVars.Values)) }}
+{{ include (print .Subcharts.connectors.Template.BasePath "/deployment.yaml") $helmVars }}
+---
+{{ include (print .Subcharts.connectors.Template.BasePath "/tests/01-mm2-values.yaml") $helmVars }}
+{{ end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/entry-point.yaml b/charts/redpanda/redpanda/5.9.9/templates/entry-point.yaml
new file mode 100644
index 000000000..6cdf646ad
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/entry-point.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- include "_shims.render-manifest" (list "redpanda.render" .) -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-api-status.yaml
new file mode 100644
index 000000000..330a2c4a4
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-api-status.yaml
@@ -0,0 +1,52 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-api-status"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ until rpk cluster info \
+ --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }}
+ do sleep 2
+ done
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-auditLogging.yaml
new file mode 100644
index 000000000..fea34776f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-auditLogging.yaml
@@ -0,0 +1,86 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/}}
+{{/*
+ This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met
+ as part of setting auditLogging being enabled.
+*/}}
+{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }}
+{{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-audit-logging"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: { { - toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -xe
+ old_setting=${-//[^x]/}
+ audit_topic_name="_redpanda.audit_log"
+ expected_partitions={{ .Values.auditLogging.partitions }}
+
+ # sasl configurations
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+
+ # now run the to determine if we have the right results
+ # should describe topic without error
+ rpk topic describe ${audit_topic_name}
+ # should get the expected values
+ result=$(rpk topic list | grep ${audit_topic_name})
+ name=$(echo $result | awk '{print $1}')
+ partitions=$(echo $result | awk '{print $2}')
+ if [ "${name}" != "${audit_topic_name}" ]; then
+ echo "expected topic name does not match"
+ exit 1
+ fi
+ if [ ${partitions} != ${expected_partitions} ]; then
+ echo "expected partition size did not match"
+ exit 1
+ fi
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources:
+{{- toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-connector-via-console.yaml
new file mode 100644
index 000000000..67619a829
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-connector-via-console.yaml
@@ -0,0 +1,166 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }}
+{{- $sasl := .Values.auth.sasl }}
+{{- $values := .Values }}
+{{- $consoleValues := (merge (dict) .Values.console .Subcharts.console.Values) -}}
+{{- $consoleDot := dict "Values" (dict "AsMap" $consoleValues) "Release" .Release "Chart" .Subcharts.console.Chart -}}
+{{- $connectorsDot := dict "Values" (merge (dict) .Values.connectors .Subcharts.connectors.Values) "Release" .Release "Chart" .Subcharts.connectors.Chart -}}
+{{/* brokers */}}
+{{- $kafkaBrokers := list }}
+{{- range (include "seed-server-list" . | mustFromJson) }}
+ {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }}
+{{- end }}
+{{- $brokersString := join "," $kafkaBrokers}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ test-name: test-connectors-via-console
+ annotations:
+ test-name: test-connectors-via-console
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ env:
+ - name: TLS_ENABLED
+ value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -xe
+
+ trap connectorsState ERR
+
+ connectorsState () {
+ echo check connectors expand status
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status
+ echo check connectors expand info
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info
+ echo check connector configuration
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME
+ echo check connector topics
+ curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsDot }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics
+ }
+
+ {{- if .Values.auth.sasl.enabled }}
+ set -e
+ set +x
+
+ echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)"
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ RPK_USER="${REDPANDA_SASL_USERNAME}"
+ RPK_PASS="${REDPANDA_SASL_PASSWORD}"
+ RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}"
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+
+ JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\","
+ JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\","
+ set -x
+ set +e
+ {{- end }}
+
+ {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }}
+ rpk topic create {{ $testTopic }}
+ rpk topic list
+ echo "Test message!" | rpk topic produce {{ $testTopic }}
+
+ SECURITY_PROTOCOL=PLAINTEXT
+ if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SASL_SSL"
+ elif [[ -n "$RPK_SASL_MECHANISM" ]]; then
+ SECURITY_PROTOCOL="SASL_PLAINTEXT"
+ elif [[ $TLS_ENABLED == "true" ]]; then
+ SECURITY_PROTOCOL="SSL"
+ fi
+
+ CONNECTOR_NAME=mm2-$RANDOM
+ cat << 'EOF' > /tmp/mm2-conf.json
+ {
+ "connectorName": "CONNECTOR_NAME",
+ "config": {
+ "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector",
+ "topics": "{{ $testTopic }}",
+ "replication.factor": "1",
+ "tasks.max": "1",
+ "source.cluster.bootstrap.servers": {{ $brokersString | quote }},
+ "target.cluster.bootstrap.servers": {{ $brokersString | quote }},
+ "target.cluster.alias": "test-only-redpanda",
+ "source.cluster.alias": "source",
+ "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter",
+ "source->target.enabled": "true",
+ "target->source.enabled": "false",
+ "sync.topic.configs.interval.seconds": "5",
+ "sync.topics.configs.enabled": "true",
+ "source.cluster.ssl.truststore.type": "PEM",
+ "target.cluster.ssl.truststore.type": "PEM",
+ "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt",
+ "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt",
+ JAAS_CONFIG_SOURCE
+ JAAS_CONFIG_TARGET
+ "source.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "target.cluster.security.protocol": "SECURITY_PROTOCOL",
+ "source.cluster.sasl.mechanism": "SASL_MECHANISM",
+ "target.cluster.sasl.mechanism": "SASL_MECHANISM"
+ }
+ }
+ EOF
+
+ sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json
+ sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json
+ sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json
+ set +x
+ sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json
+ sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json
+ set -x
+
+ URL=http://{{ get ((include "console.Fullname" (dict "a" (list $consoleDot))) | fromJson) "r" }}:{{ get (fromJson (include "console.ContainerPort" (dict "a" (list $consoleDot) ))) "r" }}/api/kafka-connect/clusters/connectors/connectors
+ {{/* outputting to /dev/null because the output contains the user password */}}
+ echo "Creating mm2 connector"
+ curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json
+
+ rpk topic consume source.{{ $testTopic }} -n 1
+
+ echo "Destroying mm2 connector"
+ curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}"
+
+ rpk topic list
+ rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-console.yaml
new file mode 100644
index 000000000..aeef1117a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-console.yaml
@@ -0,0 +1,49 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled .Values.console.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-console"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-internal-external-tls-secrets.yaml
new file mode 100644
index 000000000..53d75bb1b
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-internal-external-tls-secrets.yaml
@@ -0,0 +1,122 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }}
+ {{- $values := .Values }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - bash
+ - -c
+ - |
+ set -x
+
+ retry() {
+ local retries="$1"
+ local command="$2"
+
+ # Run the command, and save the exit code
+ bash -c $command
+ local exit_code=$?
+
+ # If the exit code is non-zero (i.e. command failed), and we have not
+ # reached the maximum number of retries, run the command again
+ if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then
+ retry $(($retries - 1)) "$command"
+ else
+ # Return the exit code from the command
+ return $exit_code
+ fi
+ }
+
+ {{- range $name, $cert := $values.tls.certs }}
+ {{- if $cert.secretRef }}
+ echo testing cert: {{ $name | quote }}
+
+ {{- if eq $cert.secretRef.name "internal-tls-secret" }}
+ echo "---> testing internal tls"
+ retry 5 'openssl s_client -verify_return_error -prexit
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key
+ -connect {{ include "admin-api-urls" $ }}'
+ {{- end }}
+
+ {{- if eq $cert.secretRef.name "external-tls-secret" }}
+ echo "---> testing external tls"
+
+ {{- if eq $values.listeners.kafka.external.default.tls.cert $name }}
+ echo "-----> testing external tls: kafka api"
+ {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }}
+ retry 5 'openssl s_client -verify_return_error -prexit
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key
+ -connect {{ $values.external.domain }}:{{ $port }}'
+ {{- end }}
+
+ {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }}
+ echo "-----> testing external tls: schema registry"
+ {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }}
+ retry 5 'openssl s_client -verify_return_error -prexit
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key
+ -connect {{ $values.external.domain }}:{{ $port }}'
+ {{- end }}
+
+ {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }}
+ echo "-----> testing external tls: http api"
+ {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }}
+ retry 5 'openssl s_client -verify_return_error -prexit
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key
+ -connect {{ $values.external.domain }}:{{ $port }}'
+ {{- end }}
+
+ {{- end }}
+ echo "----"
+
+ {{- end }}
+ {{- end }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-internal-tls-status.yaml
new file mode 100644
index 000000000..dcfc02cbd
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-internal-tls-status.yaml
@@ -0,0 +1,62 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}}
+ {{- $service := .Values.listeners.kafka -}}
+ {{- $cert := get .Values.tls.certs $service.tls.cert -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ until rpk cluster info \
+ --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . }}:{{ $service.port }} \
+ --tls-enabled \
+ {{- if $cert.caEnabled }}
+ --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt
+ {{- else }}
+ {{- /* This is a required field so we use the default in the redpanda debian container */}}
+ --tls-truststore /etc/ssl/certs/ca-certificates.crt
+ {{- end }}
+ do sleep 2
+ done
+ resources: {{ toYaml .Values.statefulset.resources | nindent 12 }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-nodelete.yaml
new file mode 100644
index 000000000..9b5fe4237
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-nodelete.yaml
@@ -0,0 +1,100 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }}
+{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }}
+{{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ env:
+ - name: REDPANDA_BROKERS
+ value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -e
+{{- $cloudStorageFlags := "" }}
+{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }}
+ {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}}
+{{- end }}
+{{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+{{- end }}
+
+ exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}')
+ if [[ "$exists" != "my_sample_topic" ]]; then
+ until rpk topic create my_sample_topic {{ $cloudStorageFlags }}
+ do sleep 2
+ done
+ fi
+
+ {{- range $i := until 100 }}
+ echo "Pandas are awesome!" | rpk topic produce my_sample_topic
+ {{- end }}
+ sleep 2
+ rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!"
+
+ # now check if we can delete the topic (we should not)
+ rpk topic delete my_sample_topic
+
+ {{- if has "my_sample_topic" $noDeleteTopics }}
+ result=$(rpk topic list | grep my_sample_topic | awk '{print $1}')
+ if [[ "$result" != "my_sample_topic" ]]; then
+ echo "topic should not have been deleted"
+ exit 1
+ fi
+ {{- end }}
+
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources: {{ toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-produce-consume.yaml
new file mode 100644
index 000000000..d8f0ee751
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-produce-consume.yaml
@@ -0,0 +1,83 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.tests.enabled }}
+{{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ env:
+ - name: REDPANDA_BROKERS
+ value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}"
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -e
+{{- $cloudStorageFlags := "" }}
+{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }}
+ {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}}
+{{- end }}
+{{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+{{- end }}
+ until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }}
+ do sleep 2
+ done
+ {{- range $i := until 100 }}
+ echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME
+ {{- end }}
+ sleep 2
+ rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!"
+ rpk topic delete produce.consume.test.$POD_NAME
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources: {{ toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-sasl-status.yaml
new file mode 100644
index 000000000..0519c44bb
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-kafka-sasl-status.yaml
@@ -0,0 +1,79 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }}
+{{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -xe
+
+{{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+{{- end }}
+
+ until rpk acl user delete myuser
+ do sleep 2
+ done
+ sleep 3
+
+ {{ include "rpk-cluster-info" $ }}
+ {{ include "rpk-acl-user-create" $ }}
+ {{ include "rpk-acl-create" $ }}
+ sleep 3
+ {{ include "rpk-topic-create" $ }}
+ {{ include "rpk-topic-describe" $ }}
+ {{ include "rpk-topic-delete" $ }}
+ rpk acl user delete myuser
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources:
+{{- toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-license-with-console.yaml
new file mode 100644
index 000000000..1edf7a350
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-license-with-console.yaml
@@ -0,0 +1,61 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }}
+{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-license-with-console"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext:
+ runAsUser: 65535
+ runAsGroup: 65535
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: mintel/docker-alpine-bash-curl-jq:latest
+ command: [ "/bin/bash", "-c" ]
+ args:
+ - |
+ echo "testing that we do NOT have an open source license"
+ set -xe
+
+ max_iteration=10
+ curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq .
+ type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type)
+ while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do
+ max_iteration=$(( max_iteration - 1 ))
+ type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type)
+ done
+ if [[ "$type" == "open_source" || "$type" == "" ]]; then
+ curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq .
+ exit 1
+ fi
+ set +x
+ echo "license test passed."
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-lifecycle-scripts.yaml
new file mode 100644
index 000000000..5c72e1d9f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-lifecycle-scripts.yaml
@@ -0,0 +1,66 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-lifecycle"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ env:
+ - name: SERVICE_NAME
+ value: {{ include "redpanda.fullname" . }}-0
+ command:
+ - /bin/timeout
+ - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}"
+ - bash
+ - -xec
+ - |
+ /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh
+ ls -l /tmp/preStop*
+ test -f /tmp/preStopHookStarted
+ test -f /tmp/preStopHookFinished
+
+ /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh
+ ls -l /tmp/postStart*
+ test -f /tmp/postStartHookStarted
+ test -f /tmp/postStartHookFinished
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ - name: lifecycle-scripts
+ mountPath: /var/lifecycle
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+ - name: lifecycle-scripts
+ secret:
+ secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle
+ defaultMode: 0o775
+ {{- end }}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-loadbalancer-tls.yaml
new file mode 100644
index 000000000..4db3523d2
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-loadbalancer-tls.yaml
@@ -0,0 +1,173 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */}}
+{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}}
+ {{- $values := .Values }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ serviceAccountName: test-loadbalancer-tls-redpanda
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: mintel/docker-alpine-bash-curl-jq:latest
+ command:
+ - bash
+ - -c
+ - |
+ set -x
+ export APISERVER=https://kubernetes.default.svc
+ export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+ export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
+ export TOKEN=$(cat ${SERVICEACCOUNT}/token)
+ export CACERT=${SERVICEACCOUNT}/ca.crt
+
+ ip_list=""
+
+ replicas={{ .Values.statefulset.replicas }}
+ if [ "${replicas}" -lt "1" ]; then
+ echo "replicas cannot be less than 1"
+ exit 1
+ fi
+
+ range=$(expr $replicas - 1)
+ ordinal_list=$(seq 0 $range)
+
+ set -e
+
+ for i in $ordinal_list
+ do
+ POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
+ -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i)
+ ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip )
+ ip_list="$ip $ip_list"
+ done
+
+ echo test will be run against $ip_list
+ echo testing LoadBalancer connectivity
+
+ {{- range $name, $cert := $values.tls.certs }}
+ {{- if $cert.secretRef }}
+ {{- if eq $cert.secretRef.name "external-tls-secret" }}
+ echo "---> testing external tls"
+
+ {{- if eq $values.listeners.kafka.external.default.tls.cert $name }}
+ echo "-----> testing external tls: kafka api"
+ {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }}
+
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled -}}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end -}}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }}
+ done
+ {{- end }}
+
+ {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }}
+ {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }}
+ echo "-----> testing external tls: schema registry"
+ {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }}
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled -}}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end -}}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }}
+ done
+ {{- end }}
+
+ {{- if eq $values.listeners.http.external.default.tls.cert $name }}
+ echo "-----> testing external tls: http api"
+ {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }}
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled -}}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end -}}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }}
+ done
+ {{- end }}
+ {{- end }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-loadbalancer-tls-redpanda
+ annotations:
+ helm.sh/hook-weight: "-100"
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: test-loadbalancer-tls-redpanda
+ annotations:
+ helm.sh/hook-weight: "-100"
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: test-loadbalancer-tls-redpanda
+subjects:
+ - kind: ServiceAccount
+ name: test-loadbalancer-tls-redpanda
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: test-loadbalancer-tls-redpanda
+ annotations:
+ helm.sh/hook-weight: "-100"
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ verbs:
+ - get
+
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-nodeport-tls.yaml
new file mode 100644
index 000000000..4310eaf3a
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-nodeport-tls.yaml
@@ -0,0 +1,173 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */}}
+{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}}
+ {{- $values := .Values }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-nodeport-tls
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+spec:
+ serviceAccountName: test-nodeport-tls-redpanda-no-a-test
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: mintel/docker-alpine-bash-curl-jq:latest
+ command:
+ - bash
+ - -c
+ - |
+ set -x
+ export APISERVER=https://kubernetes.default.svc
+ export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+ export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
+ export TOKEN=$(cat ${SERVICEACCOUNT}/token)
+ export CACERT=${SERVICEACCOUNT}/ca.crt
+
+ ip_list=""
+
+ replicas={{ .Values.statefulset.replicas }}
+ if [ "${replicas}" -lt "1" ]; then
+ echo "replicas cannot be less than 1"
+ exit 1
+ fi
+
+ range=$(expr $replicas - 1)
+ ordinal_list=$(seq 0 $range)
+
+ set -e
+
+ for i in $ordinal_list
+ do
+ POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \
+ -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i)
+ ip=$(echo $POD_DESC | jq -r .status.hostIP )
+ ip_list="$ip $ip_list"
+ done
+
+ echo test will be run against $ip_list
+ echo testing NodePort connectivity
+ {{- range $name, $cert := $values.tls.certs }}
+ {{- if $cert.secretRef }}
+ {{- if eq $cert.secretRef.name "external-tls-secret" }}
+ echo "---> testing external tls"
+
+ {{- if eq $values.listeners.kafka.external.default.tls.cert $name }}
+ echo "-----> testing external tls: kafka api"
+ {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }}
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \
+ -connect ${ip}:{{ $port }}
+ done
+ {{- end }}
+
+ {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }}
+ {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }}
+ echo "-----> testing external tls: schema registry"
+ {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }}
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \
+ -connect ${ip}:{{ $port }}
+ done
+ {{- end }}
+
+ {{- if eq $values.listeners.http.external.default.tls.cert $name }}
+ echo "-----> testing external tls: http api"
+ {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }}
+ for ip in $ip_list
+ do
+ openssl s_client -verify_return_error -prexit \
+ {{- if $cert.caEnabled }}
+ -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \
+ {{- end }}
+ -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \
+ -connect ${ip}:{{ $port }}
+ done
+ {{- end }}
+ {{- end }}
+
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-nodeport-tls-redpanda-no-a-test
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-100"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: test-nodeport-tls-redpanda-no-a-test
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-100"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: test-nodeport-tls-redpanda-no-a-test
+subjects:
+ - kind: ServiceAccount
+ name: test-nodeport-tls-redpanda-no-a-test
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: test-nodeport-tls-redpanda-no-a-test
+ annotations:
+ helm.sh/hook: test
+ helm.sh/hook-delete-policy: before-hook-creation
+ helm.sh/hook-weight: "-100"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ verbs:
+ - get
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-internal-tls-status.yaml
new file mode 100644
index 000000000..4cb6aaa0f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-internal-tls-status.yaml
@@ -0,0 +1,81 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}}
+ {{- $service := .Values.listeners.http -}}
+ {{- $cert := get .Values.tls.certs $service.tls.cert -}}
+ {{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command: [ "/bin/bash", "-c" ]
+ args:
+ - |
+ {{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}"
+ RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}"
+ if [[ -n "$old_setting" ]]; then set -x; fi
+ {{- end }}
+
+ curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \
+ {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }}
+ -u ${RPK_USER}:${RPK_PASS} \
+ {{- end }}
+ {{- if $cert.caEnabled }}
+ --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \
+ {{- end }}
+ https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers
+
+ curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \
+ {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }}
+ -u ${RPK_USER}:${RPK_PASS} \
+ {{- end }}
+ {{- if $cert.caEnabled }}
+ --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \
+ {{- end }}
+ https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources: {{ toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end -}}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-status.yaml
new file mode 100644
index 000000000..4f5ee6bb7
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-pandaproxy-status.yaml
@@ -0,0 +1,72 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}}
+ {{- $sasl := .Values.auth.sasl }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command: [ "/bin/bash", "-c" ]
+ args:
+ - |
+ {{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}"
+ RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}"
+ if [[ -n "$old_setting" ]]; then set -x; fi
+ {{- end }}
+
+ curl {{ template "curl-options" . }} \
+ {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }}
+ -u ${RPK_USER}:${RPK_PASS} \
+ {{- end }}
+ http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers
+
+ curl {{ template "curl-options" . }} \
+ {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }}
+ -u ${RPK_USER}:${RPK_PASS} \
+ {{- end }}
+ http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-prometheus-targets.yaml
new file mode 100644
index 000000000..81f83a34e
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-prometheus-targets.yaml
@@ -0,0 +1,84 @@
+{{/*
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */}}
+
+{{- if and .Values.tests.enabled .Values.monitoring.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+ {{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest
+ command: [ "/bin/bash", "-c" ]
+ args:
+ - |
+ set -xe
+
+ HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy)
+ if [ $HEALTHY != 200 ]; then
+ echo "prometheus is not healthy, exiting"
+ exit 1
+ fi
+
+ echo "prometheus is healthy, checking if ready..."
+
+ READY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready)
+ if [ $READY != 200 ]; then
+ echo "prometheus is not ready, exiting"
+ exit 1
+ fi
+
+ echo "prometheus is ready, requesting target information..."
+
+
+ curl_prometheus() {
+
+ # Run the command, and save the exit code
+ # from: https://prometheus.io/docs/prometheus/latest/querying/api/
+ local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l )
+
+ echo $RESULT
+ }
+ for d in $(seq 1 30); do
+ RESULT=$(curl_prometheus)
+ if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then
+ break
+ fi
+ sleep 15
+ done
+
+ set +x
+ if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then
+ curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq .
+ echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}"
+ exit 1
+ fi
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-rack-awareness.yaml
new file mode 100644
index 000000000..82a31937f
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-rack-awareness.yaml
@@ -0,0 +1,61 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.tests.enabled }}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-rack-awareness
+ namespace: {{ .Release.Namespace | quote }}
+{{- with include "full.labels" . }}
+ labels: {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+{{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+{{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -e
+{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }}
+ curl {{ template "curl-options" . }} \
+ {{- if (include "tls-enabled" . | fromJson).bool }}
+ {{- if (dig "default" "caEnabled" false .Values.tls.certs) }}
+ --cacert "/etc/tls/certs/default/ca.crt" \
+ {{- end }}
+ https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"'
+ {{- else }}
+ http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"'
+ {{- end }}
+{{- end }}
+
+ rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}'
+
+ rpk cluster config get enable_rack_awareness
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-rpk-debug-bundle.yaml
new file mode 100644
index 000000000..3230f0881
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-rpk-debug-bundle.yaml
@@ -0,0 +1,104 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{/*
+
+This test currently fails because of a bug where when multiple containers exist
+The api returns an error. We should be requesting logs from each container.
+
+
+{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}}
+ {{- $sasl := .Values.auth.sasl }}
+ {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }}
+
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0
+ topologyKey: kubernetes.io/hostname
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ initContainers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ - name: shared-data
+ mountPath: /usr/share/redpanda/test
+ - name: datadir
+ mountPath: /var/lib/redpanda/data
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -e
+ {{- if .Values.auth.sasl.enabled }}
+ old_setting=${-//[^x]/}
+ set +x
+ IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+ if [[ -n "$old_setting" ]]; then set -x; fi
+ {{- end }}
+ rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }}
+ containers:
+ - name: {{ template "redpanda.name" . }}-tester
+ image: busybox:latest
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ - name: shared-data
+ mountPath: /test
+ command:
+ - /bin/ash
+ - -c
+ - |
+ set -e
+ unzip /test/debug-test.zip -d /tmp/bundle
+
+ test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt
+ test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt
+ test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt
+
+ test -d /tmp/bundle/controller
+
+ test -f /tmp/bundle/k8s/pods.json
+ test -f /tmp/bundle/k8s/configmaps.json
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end -}}
+*/}}
\ No newline at end of file
diff --git a/charts/redpanda/redpanda/5.9.9/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.9/templates/tests/test-sasl-updated.yaml
new file mode 100644
index 000000000..5f61be552
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/templates/tests/test-sasl-updated.yaml
@@ -0,0 +1,71 @@
+{{/*
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users"
+ namespace: {{ .Release.Namespace | quote }}
+ labels:
+{{- with include "full.labels" . }}
+ {{- . | nindent 4 }}
+{{- end }}
+ annotations:
+ "helm.sh/hook": test
+ "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+ restartPolicy: Never
+ securityContext: {{ include "pod-security-context" . | nindent 4 }}
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets: {{- toYaml . | nindent 4 }}
+ {{- end }}
+ containers:
+ - name: {{ template "redpanda.name" . }}
+ image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }}
+ command:
+ - /usr/bin/timeout
+ - "120"
+ - bash
+ - -c
+ - |
+ set -e
+ IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print))
+ {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }}
+ RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- else }}
+ REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}}
+ {{- end }}
+ export {{ include "rpk-sasl-environment-variables" . }}
+
+ set -x
+
+ # check that the users list did update
+ ready_result_exit_code=1
+ while [[ ${ready_result_exit_code} -ne 0 ]]; do
+ ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$?
+ sleep 2
+ done
+
+ # check that sasl is not broken
+ {{ include "rpk-cluster-info" $ }}
+ volumeMounts: {{ include "default-mounts" . | nindent 8 }}
+ resources:
+{{- toYaml .Values.statefulset.resources | nindent 12 }}
+ securityContext: {{ include "container-security-context" . | nindent 8 }}
+ volumes: {{ include "default-volumes" . | nindent 4 }}
+{{- end }}
diff --git a/charts/redpanda/redpanda/5.9.9/values.schema.json b/charts/redpanda/redpanda/5.9.9/values.schema.json
new file mode 100644
index 000000000..99155f8f0
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/values.schema.json
@@ -0,0 +1,12882 @@
+{
+ "$id": "https://github.com/redpanda-data/helm-charts/charts/redpanda/values",
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go",
+ "properties": {
+ "affinity": {
+ "properties": {
+ "nodeAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "preference": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "properties": {
+ "nodeSelectorTerms": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "podAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "podAntiAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "auditLogging": {
+ "properties": {
+ "clientMaxBufferSize": {
+ "type": "integer"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "enabledEventTypes": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "excludedPrincipals": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "excludedTopics": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "listener": {
+ "type": "string"
+ },
+ "partitions": {
+ "type": "integer"
+ },
+ "queueDrainIntervalMs": {
+ "type": "integer"
+ },
+ "queueMaxBufferSizePerShard": {
+ "type": "integer"
+ },
+ "replicationFactor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "auth": {
+ "properties": {
+ "sasl": {
+ "properties": {
+ "bootstrapUser": {
+ "properties": {
+ "mechanism": {
+ "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$",
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "password": {
+ "type": "string"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "mechanism": {
+ "type": "string"
+ },
+ "secretRef": {
+ "type": "string"
+ },
+ "users": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "mechanism": {
+ "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$",
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "password": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "sasl"
+ ],
+ "type": "object"
+ },
+ "clusterDomain": {
+ "type": "string"
+ },
+ "commonLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "config": {
+ "properties": {
+ "cluster": {
+ "type": "object"
+ },
+ "node": {
+ "type": "object"
+ },
+ "pandaproxy_client": {
+ "properties": {
+ "consumer_heartbeat_interval_ms": {
+ "type": "integer"
+ },
+ "consumer_rebalance_timeout_ms": {
+ "type": "integer"
+ },
+ "consumer_request_max_bytes": {
+ "type": "integer"
+ },
+ "consumer_request_timeout_ms": {
+ "type": "integer"
+ },
+ "consumer_session_timeout_ms": {
+ "type": "integer"
+ },
+ "produce_batch_delay_ms": {
+ "type": "integer"
+ },
+ "produce_batch_record_count": {
+ "type": "integer"
+ },
+ "produce_batch_size_bytes": {
+ "type": "integer"
+ },
+ "retries": {
+ "type": "integer"
+ },
+ "retry_base_backoff_ms": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "rpk": {
+ "type": "object"
+ },
+ "schema_registry_client": {
+ "properties": {
+ "consumer_heartbeat_interval_ms": {
+ "type": "integer"
+ },
+ "consumer_rebalance_timeout_ms": {
+ "type": "integer"
+ },
+ "consumer_request_max_bytes": {
+ "type": "integer"
+ },
+ "consumer_request_timeout_ms": {
+ "type": "integer"
+ },
+ "consumer_session_timeout_ms": {
+ "type": "integer"
+ },
+ "produce_batch_delay_ms": {
+ "type": "integer"
+ },
+ "produce_batch_record_count": {
+ "type": "integer"
+ },
+ "produce_batch_size_bytes": {
+ "type": "integer"
+ },
+ "retries": {
+ "type": "integer"
+ },
+ "retry_base_backoff_ms": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "tunable": {
+ "additionalProperties": true,
+ "properties": {
+ "group_initial_rebalance_delay": {
+ "type": "integer"
+ },
+ "log_retention_ms": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cluster",
+ "node",
+ "tunable"
+ ],
+ "type": "object"
+ },
+ "connectors": {
+ "properties": {
+ "connectors": {
+ "properties": {
+ "fullnameOverwrite": {
+ "type": "string"
+ },
+ "restPort": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "console": {
+ "properties": {
+ "affinity": {
+ "properties": {
+ "nodeAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "preference": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "properties": {
+ "nodeSelectorTerms": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "podAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "podAntiAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "autoscaling": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "maxReplicas": {
+ "type": "integer"
+ },
+ "minReplicas": {
+ "type": "integer"
+ },
+ "targetCPUUtilizationPercentage": {
+ "type": "integer"
+ },
+ "targetMemoryUtilizationPercentage": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "commonLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "configmap": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "console": {
+ "properties": {
+ "config": {
+ "type": "object"
+ },
+ "roleBindings": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "roles": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "deployment": {
+ "properties": {
+ "command": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "extraArgs": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "enterprise": {
+ "properties": {
+ "licenseSecretRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "extraContainers": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "args": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "env": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "envFrom": {
+ "items": {
+ "properties": {
+ "configMapRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "prefix": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "image": {
+ "type": "string"
+ },
+ "imagePullPolicy": {
+ "type": "string"
+ },
+ "lifecycle": {
+ "properties": {
+ "postStart": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sleep": {
+ "properties": {
+ "seconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "preStop": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sleep": {
+ "properties": {
+ "seconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "livenessProbe": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "grpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "ports": {
+ "items": {
+ "properties": {
+ "containerPort": {
+ "type": "integer"
+ },
+ "hostIP": {
+ "type": "string"
+ },
+ "hostPort": {
+ "type": "integer"
+ },
+ "name": {
+ "type": "string"
+ },
+ "protocol": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "readinessProbe": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "grpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "resizePolicy": {
+ "items": {
+ "properties": {
+ "resourceName": {
+ "type": "string"
+ },
+ "restartPolicy": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resources": {
+ "properties": {
+ "claims": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "restartPolicy": {
+ "type": "string"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "startupProbe": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "grpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "stdin": {
+ "type": "boolean"
+ },
+ "stdinOnce": {
+ "type": "boolean"
+ },
+ "terminationMessagePath": {
+ "type": "string"
+ },
+ "terminationMessagePolicy": {
+ "type": "string"
+ },
+ "tty": {
+ "type": "boolean"
+ },
+ "volumeDevices": {
+ "items": {
+ "properties": {
+ "devicePath": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "volumeMounts": {
+ "items": {
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "mountPropagation": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ },
+ "subPathExpr": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "workingDir": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "extraEnv": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "extraEnvFrom": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "configMapRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "prefix": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "extraVolumeMounts": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "mountPropagation": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ },
+ "subPathExpr": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "extraVolumes": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "awsElasticBlockStore": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "azureDisk": {
+ "properties": {
+ "cachingMode": {
+ "type": "string"
+ },
+ "diskName": {
+ "type": "string"
+ },
+ "diskURI": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "azureFile": {
+ "properties": {
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ },
+ "shareName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cephfs": {
+ "properties": {
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretFile": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cinder": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "csi": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "nodePublishSecretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "emptyDir": {
+ "properties": {
+ "medium": {
+ "type": "string"
+ },
+ "sizeLimit": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "ephemeral": {
+ "properties": {
+ "volumeClaimTemplate": {
+ "properties": {
+ "metadata": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "creationTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "deletionGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "deletionTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "finalizers": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "generateName": {
+ "type": "string"
+ },
+ "generation": {
+ "type": "integer"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "managedFields": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldsType": {
+ "type": "string"
+ },
+ "fieldsV1": {
+ "properties": {},
+ "type": "object"
+ },
+ "manager": {
+ "type": "string"
+ },
+ "operation": {
+ "type": "string"
+ },
+ "subresource": {
+ "type": "string"
+ },
+ "time": {
+ "properties": {},
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "ownerReferences": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "blockOwnerDeletion": {
+ "type": "boolean"
+ },
+ "controller": {
+ "type": "boolean"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resourceVersion": {
+ "type": "string"
+ },
+ "selfLink": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "accessModes": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "dataSource": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "dataSourceRef": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "selector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "storageClassName": {
+ "type": "string"
+ },
+ "volumeAttributesClassName": {
+ "type": "string"
+ },
+ "volumeMode": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "fc": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "targetWWNs": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "wwids": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "flexVolume": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "options": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "flocker": {
+ "properties": {
+ "datasetName": {
+ "type": "string"
+ },
+ "datasetUUID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "gcePersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "pdName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "gitRepo": {
+ "properties": {
+ "directory": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "revision": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "glusterfs": {
+ "properties": {
+ "endpoints": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "hostPath": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "iscsi": {
+ "properties": {
+ "chapAuthDiscovery": {
+ "type": "boolean"
+ },
+ "chapAuthSession": {
+ "type": "boolean"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "initiatorName": {
+ "type": "string"
+ },
+ "iqn": {
+ "type": "string"
+ },
+ "iscsiInterface": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "portals": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "targetPortal": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "nfs": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "server": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "persistentVolumeClaim": {
+ "properties": {
+ "claimName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "photonPersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "pdID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "portworxVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "projected": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "items": {
+ "properties": {
+ "clusterTrustBundle": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ },
+ "signerName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccountToken": {
+ "properties": {
+ "audience": {
+ "type": "string"
+ },
+ "expirationSeconds": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "quobyte": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tenant": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ },
+ "volume": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "rbd": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "keyring": {
+ "type": "string"
+ },
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "pool": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "scaleIO": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "gateway": {
+ "type": "string"
+ },
+ "protectionDomain": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sslEnabled": {
+ "type": "boolean"
+ },
+ "storageMode": {
+ "type": "string"
+ },
+ "storagePool": {
+ "type": "string"
+ },
+ "system": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "storageos": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeName": {
+ "type": "string"
+ },
+ "volumeNamespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "vsphereVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "storagePolicyID": {
+ "type": "string"
+ },
+ "storagePolicyName": {
+ "type": "string"
+ },
+ "volumePath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "image": {
+ "properties": {
+ "pullPolicy": {
+ "type": "string"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "imagePullSecrets": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "ingress": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "className": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "hosts": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "paths": {
+ "items": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "pathType": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "tls": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "hosts": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "secretName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "initContainers": {
+ "properties": {
+ "extraInitContainers": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "livenessProbe": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "grpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podAnnotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "supplementalGroups": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "sysctls": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "readinessProbe": {
+ "properties": {
+ "exec": {
+ "properties": {
+ "command": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "grpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "service": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "httpGet": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "httpHeaders": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "path": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "scheme": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "tcpSocket": {
+ "properties": {
+ "host": {
+ "type": "string"
+ },
+ "port": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "replicaCount": {
+ "type": "integer"
+ },
+ "resources": {
+ "properties": {
+ "claims": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "create": {
+ "type": "boolean"
+ },
+ "enterprise": {
+ "properties": {
+ "license": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "kafka": {
+ "properties": {
+ "awsMskIamSecretKey": {
+ "type": "string"
+ },
+ "protobufGitBasicAuthPassword": {
+ "type": "string"
+ },
+ "saslPassword": {
+ "type": "string"
+ },
+ "schemaRegistryPassword": {
+ "type": "string"
+ },
+ "schemaRegistryTlsCa": {
+ "type": "string"
+ },
+ "schemaRegistryTlsCert": {
+ "type": "string"
+ },
+ "schemaRegistryTlsKey": {
+ "type": "string"
+ },
+ "tlsCa": {
+ "type": "string"
+ },
+ "tlsCert": {
+ "type": "string"
+ },
+ "tlsKey": {
+ "type": "string"
+ },
+ "tlsPassphrase": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "login": {
+ "properties": {
+ "github": {
+ "properties": {
+ "clientSecret": {
+ "type": "string"
+ },
+ "personalAccessToken": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "google": {
+ "properties": {
+ "clientSecret": {
+ "type": "string"
+ },
+ "groupsServiceAccount": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "jwtSecret": {
+ "type": "string"
+ },
+ "oidc": {
+ "properties": {
+ "clientSecret": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "okta": {
+ "properties": {
+ "clientSecret": {
+ "type": "string"
+ },
+ "directoryApiToken": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "redpanda": {
+ "properties": {
+ "adminApi": {
+ "properties": {
+ "password": {
+ "type": "string"
+ },
+ "tlsCa": {
+ "type": "string"
+ },
+ "tlsCert": {
+ "type": "string"
+ },
+ "tlsKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "secretMounts": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "name": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "secretName": {
+ "type": "string"
+ },
+ "subPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "drop": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "targetPort": {
+ "type": "integer"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "strategy": {
+ "properties": {
+ "rollingUpdate": {
+ "properties": {
+ "maxSurge": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ },
+ "maxUnavailable": {
+ "oneOf": [
+ {
+ "type": "string"
+ },
+ {
+ "type": "number"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "tests": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "tolerations": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "effect": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "tolerationSeconds": {
+ "type": "integer"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "topologySpreadConstraints": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "maxSkew": {
+ "type": "integer"
+ },
+ "minDomains": {
+ "type": "integer"
+ },
+ "nodeAffinityPolicy": {
+ "type": "string"
+ },
+ "nodeTaintsPolicy": {
+ "type": "string"
+ },
+ "topologyKey": {
+ "type": "string"
+ },
+ "whenUnsatisfiable": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "enterprise": {
+ "properties": {
+ "license": {
+ "type": "string"
+ },
+ "licenseSecretRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "external": {
+ "properties": {
+ "addresses": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "domain": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "externalDns": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "prefixTemplate": {
+ "type": "string"
+ },
+ "service": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "sourceRanges": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "type": {
+ "pattern": "^(LoadBalancer|NodePort)$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "type": "object"
+ },
+ "force": {
+ "type": "boolean"
+ },
+ "fullnameOverride": {
+ "type": "string"
+ },
+ "image": {
+ "description": "Values used to define the container image to be used for Redpanda",
+ "properties": {
+ "pullPolicy": {
+ "description": "The Kubernetes Pod image pull policy.",
+ "pattern": "^(Always|Never|IfNotPresent)$",
+ "type": "string"
+ },
+ "repository": {
+ "default": "docker.redpanda.com/redpandadata/redpanda",
+ "description": "container image repository",
+ "type": "string"
+ },
+ "tag": {
+ "default": "Chart.appVersion",
+ "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.",
+ "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "repository",
+ "pullPolicy"
+ ],
+ "type": "object"
+ },
+ "imagePullSecrets": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "license_key": {
+ "deprecated": true,
+ "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$",
+ "type": "string"
+ },
+ "license_secret_ref": {
+ "deprecated": true,
+ "properties": {
+ "secret_key": {
+ "type": "string"
+ },
+ "secret_name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "listeners": {
+ "properties": {
+ "admin": {
+ "properties": {
+ "appProtocol": {
+ "type": "string"
+ },
+ "external": {
+ "minProperties": 1,
+ "patternProperties": {
+ "^[A-Za-z_][A-Za-z0-9_]*$": {
+ "properties": {
+ "advertisedPorts": {
+ "items": {
+ "type": "integer"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "port"
+ ],
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cert",
+ "requireClientAuth"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "port",
+ "tls"
+ ],
+ "type": "object"
+ },
+ "http": {
+ "properties": {
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "none",
+ "http_basic"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "external": {
+ "minProperties": 1,
+ "patternProperties": {
+ "^[A-Za-z_][A-Za-z0-9_]*$": {
+ "properties": {
+ "advertisedPorts": {
+ "items": {
+ "type": "integer"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "none",
+ "http_basic"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "prefixTemplate": {
+ "type": "string"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "port"
+ ],
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "kafkaEndpoint": {
+ "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$",
+ "type": "string"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cert",
+ "requireClientAuth"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "enabled",
+ "tls",
+ "kafkaEndpoint",
+ "port"
+ ],
+ "type": "object"
+ },
+ "kafka": {
+ "properties": {
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "sasl",
+ "none",
+ "mtls_identity"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "external": {
+ "minProperties": 1,
+ "patternProperties": {
+ "^[A-Za-z_][A-Za-z0-9_]*$": {
+ "properties": {
+ "advertisedPorts": {
+ "items": {
+ "type": "integer"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "sasl",
+ "none",
+ "mtls_identity"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "prefixTemplate": {
+ "type": "string"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "port"
+ ],
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cert",
+ "requireClientAuth"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "tls",
+ "port"
+ ],
+ "type": "object"
+ },
+ "rpc": {
+ "properties": {
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cert",
+ "requireClientAuth"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "port",
+ "tls"
+ ],
+ "type": "object"
+ },
+ "schemaRegistry": {
+ "properties": {
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "none",
+ "http_basic"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "external": {
+ "minProperties": 1,
+ "patternProperties": {
+ "^[A-Za-z_][A-Za-z0-9_]*$": {
+ "properties": {
+ "advertisedPorts": {
+ "items": {
+ "type": "integer"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ "authenticationMethod": {
+ "oneOf": [
+ {
+ "enum": [
+ "none",
+ "http_basic"
+ ],
+ "type": "string"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "nodePort": {
+ "type": "integer"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "kafkaEndpoint": {
+ "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$",
+ "type": "string"
+ },
+ "port": {
+ "type": "integer"
+ },
+ "tls": {
+ "properties": {
+ "cert": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "requireClientAuth": {
+ "type": "boolean"
+ },
+ "trustStore": {
+ "maxProperties": 1,
+ "minProperties": 1,
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "cert",
+ "requireClientAuth"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "enabled",
+ "kafkaEndpoint",
+ "port",
+ "tls"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "admin",
+ "http",
+ "kafka",
+ "schemaRegistry",
+ "rpc"
+ ],
+ "type": "object"
+ },
+ "logging": {
+ "properties": {
+ "logLevel": {
+ "pattern": "^(error|warn|info|debug|trace)$",
+ "type": "string"
+ },
+ "usageStats": {
+ "properties": {
+ "clusterId": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "logLevel",
+ "usageStats"
+ ],
+ "type": "object"
+ },
+ "monitoring": {
+ "properties": {
+ "enableHttp2": {
+ "type": "boolean"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "scrapeInterval": {
+ "type": "string"
+ },
+ "tlsConfig": {
+ "properties": {
+ "ca": {
+ "properties": {
+ "configMap": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "caFile": {
+ "type": "string"
+ },
+ "cert": {
+ "properties": {
+ "configMap": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "certFile": {
+ "type": "string"
+ },
+ "insecureSkipVerify": {
+ "type": "boolean"
+ },
+ "keyFile": {
+ "type": "string"
+ },
+ "keySecret": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "serverName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "enabled",
+ "scrapeInterval"
+ ],
+ "type": "object"
+ },
+ "nameOverride": {
+ "type": "string"
+ },
+ "nodeSelector": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "post_install_job": {
+ "properties": {
+ "affinity": {
+ "properties": {
+ "nodeAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "preference": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "properties": {
+ "nodeSelectorTerms": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "podAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "podAntiAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podTemplate": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "containers": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "env": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "enum": [
+ "redpanda",
+ "post-install",
+ "post-upgrade",
+ "redpanda-controllers"
+ ],
+ "type": "string"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumeMounts": {
+ "items": {
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "mountPropagation": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ },
+ "subPathExpr": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "name",
+ "env"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "securityContext": {
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "supplementalGroups": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "sysctls": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumes": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "awsElasticBlockStore": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "azureDisk": {
+ "properties": {
+ "cachingMode": {
+ "type": "string"
+ },
+ "diskName": {
+ "type": "string"
+ },
+ "diskURI": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "azureFile": {
+ "properties": {
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ },
+ "shareName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cephfs": {
+ "properties": {
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretFile": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cinder": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "csi": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "nodePublishSecretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "emptyDir": {
+ "properties": {
+ "medium": {
+ "type": "string"
+ },
+ "sizeLimit": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "ephemeral": {
+ "properties": {
+ "volumeClaimTemplate": {
+ "properties": {
+ "metadata": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "creationTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "deletionGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "deletionTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "finalizers": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "generateName": {
+ "type": "string"
+ },
+ "generation": {
+ "type": "integer"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "managedFields": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldsType": {
+ "type": "string"
+ },
+ "fieldsV1": {
+ "properties": {},
+ "type": "object"
+ },
+ "manager": {
+ "type": "string"
+ },
+ "operation": {
+ "type": "string"
+ },
+ "subresource": {
+ "type": "string"
+ },
+ "time": {
+ "properties": {},
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "ownerReferences": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "blockOwnerDeletion": {
+ "type": "boolean"
+ },
+ "controller": {
+ "type": "boolean"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resourceVersion": {
+ "type": "string"
+ },
+ "selfLink": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "accessModes": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "dataSource": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "dataSourceRef": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "selector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "storageClassName": {
+ "type": "string"
+ },
+ "volumeAttributesClassName": {
+ "type": "string"
+ },
+ "volumeMode": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "fc": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "targetWWNs": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "wwids": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "flexVolume": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "options": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "flocker": {
+ "properties": {
+ "datasetName": {
+ "type": "string"
+ },
+ "datasetUUID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "gcePersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "pdName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "gitRepo": {
+ "properties": {
+ "directory": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "revision": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "glusterfs": {
+ "properties": {
+ "endpoints": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "hostPath": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "iscsi": {
+ "properties": {
+ "chapAuthDiscovery": {
+ "type": "boolean"
+ },
+ "chapAuthSession": {
+ "type": "boolean"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "initiatorName": {
+ "type": "string"
+ },
+ "iqn": {
+ "type": "string"
+ },
+ "iscsiInterface": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "portals": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "targetPortal": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "nfs": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "server": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "persistentVolumeClaim": {
+ "properties": {
+ "claimName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "photonPersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "pdID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "portworxVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "projected": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "items": {
+ "properties": {
+ "clusterTrustBundle": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ },
+ "signerName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccountToken": {
+ "properties": {
+ "audience": {
+ "type": "string"
+ },
+ "expirationSeconds": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "quobyte": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tenant": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ },
+ "volume": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "rbd": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "keyring": {
+ "type": "string"
+ },
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "pool": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "scaleIO": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "gateway": {
+ "type": "string"
+ },
+ "protectionDomain": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sslEnabled": {
+ "type": "boolean"
+ },
+ "storageMode": {
+ "type": "string"
+ },
+ "storagePool": {
+ "type": "string"
+ },
+ "system": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "storageos": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeName": {
+ "type": "string"
+ },
+ "volumeNamespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "vsphereVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "storagePolicyID": {
+ "type": "string"
+ },
+ "storagePolicyName": {
+ "type": "string"
+ },
+ "volumePath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "required": [
+ "containers"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "labels",
+ "annotations",
+ "spec"
+ ],
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "claims": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "drop": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "post_upgrade_job": {
+ "properties": {
+ "affinity": {
+ "properties": {
+ "nodeAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "preference": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "properties": {
+ "nodeSelectorTerms": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchFields": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "podAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "podAntiAffinity": {
+ "properties": {
+ "preferredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "podAffinityTerm": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "requiredDuringSchedulingIgnoredDuringExecution": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "matchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "mismatchLabelKeys": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "namespaceSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "namespaces": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "topologyKey": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "backoffLimit": {
+ "type": "integer"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "extraEnv": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "extraEnvFrom": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "configMapRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "prefix": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podTemplate": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "containers": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "env": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "enum": [
+ "redpanda",
+ "post-install",
+ "post-upgrade",
+ "redpanda-controllers"
+ ],
+ "type": "string"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumeMounts": {
+ "items": {
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "mountPropagation": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ },
+ "subPathExpr": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "name",
+ "env"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "securityContext": {
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "supplementalGroups": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "sysctls": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumes": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "awsElasticBlockStore": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "azureDisk": {
+ "properties": {
+ "cachingMode": {
+ "type": "string"
+ },
+ "diskName": {
+ "type": "string"
+ },
+ "diskURI": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "azureFile": {
+ "properties": {
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ },
+ "shareName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cephfs": {
+ "properties": {
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretFile": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cinder": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "csi": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "nodePublishSecretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "emptyDir": {
+ "properties": {
+ "medium": {
+ "type": "string"
+ },
+ "sizeLimit": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "ephemeral": {
+ "properties": {
+ "volumeClaimTemplate": {
+ "properties": {
+ "metadata": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "creationTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "deletionGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "deletionTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "finalizers": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "generateName": {
+ "type": "string"
+ },
+ "generation": {
+ "type": "integer"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "managedFields": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldsType": {
+ "type": "string"
+ },
+ "fieldsV1": {
+ "properties": {},
+ "type": "object"
+ },
+ "manager": {
+ "type": "string"
+ },
+ "operation": {
+ "type": "string"
+ },
+ "subresource": {
+ "type": "string"
+ },
+ "time": {
+ "properties": {},
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "ownerReferences": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "blockOwnerDeletion": {
+ "type": "boolean"
+ },
+ "controller": {
+ "type": "boolean"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resourceVersion": {
+ "type": "string"
+ },
+ "selfLink": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "accessModes": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "dataSource": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "dataSourceRef": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "selector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "storageClassName": {
+ "type": "string"
+ },
+ "volumeAttributesClassName": {
+ "type": "string"
+ },
+ "volumeMode": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "fc": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "targetWWNs": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "wwids": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "flexVolume": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "options": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "flocker": {
+ "properties": {
+ "datasetName": {
+ "type": "string"
+ },
+ "datasetUUID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "gcePersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "pdName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "gitRepo": {
+ "properties": {
+ "directory": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "revision": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "glusterfs": {
+ "properties": {
+ "endpoints": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "hostPath": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "iscsi": {
+ "properties": {
+ "chapAuthDiscovery": {
+ "type": "boolean"
+ },
+ "chapAuthSession": {
+ "type": "boolean"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "initiatorName": {
+ "type": "string"
+ },
+ "iqn": {
+ "type": "string"
+ },
+ "iscsiInterface": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "portals": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "targetPortal": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "nfs": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "server": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "persistentVolumeClaim": {
+ "properties": {
+ "claimName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "photonPersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "pdID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "portworxVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "projected": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "items": {
+ "properties": {
+ "clusterTrustBundle": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ },
+ "signerName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccountToken": {
+ "properties": {
+ "audience": {
+ "type": "string"
+ },
+ "expirationSeconds": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "quobyte": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tenant": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ },
+ "volume": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "rbd": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "keyring": {
+ "type": "string"
+ },
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "pool": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "scaleIO": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "gateway": {
+ "type": "string"
+ },
+ "protectionDomain": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sslEnabled": {
+ "type": "boolean"
+ },
+ "storageMode": {
+ "type": "string"
+ },
+ "storagePool": {
+ "type": "string"
+ },
+ "system": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "storageos": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeName": {
+ "type": "string"
+ },
+ "volumeNamespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "vsphereVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "storagePolicyID": {
+ "type": "string"
+ },
+ "storagePolicyName": {
+ "type": "string"
+ },
+ "volumePath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "required": [
+ "containers"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "labels",
+ "annotations",
+ "spec"
+ ],
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "claims": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "drop": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "rackAwareness": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "nodeAnnotation": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "enabled",
+ "nodeAnnotation"
+ ],
+ "type": "object"
+ },
+ "rbac": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled",
+ "annotations"
+ ],
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "cpu": {
+ "properties": {
+ "cores": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "overprovisioned": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "cores"
+ ],
+ "type": "object"
+ },
+ "memory": {
+ "properties": {
+ "container": {
+ "properties": {
+ "max": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "min": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "required": [
+ "max"
+ ],
+ "type": "object"
+ },
+ "enable_memory_locking": {
+ "type": "boolean"
+ },
+ "redpanda": {
+ "properties": {
+ "memory": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "reserveMemory": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "container"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "cpu",
+ "memory"
+ ],
+ "type": "object"
+ },
+ "service": {
+ "properties": {
+ "internal": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccount": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "create": {
+ "type": "boolean"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "annotations",
+ "create",
+ "name"
+ ],
+ "type": "object"
+ },
+ "statefulset": {
+ "properties": {
+ "additionalRedpandaCmdFlags": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "additionalSelectorLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "budget": {
+ "properties": {
+ "maxUnavailable": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "maxUnavailable"
+ ],
+ "type": "object"
+ },
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "extraVolumes": {
+ "type": "string"
+ },
+ "initContainerImage": {
+ "properties": {
+ "repository": {
+ "type": "string"
+ },
+ "tag": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "initContainers": {
+ "properties": {
+ "configurator": {
+ "properties": {
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "extraInitContainers": {
+ "type": "string"
+ },
+ "fsValidator": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "expectedFS": {
+ "type": "string"
+ },
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "setDataDirOwnership": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "setTieredStorageCacheDirOwnership": {
+ "properties": {
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "tuning": {
+ "properties": {
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "livenessProbe": {
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "initialDelaySeconds",
+ "failureThreshold",
+ "periodSeconds"
+ ],
+ "type": "object"
+ },
+ "nodeAffinity": {
+ "type": "object"
+ },
+ "nodeSelector": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "podAffinity": {
+ "type": "object"
+ },
+ "podAntiAffinity": {
+ "properties": {
+ "custom": {
+ "type": "object"
+ },
+ "topologyKey": {
+ "type": "string"
+ },
+ "type": {
+ "pattern": "^(hard|soft|custom)$",
+ "type": "string"
+ },
+ "weight": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "topologyKey",
+ "type",
+ "weight"
+ ],
+ "type": "object"
+ },
+ "podSecurityContext": {
+ "deprecated": true,
+ "properties": {
+ "allowPriviledgeEscalation": {
+ "type": "boolean"
+ },
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "podTemplate": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "automountServiceAccountToken": {
+ "type": "boolean"
+ },
+ "containers": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "env": {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ },
+ "valueFrom": {
+ "properties": {
+ "configMapKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKeyRef": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "enum": [
+ "redpanda",
+ "post-install",
+ "post-upgrade",
+ "redpanda-controllers"
+ ],
+ "type": "string"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "drop": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumeMounts": {
+ "items": {
+ "properties": {
+ "mountPath": {
+ "type": "string"
+ },
+ "mountPropagation": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "subPath": {
+ "type": "string"
+ },
+ "subPathExpr": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "name",
+ "env"
+ ],
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "securityContext": {
+ "properties": {
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "supplementalGroups": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "integer"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "sysctls": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "name": {
+ "type": "string"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "volumes": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "awsElasticBlockStore": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "azureDisk": {
+ "properties": {
+ "cachingMode": {
+ "type": "string"
+ },
+ "diskName": {
+ "type": "string"
+ },
+ "diskURI": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "azureFile": {
+ "properties": {
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ },
+ "shareName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cephfs": {
+ "properties": {
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretFile": {
+ "type": "string"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "cinder": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "csi": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "nodePublishSecretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeAttributes": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "emptyDir": {
+ "properties": {
+ "medium": {
+ "type": "string"
+ },
+ "sizeLimit": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "ephemeral": {
+ "properties": {
+ "volumeClaimTemplate": {
+ "properties": {
+ "metadata": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "creationTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "deletionGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "deletionTimestamp": {
+ "properties": {},
+ "type": "object"
+ },
+ "finalizers": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "generateName": {
+ "type": "string"
+ },
+ "generation": {
+ "type": "integer"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "managedFields": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldsType": {
+ "type": "string"
+ },
+ "fieldsV1": {
+ "properties": {},
+ "type": "object"
+ },
+ "manager": {
+ "type": "string"
+ },
+ "operation": {
+ "type": "string"
+ },
+ "subresource": {
+ "type": "string"
+ },
+ "time": {
+ "properties": {},
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ },
+ "ownerReferences": {
+ "items": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "blockOwnerDeletion": {
+ "type": "boolean"
+ },
+ "controller": {
+ "type": "boolean"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resourceVersion": {
+ "type": "string"
+ },
+ "selfLink": {
+ "type": "string"
+ },
+ "uid": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "spec": {
+ "properties": {
+ "accessModes": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "dataSource": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "dataSourceRef": {
+ "properties": {
+ "apiGroup": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "namespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "resources": {
+ "properties": {
+ "limits": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ },
+ "requests": {
+ "additionalProperties": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "selector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "storageClassName": {
+ "type": "string"
+ },
+ "volumeAttributesClassName": {
+ "type": "string"
+ },
+ "volumeMode": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "fc": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "targetWWNs": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "wwids": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "flexVolume": {
+ "properties": {
+ "driver": {
+ "type": "string"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "options": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "flocker": {
+ "properties": {
+ "datasetName": {
+ "type": "string"
+ },
+ "datasetUUID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "gcePersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "partition": {
+ "type": "integer"
+ },
+ "pdName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "gitRepo": {
+ "properties": {
+ "directory": {
+ "type": "string"
+ },
+ "repository": {
+ "type": "string"
+ },
+ "revision": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "glusterfs": {
+ "properties": {
+ "endpoints": {
+ "type": "string"
+ },
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "hostPath": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "iscsi": {
+ "properties": {
+ "chapAuthDiscovery": {
+ "type": "boolean"
+ },
+ "chapAuthSession": {
+ "type": "boolean"
+ },
+ "fsType": {
+ "type": "string"
+ },
+ "initiatorName": {
+ "type": "string"
+ },
+ "iqn": {
+ "type": "string"
+ },
+ "iscsiInterface": {
+ "type": "string"
+ },
+ "lun": {
+ "type": "integer"
+ },
+ "portals": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "targetPortal": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "nfs": {
+ "properties": {
+ "path": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "server": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "persistentVolumeClaim": {
+ "properties": {
+ "claimName": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "photonPersistentDisk": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "pdID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "portworxVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "volumeID": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "projected": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "sources": {
+ "items": {
+ "properties": {
+ "clusterTrustBundle": {
+ "properties": {
+ "labelSelector": {
+ "properties": {
+ "matchExpressions": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "values": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "matchLabels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "path": {
+ "type": "string"
+ },
+ "signerName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "configMap": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "downwardAPI": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "fieldRef": {
+ "properties": {
+ "apiVersion": {
+ "type": "string"
+ },
+ "fieldPath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ },
+ "resourceFieldRef": {
+ "properties": {
+ "containerName": {
+ "type": "string"
+ },
+ "divisor": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "resource": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "optional": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "serviceAccountToken": {
+ "properties": {
+ "audience": {
+ "type": "string"
+ },
+ "expirationSeconds": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "quobyte": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "registry": {
+ "type": "string"
+ },
+ "tenant": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ },
+ "volume": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "rbd": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "image": {
+ "type": "string"
+ },
+ "keyring": {
+ "type": "string"
+ },
+ "monitors": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "pool": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "scaleIO": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "gateway": {
+ "type": "string"
+ },
+ "protectionDomain": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "sslEnabled": {
+ "type": "boolean"
+ },
+ "storageMode": {
+ "type": "string"
+ },
+ "storagePool": {
+ "type": "string"
+ },
+ "system": {
+ "type": "string"
+ },
+ "volumeName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secret": {
+ "properties": {
+ "defaultMode": {
+ "type": "integer"
+ },
+ "items": {
+ "items": {
+ "properties": {
+ "key": {
+ "type": "string"
+ },
+ "mode": {
+ "type": "integer"
+ },
+ "path": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "optional": {
+ "type": "boolean"
+ },
+ "secretName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "storageos": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "readOnly": {
+ "type": "boolean"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "volumeName": {
+ "type": "string"
+ },
+ "volumeNamespace": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "vsphereVolume": {
+ "properties": {
+ "fsType": {
+ "type": "string"
+ },
+ "storagePolicyID": {
+ "type": "string"
+ },
+ "storagePolicyName": {
+ "type": "string"
+ },
+ "volumePath": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "required": [
+ "containers"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "labels",
+ "annotations",
+ "spec"
+ ],
+ "type": "object"
+ },
+ "priorityClassName": {
+ "type": "string"
+ },
+ "readinessProbe": {
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ },
+ "successThreshold": {
+ "type": "integer"
+ },
+ "timeoutSeconds": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "initialDelaySeconds",
+ "failureThreshold",
+ "periodSeconds"
+ ],
+ "type": "object"
+ },
+ "replicas": {
+ "type": "integer"
+ },
+ "securityContext": {
+ "deprecated": true,
+ "properties": {
+ "allowPriviledgeEscalation": {
+ "type": "boolean"
+ },
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "fsGroup": {
+ "type": "integer"
+ },
+ "fsGroupChangePolicy": {
+ "enum": [
+ "OnRootMismatch",
+ "Always"
+ ],
+ "type": "string"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "sideCars": {
+ "properties": {
+ "configWatcher": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "extraVolumeMounts": {
+ "type": "string"
+ },
+ "resources": {
+ "type": "object"
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "drop": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "controllers": {
+ "properties": {
+ "createRBAC": {
+ "type": "boolean"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "healthProbeAddress": {
+ "type": "string"
+ },
+ "image": {
+ "properties": {
+ "repository": {
+ "default": "docker.redpanda.com/redpandadata/redpanda-operator",
+ "type": "string"
+ },
+ "tag": {
+ "default": "Chart.appVersion",
+ "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "tag",
+ "repository"
+ ],
+ "type": "object"
+ },
+ "metricsAddress": {
+ "type": "string"
+ },
+ "resources": true,
+ "run": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "securityContext": {
+ "properties": {
+ "allowPrivilegeEscalation": {
+ "type": "boolean"
+ },
+ "capabilities": {
+ "properties": {
+ "add": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "drop": {
+ "oneOf": [
+ {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "privileged": {
+ "type": "boolean"
+ },
+ "procMount": {
+ "type": "string"
+ },
+ "readOnlyRootFilesystem": {
+ "type": "boolean"
+ },
+ "runAsGroup": {
+ "type": "integer"
+ },
+ "runAsNonRoot": {
+ "type": "boolean"
+ },
+ "runAsUser": {
+ "type": "integer"
+ },
+ "seLinuxOptions": {
+ "properties": {
+ "level": {
+ "type": "string"
+ },
+ "role": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "user": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "seccompProfile": {
+ "properties": {
+ "localhostProfile": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "windowsOptions": {
+ "properties": {
+ "gmsaCredentialSpec": {
+ "type": "string"
+ },
+ "gmsaCredentialSpecName": {
+ "type": "string"
+ },
+ "hostProcess": {
+ "type": "boolean"
+ },
+ "runAsUserName": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "startupProbe": {
+ "properties": {
+ "failureThreshold": {
+ "type": "integer"
+ },
+ "initialDelaySeconds": {
+ "type": "integer"
+ },
+ "periodSeconds": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "initialDelaySeconds",
+ "failureThreshold",
+ "periodSeconds"
+ ],
+ "type": "object"
+ },
+ "terminationGracePeriodSeconds": {
+ "type": "integer"
+ },
+ "tolerations": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "effect": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "tolerationSeconds": {
+ "type": "integer"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "topologySpreadConstraints": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "maxSkew": {
+ "type": "integer"
+ },
+ "topologyKey": {
+ "type": "string"
+ },
+ "whenUnsatisfiable": {
+ "pattern": "^(ScheduleAnyway|DoNotSchedule)$",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "minItems": 1,
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "updateStrategy": {
+ "properties": {
+ "type": {
+ "pattern": "^(RollingUpdate|OnDelete)$",
+ "type": "string"
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "additionalSelectorLabels",
+ "replicas",
+ "updateStrategy",
+ "podTemplate",
+ "budget",
+ "startupProbe",
+ "livenessProbe",
+ "readinessProbe",
+ "podAffinity",
+ "podAntiAffinity",
+ "nodeSelector",
+ "priorityClassName",
+ "topologySpreadConstraints",
+ "tolerations",
+ "securityContext",
+ "sideCars"
+ ],
+ "type": "object"
+ },
+ "storage": {
+ "properties": {
+ "hostPath": {
+ "type": "string"
+ },
+ "persistentVolume": {
+ "deprecated": true,
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "nameOverwrite": {
+ "type": "string"
+ },
+ "size": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "storageClass": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "annotations",
+ "enabled",
+ "labels",
+ "size",
+ "storageClass"
+ ],
+ "type": "object"
+ },
+ "tiered": {
+ "properties": {
+ "config": {
+ "properties": {
+ "cloud_storage_access_key": {
+ "type": "string"
+ },
+ "cloud_storage_api_endpoint": {
+ "type": "string"
+ },
+ "cloud_storage_api_endpoint_port": {
+ "type": "integer"
+ },
+ "cloud_storage_azure_adls_endpoint": {
+ "type": "string"
+ },
+ "cloud_storage_azure_adls_port": {
+ "type": "integer"
+ },
+ "cloud_storage_bucket": {
+ "type": "string"
+ },
+ "cloud_storage_cache_check_interval": {
+ "type": "integer"
+ },
+ "cloud_storage_cache_directory": {
+ "type": "string"
+ },
+ "cloud_storage_cache_size": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "cloud_storage_credentials_source": {
+ "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$",
+ "type": "string"
+ },
+ "cloud_storage_disable_tls": {
+ "type": "boolean"
+ },
+ "cloud_storage_enable_remote_read": {
+ "type": "boolean"
+ },
+ "cloud_storage_enable_remote_write": {
+ "type": "boolean"
+ },
+ "cloud_storage_enabled": {
+ "type": "boolean"
+ },
+ "cloud_storage_initial_backoff_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_manifest_upload_timeout_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_max_connection_idle_time_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_max_connections": {
+ "type": "integer"
+ },
+ "cloud_storage_reconciliation_interval_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_region": {
+ "type": "string"
+ },
+ "cloud_storage_secret_key": {
+ "type": "string"
+ },
+ "cloud_storage_segment_max_upload_interval_sec": {
+ "type": "integer"
+ },
+ "cloud_storage_segment_upload_timeout_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_trust_file": {
+ "type": "string"
+ },
+ "cloud_storage_upload_ctrl_d_coeff": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_max_shares": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_min_shares": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_p_coeff": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_update_interval_ms": {
+ "type": "integer"
+ }
+ },
+ "required": [
+ "cloud_storage_enabled"
+ ],
+ "type": "object"
+ },
+ "credentialsSecretRef": {
+ "properties": {
+ "accessKey": {
+ "properties": {
+ "configurationKey": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretKey": {
+ "properties": {
+ "configurationKey": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "hostPath": {
+ "type": "string"
+ },
+ "mountType": {
+ "pattern": "^(none|hostPath|emptyDir|persistentVolume)$",
+ "type": "string"
+ },
+ "persistentVolume": {
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "nameOverwrite": {
+ "type": "string"
+ },
+ "size": {
+ "type": "string"
+ },
+ "storageClass": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "annotations",
+ "labels",
+ "storageClass"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "mountType"
+ ],
+ "type": "object"
+ },
+ "tieredConfig": {
+ "deprecated": true,
+ "properties": {
+ "cloud_storage_access_key": {
+ "type": "string"
+ },
+ "cloud_storage_api_endpoint": {
+ "type": "string"
+ },
+ "cloud_storage_api_endpoint_port": {
+ "type": "integer"
+ },
+ "cloud_storage_azure_adls_endpoint": {
+ "type": "string"
+ },
+ "cloud_storage_azure_adls_port": {
+ "type": "integer"
+ },
+ "cloud_storage_bucket": {
+ "type": "string"
+ },
+ "cloud_storage_cache_check_interval": {
+ "type": "integer"
+ },
+ "cloud_storage_cache_directory": {
+ "type": "string"
+ },
+ "cloud_storage_cache_size": {
+ "oneOf": [
+ {
+ "type": "integer"
+ },
+ {
+ "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$",
+ "type": "string"
+ }
+ ]
+ },
+ "cloud_storage_credentials_source": {
+ "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$",
+ "type": "string"
+ },
+ "cloud_storage_disable_tls": {
+ "type": "boolean"
+ },
+ "cloud_storage_enable_remote_read": {
+ "type": "boolean"
+ },
+ "cloud_storage_enable_remote_write": {
+ "type": "boolean"
+ },
+ "cloud_storage_enabled": {
+ "type": "boolean"
+ },
+ "cloud_storage_initial_backoff_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_manifest_upload_timeout_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_max_connection_idle_time_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_max_connections": {
+ "type": "integer"
+ },
+ "cloud_storage_reconciliation_interval_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_region": {
+ "type": "string"
+ },
+ "cloud_storage_secret_key": {
+ "type": "string"
+ },
+ "cloud_storage_segment_max_upload_interval_sec": {
+ "type": "integer"
+ },
+ "cloud_storage_segment_upload_timeout_ms": {
+ "type": "integer"
+ },
+ "cloud_storage_trust_file": {
+ "type": "string"
+ },
+ "cloud_storage_upload_ctrl_d_coeff": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_max_shares": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_min_shares": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_p_coeff": {
+ "type": "integer"
+ },
+ "cloud_storage_upload_ctrl_update_interval_ms": {
+ "type": "integer"
+ }
+ },
+ "type": "object"
+ },
+ "tieredStorageHostPath": {
+ "deprecated": true,
+ "type": "string"
+ },
+ "tieredStoragePersistentVolume": {
+ "deprecated": true,
+ "properties": {
+ "annotations": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "labels": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "storageClass": {
+ "type": "string"
+ }
+ },
+ "required": [
+ "annotations",
+ "enabled",
+ "labels",
+ "storageClass"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "hostPath",
+ "tiered",
+ "persistentVolume"
+ ],
+ "type": "object"
+ },
+ "tests": {
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "type": "object"
+ },
+ "tls": {
+ "properties": {
+ "certs": {
+ "minProperties": 1,
+ "patternProperties": {
+ "^[A-Za-z_][A-Za-z0-9_]*$": {
+ "properties": {
+ "applyInternalDNSNames": {
+ "type": "boolean"
+ },
+ "caEnabled": {
+ "type": "boolean"
+ },
+ "clientSecretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "duration": {
+ "pattern": ".*[smh]$",
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "issuerRef": {
+ "properties": {
+ "group": {
+ "type": "string"
+ },
+ "kind": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "secretRef": {
+ "properties": {
+ "name": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "caEnabled"
+ ],
+ "type": "object"
+ }
+ },
+ "type": "object"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ },
+ "required": [
+ "enabled",
+ "certs"
+ ],
+ "type": "object"
+ },
+ "tolerations": {
+ "oneOf": [
+ {
+ "items": {
+ "properties": {
+ "effect": {
+ "type": "string"
+ },
+ "key": {
+ "type": "string"
+ },
+ "operator": {
+ "type": "string"
+ },
+ "tolerationSeconds": {
+ "type": "integer"
+ },
+ "value": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ {
+ "type": "null"
+ }
+ ]
+ },
+ "tuning": {
+ "properties": {
+ "ballast_file_path": {
+ "type": "string"
+ },
+ "ballast_file_size": {
+ "type": "string"
+ },
+ "tune_aio_events": {
+ "type": "boolean"
+ },
+ "tune_ballast_file": {
+ "type": "boolean"
+ },
+ "tune_clocksource": {
+ "type": "boolean"
+ },
+ "well_known_io": {
+ "type": "string"
+ }
+ },
+ "type": "object"
+ }
+ },
+ "required": [
+ "affinity",
+ "image"
+ ],
+ "type": "object"
+}
diff --git a/charts/redpanda/redpanda/5.9.9/values.yaml b/charts/redpanda/redpanda/5.9.9/values.yaml
new file mode 100644
index 000000000..2d23d1946
--- /dev/null
+++ b/charts/redpanda/redpanda/5.9.9/values.yaml
@@ -0,0 +1,1133 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file contains values for variables referenced from yaml files in the templates directory.
+#
+# For further information on Helm templating see the documentation at:
+# https://helm.sh/docs/chart_template_guide/values_files/
+
+#
+# >>> This chart requires Helm version 3.6.0 or greater <<<
+#
+
+# Common settings
+#
+# -- Override `redpanda.name` template.
+nameOverride: ""
+# -- Override `redpanda.fullname` template.
+fullnameOverride: ""
+# -- Default Kubernetes cluster domain.
+clusterDomain: cluster.local
+# -- Additional labels to add to all Kubernetes objects.
+# For example, `my.k8s.service: redpanda`.
+commonLabels: {}
+# -- Node selection constraints for scheduling Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+nodeSelector: {}
+# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
+affinity: {}
+# -- Taints to be tolerated by Pods, can override this for StatefulSets.
+# For details,
+# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+tolerations: []
+
+# -- Redpanda Docker image settings.
+image:
+ # -- Docker repository from which to pull the Redpanda Docker image.
+ repository: docker.redpanda.com/redpandadata/redpanda
+ # -- The Redpanda version.
+ # See DockerHub for:
+ # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags)
+ # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags).
+ # @default -- `Chart.appVersion`.
+ tag: ""
+ # -- The imagePullPolicy.
+ # If `image.tag` is 'latest', the default is `Always`.
+ pullPolicy: IfNotPresent
+
+# -- Redpanda Service settings.
+# service:
+# -- set service.name to override the default service name
+# name: redpanda
+# -- internal Service
+# internal:
+# -- add annotations to the internal Service
+# annotations: {}
+#
+# -- eg. for a bare metal install using external-dns
+# annotations:
+# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom
+# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP
+
+# -- Pull secrets may be used to provide credentials to image repositories
+# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
+imagePullSecrets: []
+
+# -- DEPRECATED Enterprise license key (optional).
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+license_key: ""
+# -- DEPRECATED Secret name and secret key where the license key is stored.
+license_secret_ref: {}
+ # secret_name: my-secret
+ # secret_key: key-where-license-is-stored
+
+# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication
+# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0.
+auditLogging:
+ # -- Enable or disable audit logging, for production clusters we suggest you enable,
+ # however, this will only work if you also enable sasl and a listener with sasl enabled.
+ enabled: false
+ # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`.
+ # For external listeners, use the external listener name, such as `default`.
+ listener: internal
+ # -- Integer value defining the number of partitions used by a newly created audit topic.
+ partitions: 12
+ # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`].
+ enabledEventTypes:
+ # -- List of topics to exclude from auditing, default is null.
+ excludedTopics:
+ # -- List of principals to exclude from auditing, default is null.
+ excludedPrincipals:
+ # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages.
+ clientMaxBufferSize: 16777216
+ # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log.
+ queueDrainIntervalMs: 500
+ # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard.
+ queueMaxBufferSizePerShard: 1048576
+ # -- Defines the replication factor for a newly created audit log topic. This configuration applies
+ # only to the audit log topic and may be different from the cluster or other topic configurations.
+ # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided,
+ # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null`
+ replicationFactor:
+
+# -- Enterprise (optional)
+# For details,
+# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition).
+enterprise:
+ # -- license (optional).
+ license: ""
+ # -- Secret name and key where the license key is stored.
+ licenseSecretRef: {}
+ # name: my-secret
+ # key: key-where-license-is-stored
+
+# -- Rack Awareness settings.
+# For details,
+# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/).
+rackAwareness:
+ # -- When running in multiple racks or availability zones, use a Kubernetes Node
+ # annotation value as the Redpanda rack value.
+ # Enabling this requires running with a service account with "get" Node permissions.
+ # To have the Helm chart configure these permissions,
+ # set `serviceAccount.create=true` and `rbac.enabled=true`.
+ enabled: false
+ # -- The common well-known annotation to use as the rack ID.
+ # Override this only if you use a custom Node annotation.
+ nodeAnnotation: topology.kubernetes.io/zone
+
+#
+# -- Redpanda Console settings.
+# For a reference of configuration settings,
+# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/).
+console:
+ enabled: true
+ configmap:
+ create: false
+ secret:
+ create: false
+ deployment:
+ create: false
+ config: {}
+
+#
+# -- Redpanda Managed Connectors settings
+# For a reference of configuration settings,
+# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/).
+connectors:
+ enabled: false
+ deployment:
+ create: false
+ test:
+ create: false
+
+# -- Authentication settings.
+# For details,
+# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/).
+auth:
+ sasl:
+ # -- Enable SASL authentication.
+ # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`.
+ enabled: false
+ # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-512
+ # -- A Secret that contains your superuser credentials.
+ # For details,
+ # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets).
+ secretRef: "redpanda-users"
+ # -- Optional list of superusers.
+ # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`.
+ # If this list is empty,
+ # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart.
+ # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own.
+ users: []
+ # - name: admin
+ # password: change-me
+ # mechanism: SCRAM-SHA-512
+ # -- Details about how to create the bootstrap user for the cluster.
+ # The secretKeyRef is optionally specified. If it is specified, the
+ # chart will use a password written to that secret when creating the
+ # "kubernetes-controller" bootstrap user. If it is unspecified, then
+ # the secret will be generated and stored in the secret
+ # "releasename"-bootstrap-user, with the key "password".
+ bootstrapUser:
+ # -- The name used to override the name of the bootstrap user. If unspecified the bootstrap user is named
+ # "kubernetes-controller". This should only be specified when SASL authentication is enabled (usually installation)
+ # and should not be changed afterward.
+ # name: my-user
+ # -- The authentication mechanism to use for the bootstrap user. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`.
+ mechanism: SCRAM-SHA-256
+ # secretKeyRef:
+ # name: my-password
+ # key: my-key
+
+# -- TLS settings.
+# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/).
+tls:
+ # -- Enable TLS globally for all listeners.
+ # Each listener must include a Certificate name in its `.tls` object.
+ # To allow you to enable TLS for individual listeners,
+ # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`.
+ # See `listeners..tls.enabled`.
+ enabled: true
+ # -- List all Certificates here,
+ # then you can reference a specific Certificate's name
+ # in each listener's `listeners..tls.cert` setting.
+ certs:
+ # -- This key is the Certificate name.
+ # To apply the Certificate to a specific listener,
+ # reference the Certificate's name in `listeners..tls.cert`.
+ default:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer.
+ # applyInternalDNSNames: false
+ # -- Example external tls configuration
+ # uncomment and set the right key to the listeners that require them
+ # also enable the tls setting for those listeners.
+ external:
+ # -- To use a custom pre-installed Issuer,
+ # add its name and kind to the `issuerRef` object.
+ # issuerRef:
+ # name: redpanda-default-root-issuer
+ # kind: Issuer # Can be Issuer or ClusterIssuer
+ # -- To use a secret with custom tls files,
+ # secretRef:
+ # name: my-tls-secret
+ # -- Indicates whether or not the Secret holding this certificate
+ # includes a `ca.crt` key. When `true`, chart managed clients, such as
+ # rpk, will use `ca.crt` for certificate verification and listeners with
+ # `require_client_auth` and no explicit `truststore` will use `ca.crt` as
+ # their `truststore_file` for verification of client certificates. When
+ # `false`, chart managed clients will use `tls.crt` for certificate
+ # verification and listeners with `require_client_auth` and no explicit
+ # `truststore` will use the container's CA certificates.
+ caEnabled: true
+ # duration: 43800h
+ # if you wish to for apply internal dns names to the certificate even when supplying an issuer
+ # applyInternalDNSNames: false
+
+# -- External access settings.
+# For details,
+# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/).
+external:
+ # -- Service allows you to manage the creation of an external kubernetes service object
+ service:
+ # -- Enabled if set to false will not create the external service type
+ # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander).
+ # Set this to false if you rather manage your own service.
+ enabled: true
+ # -- Enable external access for each Service.
+ # You can toggle external access for each listener in
+ # `listeners..external..enabled`.
+ enabled: true
+ # -- External access type. Only `NodePort` and `LoadBalancer` are supported.
+ # If undefined, then advertised listeners will be configured in Redpanda,
+ # but the helm chart will not create a Service.
+ # You must create a Service manually.
+ # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss.
+ # NodePort is recommended in cases where latency is a priority.
+ type: NodePort
+ # Optional source range for external access. Only applicable when external.type is LoadBalancer
+ # sourceRanges: []
+ # -- Optional domain advertised to external clients
+ # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address
+ # domain: local
+ # Optional list of addresses that the Redpanda brokers advertise.
+ # Provide one entry for each broker in order of StatefulSet replicas.
+ # The number of brokers is defined in statefulset.replicas.
+ # The values can be IP addresses or DNS names.
+ # If external.domain is set, the domain is appended to these values.
+ # There is an option to define a single external address for all brokers and leverage
+ # prefixTemplate as it will be calculated during initContainer execution.
+ # addresses:
+ # - redpanda-0
+ # - redpanda-1
+ # - redpanda-2
+ #
+ # annotations:
+ # For example:
+ # cloud.google.com/load-balancer-type: "Internal"
+ # service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ # If you enable externalDns, each LoadBalancer service instance
+ # will be annotated with external-dns hostname
+ # matching external.addresses + external.domain
+ # externalDns:
+ # enabled: true
+ # prefixTemplate: ""
+
+# -- Log-level settings.
+logging:
+ # -- Log level
+ # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`.
+ logLevel: info
+ # -- Send usage statistics back to Redpanda Data.
+ # For details,
+ # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting).
+ usageStats:
+ # Enable the `rpk.enable_usage_stats` property.
+ enabled: true
+ # Your cluster ID (optional)
+ # clusterId: your-helm-cluster
+
+# -- Monitoring.
+# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics.
+monitoring:
+ enabled: false
+ scrapeInterval: 30s
+ labels: {}
+ # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig.
+ # enableHttp2: true
+ # tlsConfig:
+ # caFile: /etc/prom-certs/root-cert.pem
+ # certFile: /etc/prom-certs/cert-chain.pem
+ # insecureSkipVerify: true
+ # keyFile: /etc/prom-certs/key.pem
+
+# -- Pod resource management.
+# This section simplifies resource allocation
+# by providing a single location where resources are defined.
+# Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates.
+#
+# The default values are for a development environment.
+# Production-level values and other considerations are documented,
+# where those values are different from the default.
+# For details,
+# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/).
+resources:
+ #
+ # -- CPU resources.
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources).
+ cpu:
+ # -- Redpanda makes use of a thread per core model.
+ # For details, see this [blog](https://redpanda.com/blog/tpc-buffers).
+ # For this reason, Redpanda should only be given full cores.
+ #
+ # Note: You can increase cores, but decreasing cores is not currently supported.
+ # See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350).
+ #
+ # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`.
+ # For production, use `4` or greater.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. See
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy.
+ cores: 1
+ #
+ # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU.
+ # This should be true unless the container has CPU affinity.
+ # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0`
+ #
+ # If the value of full cores in `resources.cpu.cores` is less than `1`, this
+ # setting is set to `true`.
+ # overprovisioned: false
+ #
+ # -- Memory resources
+ # For details,
+ # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources).
+ memory:
+ # -- Enables memory locking.
+ # For production, set to `true`.
+ # enable_memory_locking: false
+ #
+ # It is recommended to have at least 2Gi of memory per core for the Redpanda binary.
+ # This memory is taken from the total memory given to each container.
+ # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for
+ # the Seastar subsystem (reserveMemory) and other container processes.
+ # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi.
+ #
+ # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory
+ # requests/limits in the StatefulSet.
+ # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi
+ # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container.
+ # For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ #
+ container:
+ # Minimum memory count for each Redpanda broker.
+ # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits).
+ # This setting is equivalent to `resources.requests.memory`.
+ # For production, use 10Gi or greater.
+ # min: 2.5Gi
+ #
+ # -- Maximum memory count for each Redpanda broker.
+ # Equivalent to `resources.limits.memory`.
+ # For production, use `10Gi` or greater.
+ max: 2.5Gi
+ #
+ # This optional `redpanda` object allows you to specify the memory size for both the Redpanda
+ # process and the underlying reserved memory used by Seastar.
+ # This section is omitted by default, and memory sizes are calculated automatically
+ # based on container memory.
+ # Uncommenting this section and setting memory and reserveMemory values will disable
+ # automatic calculation.
+ #
+ # If you are setting the following values manually, keep in mind the following guidelines.
+ # Getting this wrong may lead to performance issues, instability, and loss of data:
+ # The amount of memory to allocate to a container is determined by the sum of three values:
+ # 1. Redpanda (at least 2Gi per core, ~80% of the container's total memory)
+ # 2. Seastar subsystem (200Mi * 0.2% of the container's total memory, 200Mi < x < 1Gi)
+ # 3. Other container processes (whatever small amount remains)
+ # redpanda:
+ # Memory for the Redpanda process.
+ # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise
+ # resources.memory.container.max).
+ # Equivalent to --memory.
+ # For production, use 8Gi or greater.
+ # memory: 2Gi
+ #
+ # Memory reserved for the Seastar subsystem.
+ # Any value above 1Gi will provide diminishing performance benefits.
+ # Equivalent to --reserve-memory.
+ # For production, use 1Gi.
+ # reserveMemory: 200Mi
+
+# -- Persistence settings.
+# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/).
+storage:
+ # -- Absolute path on the host to store Redpanda's data.
+ # If unspecified, then an `emptyDir` volume is used.
+ # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect.
+ hostPath: ""
+ # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and
+ # used to store Redpanda's data. Otherwise, `storage.hostPath` is used.
+ persistentVolume:
+ enabled: true
+ size: 20Gi
+ # -- To disable dynamic provisioning, set to `-`.
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+ # -- Option to change volume claim template name for tiered storage persistent volume
+ # if tiered.mountType is set to `persistentVolume`
+ nameOverwrite: ""
+ #
+ # Settings for the Tiered Storage cache.
+ # For details,
+ # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching).
+
+ tiered:
+ # mountType can be one of:
+ # - none: does not mount a volume. Tiered storage will use the data directory.
+ # - hostPath: will allow you to chose a path on the Node the pod is running on
+ # - emptyDir: will mount a fresh empty directory every time the pod starts
+ # - persistentVolume: creates and mounts a PersistentVolumeClaim
+ mountType: emptyDir
+
+ # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`.
+ #
+ # -- Absolute path on the host to store Redpanda's Tiered Storage cache.
+ hostPath: ""
+ # PersistentVolumeClaim to be created for the Tiered Storage cache and
+ # used to store data retrieved from cloud storage, such as S3).
+ persistentVolume:
+ # -- To disable dynamic provisioning, set to "-".
+ # If undefined or empty (default), then no storageClassName spec is set,
+ # and the default dynamic provisioner is chosen (gp2 on AWS, standard on
+ # GKE, AWS & OpenStack).
+ storageClass: ""
+ # -- Additional labels to apply to the created PersistentVolumeClaims.
+ labels: {}
+ # -- Additional annotations to apply to the created PersistentVolumeClaims.
+ annotations: {}
+
+ # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from
+ # referenced Kubernetes Secret
+ credentialsSecretRef:
+ accessKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_access_key
+ configurationKey: cloud_storage_access_key
+ # name:
+ # key:
+ secretKey:
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_secret_key
+ # or
+ # https://docs.redpanda.com/current/reference/object-storage-properties/#cloud_storage_azure_shared_key
+ configurationKey: cloud_storage_secret_key
+ # name:
+ # key
+ # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey`
+ # configurationKey: cloud_storage_secret_key
+ # name:
+ # key:
+ #
+ # -- Tiered Storage settings
+ # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef`
+ # For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/).
+ # For a list of properties, see [Object Storage Properties](https://docs.redpanda.com/current/reference/properties/object-storage-properties/).
+ config:
+ # -- Global flag that enables Tiered Storage if a license key is provided.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enabled).
+ cloud_storage_enabled: false
+ # -- Cluster level default remote write configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_write).
+ cloud_storage_enable_remote_write: true
+ # -- Cluster level default remote read configuration for new topics.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_enable_remote_read).
+ cloud_storage_enable_remote_read: true
+ # -- Maximum size of the disk cache used by Tiered Storage.
+ # Default is 20 GiB.
+ # See the [property reference documentation](https://docs.redpanda.com/docs/reference/object-storage-properties/#cloud_storage_cache_size).
+ cloud_storage_cache_size: 5368709120
+
+post_install_job:
+ enabled: true
+ # Resource requests and limits for the post-install batch job
+ # resources:
+ # requests:
+ # cpu: 1
+ # memory: 512Mi
+ # limits:
+ # cpu: 2
+ # memory: 1024Mi
+ # labels: {}
+ # annotations: {}
+ affinity: {}
+
+ podTemplate:
+ # -- Additional labels to apply to the Pods of this Job.
+ labels: {}
+ # -- Additional annotations to apply to the Pods of this Job.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers:
+ - name: post-install
+ securityContext: {}
+ env: []
+
+statefulset:
+ # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster)
+ replicas: 3
+ updateStrategy:
+ type: RollingUpdate
+ budget:
+ maxUnavailable: 1
+ # -- DEPRECATED Please use statefulset.podTemplate.annotations.
+ # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have
+ # any dedicated annotation.
+ annotations: {}
+ # -- Additional labels to be added to statefulset label selector.
+ # For example, `my.k8s.service: redpanda`.
+ additionalSelectorLabels: {}
+ podTemplate:
+ # -- Additional labels to apply to the Pods of the StatefulSet.
+ labels: {}
+ # -- Additional annotations to apply to the Pods of the StatefulSet.
+ annotations: {}
+ # -- A subset of Kubernetes' PodSpec type that will be merged into the
+ # final PodSpec. See [Merge Semantics](#merging-semantics) for details.
+ spec:
+ securityContext: {}
+ containers:
+ - name: redpanda
+ securityContext: {}
+ env: []
+ # -- Adjust the period for your probes to meet your needs.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
+ startupProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 120
+ periodSeconds: 10
+ livenessProbe:
+ initialDelaySeconds: 10
+ failureThreshold: 3
+ periodSeconds: 10
+ readinessProbe:
+ initialDelaySeconds: 1
+ failureThreshold: 3
+ periodSeconds: 10
+ successThreshold: 1
+ #
+ # StatefulSet resources:
+ # Resources are set through the top-level resources section above.
+ # It is recommended to set resource values in that section rather than here, as this will guarantee
+ # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly.
+ # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags
+ # at startup that set the amount of memory available to each process.
+ # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled.
+ # Adding a resource section here will be ignored.
+ #
+ # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ podAffinity: {}
+ # -- Anti-affinity rules for scheduling Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity).
+ # You may either edit the default settings for anti-affinity rules,
+ # or specify new anti-affinity rules to use instead of the defaults.
+ podAntiAffinity:
+ # -- The topologyKey to be used.
+ # Can be used to spread across different nodes, AZs, regions etc.
+ topologyKey: kubernetes.io/hostname
+ # -- Valid anti-affinity types are `soft`, `hard`, or `custom`.
+ # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object.
+ type: hard
+ # -- Weight for `soft` anti-affinity rules.
+ # Does not apply to other anti-affinity types.
+ weight: 100
+ # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here.
+ custom: {}
+ # -- Node selection constraints for scheduling Pods of this StatefulSet.
+ # These constraints override the global `nodeSelector` value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector).
+ nodeSelector: {}
+ # -- PriorityClassName given to Pods of this StatefulSet.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass).
+ priorityClassName: ""
+ # -- Taints to be tolerated by Pods of this StatefulSet.
+ # These tolerations override the global tolerations value.
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
+ tolerations: []
+ # For details,
+ # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/).
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext.
+ securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ fsGroupChangePolicy: OnRootMismatch
+ sideCars:
+ configWatcher:
+ enabled: true
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a memory limit and a memory request.
+ # * For every container in the Pod, the memory limit must equal the memory request.
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. For details, see
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+ resources: {}
+ securityContext: {}
+ extraVolumeMounts: |-
+ # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers.
+ # Available controllers:
+ # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations.
+ # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating
+ # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned
+ # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim.
+ # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers.
+ # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when
+ # an existing node is removed.
+ controllers:
+ image:
+ tag: v2.2.5-24.2.7
+ repository: docker.redpanda.com/redpandadata/redpanda-operator
+ # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar
+ enabled: false
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ #
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ #
+ # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for
+ # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers
+ # access to exclusive CPUs on the node. For details, see
+ # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy
+ resources: {}
+ securityContext: {}
+ healthProbeAddress: ":8085"
+ metricsAddress: ":9082"
+ run:
+ - all
+ createRBAC: true
+ initContainers:
+ fsValidator:
+ enabled: false
+ expectedFS: xfs
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ tuning:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ setDataDirOwnership:
+ # -- In environments where root is not allowed, you cannot change the ownership of files and directories.
+ # Enable `setDataDirOwnership` when using default minikube cluster configuration.
+ enabled: false
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ setTieredStorageCacheDirOwnership:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ configurator:
+ # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see
+ # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed
+ # * Every container in the Pod must have a CPU limit and a CPU request.
+ # * For every container in the Pod, the CPU limit must equal the CPU request.
+ resources: {}
+ extraVolumeMounts: |-
+ ## Additional init containers
+ extraInitContainers: |-
+# - name: "test-init-container"
+# image: "mintel/docker-alpine-bash-curl-jq:latest"
+# command: [ "/bin/bash", "-c" ]
+# args:
+# - |
+# set -xe
+# echo "Hello World!"
+ initContainerImage:
+ repository: busybox
+ tag: latest
+ # -- Additional flags to pass to redpanda,
+ additionalRedpandaCmdFlags: []
+# - --unsafe-bypass-fsync
+ # -- Termination grace period in seconds is time required to execute preStop hook
+ # which puts particular Redpanda Pod (process/container) into maintenance mode.
+ # Before settle down on particular value please put Redpanda under load and perform
+ # rolling upgrade or rolling restart. That value needs to accommodate two processes:
+ # * preStop hook needs to put Redpanda into maintenance mode
+ # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal
+ #
+ # Both processes are executed sequentially where preStop hook has hard deadline in the
+ # middle of terminationGracePeriodSeconds.
+ #
+ # REF:
+ # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
+ # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination
+ terminationGracePeriodSeconds: 90
+ ## Additional Volumes that you mount
+ extraVolumes: |-
+ ## Additional Volume mounts for redpanda container
+ extraVolumeMounts: |-
+
+# -- Service account management.
+serviceAccount:
+ # -- Specifies whether a service account should be created.
+ create: false
+ # -- Specifies whether a service account should automount API-Credentials. The token is used in sidecars.controllers
+ automountServiceAccountToken: false
+ # -- Annotations to add to the service account.
+ annotations: {}
+ # -- The name of the service account to use.
+ # If not set and `serviceAccount.create` is `true`,
+ # a name is generated using the `redpanda.fullname` template.
+ name: ""
+
+# -- Role Based Access Control.
+rbac:
+ # -- Enable for features that need extra privileges.
+ # If you use the Redpanda Operator,
+ # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag
+ # to give it the required ClusterRoles.
+ enabled: false
+ # -- Annotations to add to the `rbac` resources.
+ annotations: {}
+
+# -- Redpanda tuning settings.
+# Each is set to their default values in Redpanda.
+tuning:
+ # -- Increase the maximum number of outstanding asynchronous IO operations if the
+ # current value is below a certain threshold. This allows Redpanda to make as many
+ # simultaneous IO requests as possible, increasing throughput.
+ #
+ # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`.
+ # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/).
+ tune_aio_events: true
+ #
+ # Syncs NTP
+ # tune_clocksource: false
+ #
+ # Creates a "ballast" file so that, if a Redpanda node runs out of space,
+ # you can delete the ballast file to allow the node to resume operations and then
+ # delete a topic or records to reduce the space used by Redpanda.
+ # tune_ballast_file: false
+ #
+ # The path where the ballast file will be created.
+ # ballast_file_path: "/var/lib/redpanda/data/ballast"
+ #
+ # The ballast file size.
+ # ballast_file_size: "1GiB"
+ #
+ # (Optional) The vendor, VM type and storage device type that redpanda will run on, in
+ # the format ::. This hints to rpk which configuration values it
+ # should use for the redpanda IO scheduler.
+ # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default"
+ # well_known_io: ""
+ #
+ # The following tuning parameters must be false in container environments and will be ignored:
+ # tune_network
+ # tune_disk_scheduler
+ # tune_disk_nomerges
+ # tune_disk_irq
+ # tune_fstrim
+ # tune_cpu
+ # tune_swappiness
+ # tune_transparent_hugepages
+ # tune_coredump
+
+
+# -- Listener settings.
+#
+# Override global settings configured above for individual
+# listeners.
+# For details,
+# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/).
+listeners:
+ # -- Admin API listener (only one).
+ admin:
+ # -- The port for both internal and external connections to the Admin API.
+ port: 9644
+ # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
+ # appProtocol:
+ # -- Optional external access settings.
+ external:
+ # -- Name of the external listener.
+ default:
+ port: 9645
+ # Override the global `external.enabled` for only this listener.
+ # enabled: true
+ # -- The port advertised to this listener's external clients.
+ # List one port if you want to use the same port for each broker (would be the case when using NodePort service).
+ # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas.
+ # If undefined, `listeners.admin.port` is used.
+ tls:
+ # enabled: true
+ cert: external
+ advertisedPorts:
+ - 31644
+ # -- Optional TLS section (required if global TLS is enabled)
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs).
+ cert: default
+ # -- If true, the truststore file for this listener is included in the ConfigMap.
+ requireClientAuth: false
+ # -- Kafka API listeners.
+ kafka:
+ # -- The port for internal client connections.
+ port: 9093
+ # default is "sasl"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ # -- The port used for external client connections.
+ port: 9094
+ # prefixTemplate: ""
+ # -- If undefined, `listeners.kafka.external.default.port` is used.
+ advertisedPorts:
+ - 31092
+ tls:
+ # enabled: true
+ cert: external
+ # default is "sasl"
+ authenticationMethod:
+ # -- RPC listener (this is never externally accessible).
+ rpc:
+ port: 33145
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ # -- Schema registry listeners.
+ schemaRegistry:
+ enabled: true
+ port: 8081
+ kafkaEndpoint: default
+ # default is "http_basic"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ port: 8084
+ advertisedPorts:
+ - 30081
+ tls:
+ # enabled: true
+ cert: external
+ requireClientAuth: false
+ # default is "http_basic"
+ authenticationMethod:
+ # -- HTTP API listeners (aka PandaProxy).
+ http:
+ enabled: true
+ port: 8082
+ kafkaEndpoint: default
+ # default is "http_basic"
+ authenticationMethod:
+ tls:
+ # Optional flag to override the global TLS enabled flag.
+ # enabled: true
+ cert: default
+ requireClientAuth: false
+ external:
+ default:
+ # enabled: true
+ port: 8083
+ # prefixTemplate: ""
+ advertisedPorts:
+ - 30082
+ tls:
+ # enabled: true
+ cert: external
+ requireClientAuth: false
+ # default is "http_basic"
+ authenticationMethod:
+
+# Expert Config
+# Here be dragons!
+#
+# -- This section contains various settings supported by Redpanda that may not work
+# correctly in a Kubernetes cluster. Changing these settings comes with some risk.
+#
+# Use these settings to customize various Redpanda configurations that are not covered in other sections.
+# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm,
+# and therefore should not be modified for the purpose of configuring those objects.
+# Instead, these settings get passed directly to the Redpanda binary at startup.
+# For descriptions of these properties,
+# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/).
+config:
+ rpk: {}
+ # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"`
+ # -- [Cluster Configuration Properties](https://docs.redpanda.com/current/reference/properties/cluster-properties/)
+ cluster: {}
+
+ # -- Tunable cluster properties.
+ # Deprecated: all settings here may be specified via `config.cluster`.
+ tunable:
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_min).
+ log_segment_size_min: 16777216 # 16 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#log_segment_size_max).
+ log_segment_size_max: 268435456 # 256 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#compacted_log_segment_size).
+ compacted_log_segment_size: 67108864 # 64 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#max_compacted_log_segment_size).
+ max_compacted_log_segment_size: 536870912 # 512 mb
+ # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit).
+ kafka_connection_rate_limit: 1000
+
+ # -- [Broker (node) Configuration Properties](https://docs.redpanda.com/docs/reference/broker-properties/).
+ node:
+ # -- Crash loop limit
+ # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset.
+ # This limit prevents a broker from getting stuck in an infinite cycle of crashes.
+ # User can disable this crash loop limit check by the following action:
+ #
+ # * One hour elapses since the last crash
+ # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects
+ # * The startup_log file in the node’s data_directory is manually deleted
+ #
+ # Default to 5
+ # REF: https://docs.redpanda.com/current/reference/broker-properties/#crash_loop_limit
+ crash_loop_limit: 5
+
+ # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/
+ schema_registry_client: {}
+ # # Number of times to retry a request to a broker
+ # # Default: 5
+ # retries: 5
+ #
+ # # Delay (in milliseconds) for initial retry backoff
+ # # Default: 100ms
+ # retry_base_backoff_ms: 100
+ #
+ # # Number of records to batch before sending to broker
+ # # Default: 1000
+ # produce_batch_record_count: 1000
+ #
+ # # Number of bytes to batch before sending to broker
+ # # Defautl 1MiB
+ # produce_batch_size_bytes: 1048576
+ #
+ # # Delay (in milliseconds) to wait before sending batch
+ # # Default: 100ms
+ # produce_batch_delay_ms: 100
+ #
+ # # Interval (in milliseconds) for consumer request timeout
+ # # Default: 100ms
+ # consumer_request_timeout_ms: 100
+ #
+ # # Max bytes to fetch per request
+ # # Default: 1MiB
+ # consumer_request_max_bytes: 1048576
+ #
+ # # Timeout (in milliseconds) for consumer session
+ # # Default: 10s
+ # consumer_session_timeout_ms: 10000
+ #
+ # # Timeout (in milliseconds) for consumer rebalance
+ # # Default: 2s
+ # consumer_rebalance_timeout_ms: 2000
+ #
+ # # Interval (in milliseconds) for consumer heartbeats
+ # # Default: 500ms
+ # consumer_heartbeat_interval_ms: 500
+
+ # Reference panda proxy client https://docs.redpanda.com/current/reference/node-configuration-sample/
+ pandaproxy_client: {}
+ # # Number of times to retry a request to a broker
+ # # Default: 5
+ # retries: 5
+ #
+ # # Delay (in milliseconds) for initial retry backoff
+ # # Default: 100ms
+ # retry_base_backoff_ms: 100
+ #
+ # # Number of records to batch before sending to broker
+ # # Default: 1000
+ # produce_batch_record_count: 1000
+ #
+ # # Number of bytes to batch before sending to broker
+ # # Defautl 1MiB
+ # produce_batch_size_bytes: 1048576
+ #
+ # # Delay (in milliseconds) to wait before sending batch
+ # # Default: 100ms
+ # produce_batch_delay_ms: 100
+ #
+ # # Interval (in milliseconds) for consumer request timeout
+ # # Default: 100ms
+ # consumer_request_timeout_ms: 100
+ #
+ # # Max bytes to fetch per request
+ # # Default: 1MiB
+ # consumer_request_max_bytes: 1048576
+ #
+ # # Timeout (in milliseconds) for consumer session
+ # # Default: 10s
+ # consumer_session_timeout_ms: 10000
+ #
+ # # Timeout (in milliseconds) for consumer rebalance
+ # # Default: 2s
+ # consumer_rebalance_timeout_ms: 2000
+ #
+ # # Interval (in milliseconds) for consumer heartbeats
+ # # Default: 500ms
+ # consumer_heartbeat_interval_ms: 500
+
+ # Invalid properties
+ # Any of these properties will be ignored. These otherwise valid properties are not allowed
+ # to be used in this section since they impact deploying Redpanda in Kubernetes.
+ # Make use of the above sections to modify these values instead (see comments below).
+ # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin
+ # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls
+ # advertised_kafka_api: None # Address of Kafka API published to the clients
+ # advertised_pandaproxy_api: None # Rest API address and port to publish to client
+ # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members
+ # enable_admin_api: true # Enable the admin API
+ # enable_sasl: false # Enable SASL authentication for Kafka connections
+ # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests
+ # kafka_api_tls: None # TLS configuration for Kafka API endpoint
+ # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port
+ # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api
+ # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server
+ # rpc_server_tls: validate # TLS configuration for RPC server
+ # superusers: None # List of superuser usernames
+
+tests:
+ enabled: true
diff --git a/index.yaml b/index.yaml
index 2c222b96d..59678c93d 100644
--- a/index.yaml
+++ b/index.yaml
@@ -11078,6 +11078,35 @@ entries:
- assets/dynatrace/dynatrace-operator-0.12.0.tgz
version: 0.12.0
external-secrets:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: External Secrets Operator
+ catalog.cattle.io/kube-version: '>= 1.19.0-0'
+ catalog.cattle.io/release-name: external-secrets
+ apiVersion: v2
+ appVersion: v0.10.5
+ created: "2024-10-26T00:34:38.167474615Z"
+ dependencies:
+ - condition: bitwarden-sdk-server.enabled
+ name: bitwarden-sdk-server
+ repository: oci://ghcr.io/external-secrets/charts
+ version: v0.3.1
+ description: External secret management for Kubernetes
+ digest: 2db1648a5d5daca6b9ead44b7f256fb17edabe21c6ecdc6bb5b6e2ff70c81fc1
+ home: https://github.com/external-secrets/external-secrets
+ icon: file://assets/icons/external-secrets.png
+ keywords:
+ - kubernetes-external-secrets
+ - secrets
+ kubeVersion: '>= 1.19.0-0'
+ maintainers:
+ - email: kellinmcavoy@gmail.com
+ name: mcavoyk
+ name: external-secrets
+ type: application
+ urls:
+ - assets/external-secrets/external-secrets-0.10.5.tgz
+ version: 0.10.5
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: External Secrets Operator
@@ -15754,6 +15783,37 @@ entries:
- assets/hpe/hpe-csi-info-metrics-1.0.2.tgz
version: 1.0.2
instana-agent:
+ - annotations:
+ artifacthub.io/links: |
+ - name: Instana website
+ url: https://www.ibm.com/products/instana
+ - name: Instana Helm charts
+ url: https://github.com/instana/helm-charts
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Instana Agent
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: instana-agent
+ apiVersion: v2
+ appVersion: 1.276.0
+ created: "2024-10-26T00:34:38.67217249Z"
+ description: Instana Agent for Kubernetes
+ digest: 64da4c7353cccef3b0a55583f13fe76bc788ddfe52b770ec57a73432a6cc82af
+ home: https://www.instana.com/
+ icon: file://assets/icons/instana-agent.png
+ kubeVersion: '>=1.21-0'
+ maintainers:
+ - email: felix.marx@ibm.com
+ name: FelixMarxIBM
+ - email: henning.treu@ibm.com
+ name: htreu
+ - email: torsten.kohn@ibm.com
+ name: tkohn
+ name: instana-agent
+ sources:
+ - https://github.com/instana/instana-agent-docker
+ urls:
+ - assets/instana/instana-agent-1.2.74.tgz
+ version: 1.2.74
- annotations:
artifacthub.io/links: |
- name: Instana website
@@ -34705,6 +34765,30 @@ entries:
- assets/percona/psmdb-db-1.14.4.tgz
version: 1.14.4
psmdb-operator:
+ - annotations:
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Percona Operator for MongoDB
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: psmdb-operator
+ apiVersion: v2
+ appVersion: 1.17.0
+ created: "2024-10-26T00:34:41.740449581Z"
+ description: A Helm chart for deploying the Percona Operator for MongoDB
+ digest: 51588d993f242769ab0dd33c5870fa29df4bb679d0c06fd6cbc63c8e6295eb9c
+ home: https://docs.percona.com/percona-operator-for-mongodb/
+ icon: file://assets/icons/psmdb-operator.png
+ kubeVersion: '>=1.21-0'
+ maintainers:
+ - email: tomislav.plavcic@percona.com
+ name: tplavcic
+ - email: natalia.marukovich@percona.com
+ name: nmarukovich
+ - email: sergey.pronin@percona.com
+ name: spron-in
+ name: psmdb-operator
+ urls:
+ - assets/percona/psmdb-operator-1.17.1.tgz
+ version: 1.17.1
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Percona Operator for MongoDB
@@ -35601,6 +35685,48 @@ entries:
- assets/quobyte/quobyte-cluster-0.1.8.tgz
version: 0.1.8
redpanda:
+ - annotations:
+ artifacthub.io/images: |
+ - name: redpanda
+ image: docker.redpanda.com/redpandadata/redpanda:v24.2.7
+ - name: busybox
+ image: busybox:latest
+ artifacthub.io/license: Apache-2.0
+ artifacthub.io/links: |
+ - name: Documentation
+ url: https://docs.redpanda.com
+ - name: "Helm (>= 3.10.0)"
+ url: https://helm.sh/docs/intro/install/
+ catalog.cattle.io/certified: partner
+ catalog.cattle.io/display-name: Redpanda
+ catalog.cattle.io/kube-version: '>=1.21-0'
+ catalog.cattle.io/release-name: redpanda
+ apiVersion: v2
+ appVersion: v24.2.7
+ created: "2024-10-26T00:34:42.228563971Z"
+ dependencies:
+ - condition: console.enabled
+ name: console
+ repository: https://charts.redpanda.com
+ version: '>=0.5 <1.0'
+ - condition: connectors.enabled
+ name: connectors
+ repository: https://charts.redpanda.com
+ version: '>=0.1.2 <1.0'
+ description: Redpanda is the real-time engine for modern apps.
+ digest: 095e2de8200e51a162075981407246a37c70bd18ab562992dbd5983fe11eb88a
+ icon: file://assets/icons/redpanda.svg
+ kubeVersion: '>=1.21-0'
+ maintainers:
+ - name: redpanda-data
+ url: https://github.com/orgs/redpanda-data/people
+ name: redpanda
+ sources:
+ - https://github.com/redpanda-data/helm-charts
+ type: application
+ urls:
+ - assets/redpanda/redpanda-5.9.9.tgz
+ version: 5.9.9
- annotations:
artifacthub.io/images: |
- name: redpanda
@@ -46320,4 +46446,4 @@ entries:
urls:
- assets/netfoundry/ziti-host-1.5.1.tgz
version: 1.5.1
-generated: "2024-10-25T00:36:07.588047061Z"
+generated: "2024-10-26T00:34:37.299915265Z"