From 3c9be99b949016cd5d60aa65e2c2ae19e3ef2cd0 Mon Sep 17 00:00:00 2001 From: Ravi Lachhman <42775804+ravilach@users.noreply.github.com> Date: Tue, 15 Feb 2022 15:21:06 -0500 Subject: [PATCH] Second Commit after Make Charts --- assets/shipa/shipa-1.6.100.tgz | Bin 0 -> 41183 bytes charts/shipa/shipa/1.6.100/Chart.lock | 6 + charts/shipa/shipa/1.6.100/Chart.yaml | 29 ++ charts/shipa/shipa/1.6.100/LICENSE | 25 + charts/shipa/shipa/1.6.100/README.md | 121 +++++ charts/shipa/shipa/1.6.100/app-readme.md | 39 ++ .../charts/mongodb-replicaset/.helmignore | 22 + .../charts/mongodb-replicaset/Chart.yaml | 16 + .../1.6.100/charts/mongodb-replicaset/OWNERS | 6 + .../charts/mongodb-replicaset/README.md | 434 ++++++++++++++++++ .../mongodb-replicaset/ci/default-values.yaml | 1 + .../mongodb-replicaset/ci/metrics-values.yaml | 10 + .../mongodb-replicaset/ci/tls-values.yaml | 10 + .../mongodb-replicaset/init/on-start.sh | 226 +++++++++ .../mongodb-replicaset/templates/NOTES.txt | 14 + .../mongodb-replicaset/templates/_helpers.tpl | 78 ++++ .../templates/mongodb-admin-secret.yaml | 18 + .../templates/mongodb-ca-secret.yaml | 18 + .../templates/mongodb-init-configmap.yaml | 20 + .../templates/mongodb-keyfile-secret.yaml | 17 + .../templates/mongodb-metrics-secret.yaml | 18 + .../templates/mongodb-mongodb-configmap.yaml | 15 + .../mongodb-poddisruptionbudget.yaml | 20 + .../templates/mongodb-service-client.yaml | 32 ++ .../templates/mongodb-service.yaml | 25 + .../templates/mongodb-statefulset.yaml | 354 ++++++++++++++ .../tests/mongodb-up-test-configmap.yaml | 12 + .../templates/tests/mongodb-up-test-pod.yaml | 79 ++++ .../1.6.100/charts/mongodb-replicaset/test.sh | 48 ++ .../tests/mongodb-up-test.sh | 120 +++++ .../charts/mongodb-replicaset/values.yaml | 167 +++++++ charts/shipa/shipa/1.6.100/limits.yaml | 9 + charts/shipa/shipa/1.6.100/questions.yaml | 45 ++ .../shipa/shipa/1.6.100/scripts/bootstrap.sh | 146 ++++++ .../shipa/1.6.100/scripts/csr-api-config.json | 17 + .../shipa/1.6.100/scripts/csr-api-server.json | 16 + .../shipa/1.6.100/scripts/csr-client-ca.json | 12 + .../1.6.100/scripts/csr-docker-cluster.json | 16 + .../1.6.100/scripts/csr-etcd-client.json | 15 + .../shipa/shipa/1.6.100/scripts/csr-etcd.json | 17 + .../shipa/1.6.100/scripts/csr-shipa-ca.json | 12 + .../shipa/shipa/1.6.100/scripts/init-job.sh | 106 +++++ .../shipa/shipa/1.6.100/templates/NOTES.txt | 34 ++ .../shipa/1.6.100/templates/_helpers.tpl | 77 ++++ .../1.6.100/templates/clair-configmap.yaml | 86 ++++ .../1.6.100/templates/clair-deployment.yaml | 55 +++ .../1.6.100/templates/clair-service.yaml | 18 + .../1.6.100/templates/etcd-deployment.yaml | 65 +++ .../shipa/1.6.100/templates/etcd-pvc.yaml | 20 + .../shipa/1.6.100/templates/etcd-service.yaml | 16 + .../1.6.100/templates/metrics-configmap.yaml | 36 ++ .../1.6.100/templates/metrics-deployment.yaml | 55 +++ .../1.6.100/templates/metrics-service.yaml | 18 + .../1.6.100/templates/nginx-configmap.yaml | 18 + .../1.6.100/templates/nginx-deployment.yaml | 100 ++++ .../shipa/1.6.100/templates/nginx-rbac.yaml | 128 ++++++ .../1.6.100/templates/nginx-service.yaml | 62 +++ .../templates/nginx-serviceaccount.yaml | 6 + .../nginx-tcp-services-configmap.yaml | 14 + .../templates/postgres-deployment.yaml | 48 ++ .../shipa/1.6.100/templates/postgres-pvc.yaml | 20 + .../1.6.100/templates/postgres-service.yaml | 16 + .../templates/shipa-api-configmap.yaml | 157 +++++++ .../templates/shipa-api-deployment.yaml | 221 +++++++++ .../templates/shipa-api-init-configmap.yaml | 78 ++++ .../1.6.100/templates/shipa-api-init-job.yaml | 103 +++++ .../templates/shipa-api-init-secrets.yaml | 14 + .../1.6.100/templates/shipa-api-rbac.yaml | 98 ++++ .../1.6.100/templates/shipa-api-service.yaml | 19 + .../templates/shipa-certificates-secret.yaml | 21 + .../templates/shipa-db-auth-secrets.yaml | 14 + .../templates/shipa-defaults-configmap.yaml | 10 + .../shipa/1.6.100/templates/shipa-secret.yaml | 13 + .../templates/shipa-uninstall-job.yaml | 50 ++ .../templates/shipa-uninstall-rbac.yaml | 52 +++ charts/shipa/shipa/1.6.100/values.yaml | 232 ++++++++++ index.yaml | 33 ++ 77 files changed, 4418 insertions(+) create mode 100644 assets/shipa/shipa-1.6.100.tgz create mode 100644 charts/shipa/shipa/1.6.100/Chart.lock create mode 100644 charts/shipa/shipa/1.6.100/Chart.yaml create mode 100644 charts/shipa/shipa/1.6.100/LICENSE create mode 100644 charts/shipa/shipa/1.6.100/README.md create mode 100644 charts/shipa/shipa/1.6.100/app-readme.md create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/.helmignore create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/Chart.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/OWNERS create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/README.md create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/default-values.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/metrics-values.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/tls-values.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/init/on-start.sh create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/NOTES.txt create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/_helpers.tpl create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service-client.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/test.sh create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/tests/mongodb-up-test.sh create mode 100644 charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/values.yaml create mode 100644 charts/shipa/shipa/1.6.100/limits.yaml create mode 100644 charts/shipa/shipa/1.6.100/questions.yaml create mode 100644 charts/shipa/shipa/1.6.100/scripts/bootstrap.sh create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-api-config.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-api-server.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-client-ca.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-docker-cluster.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-etcd-client.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-etcd.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/csr-shipa-ca.json create mode 100644 charts/shipa/shipa/1.6.100/scripts/init-job.sh create mode 100644 charts/shipa/shipa/1.6.100/templates/NOTES.txt create mode 100644 charts/shipa/shipa/1.6.100/templates/_helpers.tpl create mode 100644 charts/shipa/shipa/1.6.100/templates/clair-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/clair-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/clair-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/etcd-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/etcd-pvc.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/etcd-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/metrics-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/metrics-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/metrics-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-rbac.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-serviceaccount.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/nginx-tcp-services-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/postgres-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/postgres-pvc.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/postgres-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-deployment.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-init-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-init-job.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-init-secrets.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-rbac.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-api-service.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-certificates-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-db-auth-secrets.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-defaults-configmap.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-secret.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-uninstall-job.yaml create mode 100644 charts/shipa/shipa/1.6.100/templates/shipa-uninstall-rbac.yaml create mode 100644 charts/shipa/shipa/1.6.100/values.yaml diff --git a/assets/shipa/shipa-1.6.100.tgz b/assets/shipa/shipa-1.6.100.tgz new file mode 100644 index 0000000000000000000000000000000000000000..1237ee3adcad9ba9b395f55f3f79bc0cb0cff43a GIT binary patch literal 41183 zcmV)!K#;#5iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POwAk{ij=CP7SddI7Dqk}QTCkr-+uc}|5{ zcM%y89v+j2yN8E6n-UL|np5QS;vCJKtvg8Na=E;>vm^hO%jN9fN^P&aRoSVQYvuCp zPNlL{u2idgwJj*$1v1$bFpm7K@{QZdcJ2#F$aN`4oKTn54FC&q?K*hK=Pvehi`j&E4w{=Tn&CPO#Hz|IC-RwxEL;b<^h`Eq9M5vg`q;sUVGUCj zH;_l(VV@D|*5SNrAkT|_R*HMYieY09yEb+$f?3@#K~0{3!7Gjti06z98 zBb@s4I*f^f>!nh$WQnc7O1Tv{n#fTy!Ny}0IK1`JurafI;&F*W1Kwa~1`-C0sSj_1 z5%yioF#}G4xQrvm0Y1fQh@eSb?o$Vj9pqwTN(HV{&OKHyl`bwWin7y1LJeXG_<32S z3(vHu%dyK#f#*Mn#LxN@{Ib)c4lqm!{a6nR3JpKKF1PkSC{1%!qNG zS{&uF@u~OQ=a!Q6-=WsoU9_=={+DYzwFUaWTX~@W_mQqiF2gOUsAW;?!6KWM7)K)q z8vxP1s}(DiV$HD01T!x7KC15S)$QHAeS}8i{mP3@NNZLJ1_S4M|-=qoyyMsZmqJn^J4Vem|z$Ch>KIHP%T%hX1Qusc7~M~_3CbY zw_1E&Deu%ol^+WaTYgni`~Ms{0cLl_0IuHumEB6En%)1q)rb9mFX<7q6e|O24M?s< zo!-VH7)}WT!T`Y!jiW5IGV596{Hk-Go;3eu%hX`_-zA5JsctFGi#N(P-}l8dorW zUasxhFZQkK{&*xB4IJl~I>egSq2XMhITQHeQ81~)7&%PPI7{-fb@=HQ0{}S=z35}H zn0UvX_?R)x+c|-f~2KW&K46Dw8LnjP~3*1L| zOwNEPU|>ak$&P~r;8GXPFt?^aU1u&ooyD9l!~Qw3FbMWcuCL|L;prho_Dkd-*TQ~D zW7#==Cc7uW3?-A7EVdK}F@`>|@u~)i2gtU?S6PL4b*PjDt5_6&D#nrlB8(H7KRhz4 zwJ=7j24oquRl_0c3|5axGyqE*$aY_p>tx3OK=t6RXIR%-)2W+JvM#yMPva4I)C&Zi zf(yc@U{mW1`!EegVhQ+S!wUi@mV+Q-*yTddz_!dS!T?)7<_y@B297Q0AhK<2iz=4t zC(wX1fvntwFpZ=|5>Um)f2VrP^(tUWerx5#A`uj3WS2t$Tm>X4T#fcJ$O+{RY;askgDOZ zMhiJTSGmg=Mo5ira$psl32|LA+Yy(GU z7!Wv=o&n-9E0F>_L!RVc6*ToNL>fGwUe3)CwdW=ye~5FiQhk0@Fbo^9>4+lV7DaLP zw9R8A;u<^q==tt$6~B01wRZQPqvzuhs^L*}XZ(EMs@XMrT;172HZlw`>Geeh!V^Lg z|k0uzJ4q_}U)*0)0w6}q&0y4iV#kapDKYf#^!!Q@b zs9+ZIsuc>`a4{v;6l}#?FtFz?nh{G3;5iWz9dRcKc!8_2fTv=q=!tsJ>Jg~bX-z3*f~+Lq#jRt%sLO}dl3*pl6yK3$VaATAEjrc5$bRn=j(e_! zRlZsSmGWz17#?L@tXeSxN+%V~#UV!L7)B0q&qP;3Y&eAvAEH$V1;w|H1IH2PLjj8L z@uL}nEq?d_#lBKx7Q3PH6Fz;lkwaX zeNX(fP+?mvfr4H}YRnagI>aBv^kE)1X8Bkk%c-rM_m=O4m(w@~zC5KwbkvsfFb?wgwXtY6?rOuIh&eY+y$Fh&*`uP5#qJ^0EeeVCpkfycV-&EtI8>KT z!)T;tKyV>S?2MS1rFG;-Gv;~}glbho5X{q1@$UkJqJzku5m&J9=B*_|-d6N9PbT+3 zNa9l;Lk7KJSu}9Dnyo>^2wqIZp!$F!mK>>q2_ZqzFME-aJ%ZsBOO-6pvD~^@AW9f1 z8k)g#DVG!ixteH7W?Mkp2BZKH799&hYzb*X*th6h3vX@=!yh4Qkv%dVL6f>JwzyL8 z&q<(9KgYUpBU|fq4FyP3wk#C0}#V#ChUm*8N>YUP?so)f2 z9kfj?R@BYO%OSS*LrooT-o1NIhCb3)y15G1l$Vb zG0Er*gF|LSU*(3&C8^!th6@Z<;QQF+&Kzv2R!iUs&O*+J6nUStx&s(sY{Q}GM`A+M zOgs^bO_HI%fsHs4f{3gw4#ZHi2a&ieibbOHH)+lT{ucdPW<3I>?<#5477PyuVgtDl zPtrtmH(XQDdKs-bffjdIQap}VDn}D0nU`?d;R4MCq$zT32kQ&ls8{YPY$8GDS-ltrN$jD*hgu&;6D~VW~1x|$(rR1QS5Bp?c zpC2I?O*AD{ZJmV2L*}~lH_RDF)|tG`H)pC|c)!j{Hob5iitN&PrMO$HrAn!T&xrNJ zt(W?^G!}1(>gt+E{2E}c*dL#jU@fyE%CNXpkiiI`KaX7_V5L|S%{eT?S% zdP2)+AqJeDVORf}P&#pNA6v-d))dt>LL8src~pT(WuN}ZX2|CbrDs~^^XYHc;%}qk z4hmdr+Cu)BGuPnkvoPC`iqVY~8LIS)7ifQ6v38NYGpg)hRJJQs`#G|9@qTU39wYSJ z-mUHKBLhJ5)D5M9szar^UzE&UU0%+7>YJ>Gbe*K`e`A$ew>NALiu{t_VjFAhKWaO* zoy`4jZGZpa{`X#zpdnvxoB)PXfp3%SZdZgdkP!~~qhRqzCT%n@{5z%A526tWCnKRMoodN|r2KRz*R>SDvF6_Wx6aO8`A#FtW*L$J&1 zhJi1oq&9fdIc}W3=?#Y0nHqL(ZJ@nQUF3-2{Ebo9LwtHr_)ugV@qiVb#LZw)SNN&? zOObdV3(w%+{~gE}e)Kf!WYsT!Q2T@qECN?G12Uyo+cC7_QGlr z$R)dMvapgvC&XP%&Qw7m5lKCQ{*63O{WOd#QQ2EevSBzrY&QmNc-e;I#<0`w4(rfS zvXnRos1JcR@sS;!3NS-+&=&?^YjYQ|)v0e|U#eKKKc@aH)+NkB>ljvqsNql2<4=7y z-$%;wf2ULI2ohH0-mRGeuHpZ7s{4Bx{%>b*Z~uY+yN~qYL+NWcC$qX_4#vd6eD2|c znHUypitF%o>ElO3lrq|v9&&9dpC?t)Qg>D~bU9P2Cqh!J$gmmb$wRKF49+FB3~6Cf zvkrd>(bctJuO|OVW`kfnCYMk!V_?{|<-ZknO{MNeQ5)hAn8WV@a^&+BNkc^&MdLkI z&}Dfp+7NwUFv1oJ7*^WU#LErY+cCk8t(Y>YXjL4Q6E(eZ4Y*o=;pphQfbl=6_~|3^dj5RaV)uf2USoVp_#k(N^$c zO6An*b)rf+XoQ`m(<{pqmUbpN*6QE-p$_~hRjq?oF(i7M3q|R?ZF4lQr`S4ektizZ{anvu`vk_L!!H@Un&$!pW@GD?;%7Mh5Nf{- zC497LT^nC6EmV#+<4URxg~f7sl#$ggj%0ITDh2J$lHyUfq&hLh{Z^99W{FnLU-9=)C_ETtPNm z4m*O3giR_S#jruS8td?h{K+7{Ocs{i-(>z)U zyWF44M>a(^O|&Hes(Uwx6c*ucX^s&pF>Ifl%f}!psfWqlg#GSB-?Y7DTwMS-R_2X^ z?+%le7s@atRWSJyJhX}Y-6>LkBJE*H+R&rKIO4=AIb`Jh9@@GTr+nr-I_$hW{?2Un zy4}IB-|4M( zT2JOLR+Go-ifVz@xn-(_#;z-BhDB19we_$(b`L&$&?ETqqqKIAA2gowyq6y|2BC4R z{1(FoF?o1~U4F{R4AX!g>Mulw!6>2YH)c;D-{jMOUW2D1_N1%rki z35dZN_IStySVF{4RZ#tfz;(zOcIJtDho{npDbmZbXOe-D5bTsfkD+rMnYFkW+YV+7 zd>Xhm_ld`p*o>q7Q%oQr!Ragez1s7gbZ=@^b3{0t^bbvj##p|A*xP|KJdbWTuxt5q zkAsIM#0{-E&#=oVd?zV6`ME6k{wf7z_B$aVx*I>KY>3$a=bfscO=Fw@iJW9CuUR`zQM zcFVPx@Tz@NhZp5COTz6*>WdsWe%nc#{~D=vGN%DtASKOU#E3JGt?Jdy3}_E2mf)Y{ ziPCJaZQ%Yq^H54#bFk#}=Gbak)W?*SFt=>eLTk!8G_c2xG^!pm79TEZu$2L4yt$;4 zlj!#uo~J*Ej;JsCQ{dT1KN1a*cqK>PwdSck9BZ&-4Lud-fg?t0L>$5iW>RoTnfHk5 znrx;QqTVe~jt!DTJ&g}wmlGd5^LQ~4mt+4NId!N`qmSAQM%PN6v_jY!5#**m1*5>_ zLF$t~#ZKx2^^xV^)FWklNsVGmmk}2n31{K@mO?ev>q(F=!P6lB zOeqG(h&YPSjfC*%@_6%WICZF{woho&9&VoyM79kdbDv;4s_J7|VxAhhQnhx_UYxkt_-lH1@k#_h%L_5kd+JV@R&8lGyE)dYRSs~6nA6)3@Km!k6l6C zh5}%n{a3Y;wg1}N*)KoH|M!uS@;~xCR*IAWt=JvdwY31(6#oG-Zs`CRv9X2xqI6K8 zl-7bO*P$Toatj9YuzaP$QikL+#I31PnTKTZsvQW6X@H5L5XniwzB+Vyc4s@gQHNzA z-D%nKf)zciw4|5E1&zJ9g*8GSP)Q6$TJn?+5x;(3Emq_!yHwfZJRd62F+%S!{%`=TqSU<1zgz>u(ALOMtwyZ0S#Y?qum=*RTFb#CZWNO%BX3LP&5~f-=Plyb;lsx~1g^J) ztWbrU9{(FJOv3SuW#`mX6OyN5U6?#iuEpGI;&kN0z@k>3DvO~z zk`c9AtS?qX)cD_xgc$h@`&sFNwsW}t1=e1aEGoZ@shik1Juyw0zXD#0bzi9M$hSQD5sn%74tuf< zPeN^Ocx_d!?Y~&kgunoCB$)n#(mC>F_e$c^@(Rd4$37h9-S-$2+0iP}}IYXDG zR>Pa4ImfcGN_pq`?*3kRc{T2f6WTT{WR8i0MJ4GwfQA0qQPJ}G3IqjanVRwd(szX` zE1%){s=8-*{sewmrIX0K%n#EF%|zsIFisi$fp$TgOw05KO9k)tu-R%34^JD%ojj4d z4ux9bN_q&f*jA_oQj0QEjs+uCDzn)WGHv1-Wt9p;PS835IfFs=EnU+=B%^MSkL$Wu zAgQKzZY>Jt`JK>j^HU9~Z{0YOfw^=9R?5n#=xHBs$)u#?%E4N@-u@10w>=?i`h|6i%p7T$mDS0Cj6dr6z{|BBZ?&LhS~Mt^W! zDL_-@n+IBL}!H~|dzmIfP{m-rFh;N|xxos7(MkPl>oDk)bI^Bc}xI(8Z3VjiDFuVV? zldoHS0kn?)+b?JDfA;ns_`mx}ckuovy@YP~0x0Q$Ip^(9s|VfQ5ZbNIun0})t871G~qWoI#mNw@B%iSAdWB4Jl4xh zsZ0ISu;-CGLIrY)7qm(0oldqL)s`YZtPVdtiGA+9D8HyZ`6VT-XEn_lvVNA5K-0+U zh7O8y=UrI8fHWqioDCN_OMU2zLD+rri|S5>#n!8^xXK-NsP_$5lXSupI<~}%p1~7^ zMQgr%81vX6F5ZU6%3{5K08fE=4&hMv*)3cRo#^e;hYumV=tD|TeS1gCGWvg;SAgs6 zKX+@{_n-Uao!tlee;?`2?)LOT`jW5r;x63H4POi&KD$f4M{unC)`Wh-E#%!bW11Iuqy;8ZdUKPJq>|1l)<;u#wuo&iB7;`C zEaG_79`-xU&(};dJW(=Mny~t+E$;m43%3{L7gx6gPO?Jlpx>T3aN(+~b794O8s=6h z9wYs_J>=^?Ukli4NDqmrxrs&VQn*X*>7x6wv;>l~%GCu~rr4)G*Edbe_`lm!0j{`oDWgccA~1OX%8ipAN7g5fuyy+z)Ue zQWWOewf%BTPL`u=-wx4iKF zd-vh~=YGHpM1(uDioPJ^514bvgYZcU4r9f-TpC1zWJ8)+0ZqZ$gdgq9S0Td0() zyF1IusJpVnT%=W#kKh6k4uJ=pLahu8Thz5xEE(w)$VbElI!;9U3wy$`KhwUlUi-+x z$Ji&-9w-2HsD=FcqEp!`k6kGFYA?38tX2*6An7LKg}kW!Ohm6shgVNVNUanr#q!_T z6jgWk>f`;ry}i8`W7`_nY^%Cg+u6ra2MrFQ;rv*u1V~J^|Rn$Waj{hM3IBXPmg=8({AIa zJveSO+s{gyv!ZE`-15R%X14%81#h7-FBmz5O~V4$X(cu93k^gQ;ULBi6qU@Q25Ns; zflv6nNnMUFGnVbhap=XdPtJ*hC%DZlbP;pNOt9t|xWn2h+l5oYV3Gd;hCmle*vHFq{UJGGm2 zS4gxjX6)FfBb;92V?><5$HS?Q*_1kV9nx(H^j>G*^n^P6l6s5%M>bPpEm@yTPG|@7 zW;jfvO=czdq*o2Z`WKA{=xJ@tIFXpZ%FXhYs{s`UT3!pXf|88X` zd;har-F=AvbT26>|I1lN0iRNz{2^JtqL4lajg)j4zWCsP!r_!V9{b&gM zz)>u#3CJU_eHwTPvrZk9Ir9iea+?G@bnRt>`!pD~!yJB~+ zLj2Li{DS&t#GUBa-#K1|pscaV zyTTPQj!Y=8g02--x*?|5v)RmEUL|faHqmnDXt%wzGCNP(oV3=|1@ko8UPghv4pdk& zqs9)+MK`^iSbFJ^Y->|sc{pEbO?9a)K^D?40G2K*g+#+6VZ}tp^p`aDo7P^q9LRYl zdF2bQaBeoZ##+1)TQ?uxr=1CO%{j=ex5?HeS?>Z6*ZQp;xE%oTr5ldx!My1P@WW=dS&f5!%H^c^yaDCqCbN{9M69e4=E zcYlsZ?l{swJRs-RXYB}d>G^+)KH%5Mf0e!L`_J9I-G}?Xdr9lh|2y{np4usQ=>b0K z+8ud;&xOC%6MTNHO})Xdt$lkQ;Wt6_!7Kb1mzL81TQmV#r~hA+|Mqrk5Apx*C0$Ma zyA=zO8_IpR?IJ3HPL7YLganbiSxkIh;m|3B{2BXN$?pGH&3b!2pjPkyO08DQ+JEhr zYY+E-_mb|w|5LnpZs_}66%(K$zwh!>gs@;wnp5QSqW%;Le%xU?a$_9|VX(xFRQ3QH z)$@`yrj+Tx5UgG*4c>H)8>h!7FAqD-)6VhwW+jY(VUwr)tjoephX&CjM6G*YG>wp@ zvUU_aRyV1*Z8A_@6pByG(n4rBT~NyOi{;L+_8c!JXoOh!zB1>UgQE#6YVWtLm$5t^ z_)a=>(xr0oeni~~wMWIkccQXft(&D~xx;jyBlsUaB>34>d&&C==@?J}F+-;>nAfZO z<;s4t?S$Kd1;xUm=}*7}cH-;f*2~kALA#%DIuPnbRAx$z;}8qGEGU3pKQ^=!$Pm9tGvh=5)l75oan}@xV*1E;KwDz#kf88Dq zWc}YLaiOqXSlnoqG)`Zvecbrrv~k=yebXBZm!Tm4d5q=)j@aVMp$vO(+ucpTaC(N_ zB%Ig1-s{8mX}{fU91ojs8mEKKu>H3E!!lqKN+%BPV+(oQnxY~j94m)(D?qlJ{r1vc zE-5j2-K#3IrAd3&oZ#|Dm?C-cDh5c-40Jr`iF`V*Gn5XR#|f?DjO23 zIb8V4w>O?4;#_IP+rex$H*GpY#9gc?b6YZVv8r4#CcgBDk4+oRSsg;gbBfs1wB*^d zlb}JSk0*q2U;A!}&J&r3EKbf-bVMBrhl4Ud98{Y96Z_jCdHLPDlW&g(Cr6V(`Q48y zul#m+;(Ytvne+R1C%erbtNaqZ=3f5~r*_o-_T|aRyVu{HygL4_{Hot;zv>Q7oaT2` z`%wJupS;=|e&4yUYt#1d%xPJ(7vFYk@7nLqY&x8HuYR2KccYAK&(IXST%tM=o?kHa5!ht=+MSblf;s-EX ze_Q#kdfCG>Z`%CLX^(z;SA9Qx>AZ8hogYu8!MowNJEOC+`MZie=-0me?WA3q^L1GoF*cQgBqU29Zv%kqDC*RS@!|FPMB^^y;2Kls*fcF&r#wwyZLbVUFD?K4}N@KnOd{miYPm5*{?^{cWh93^}hSM-?l5$%adyR{N4Ks zx8K;k-s|pQ*zTTuSMKg~zw>&dvv+e;J@JR{X{G<_)$haiyTcQw|7P^ttIJ;dMFsug z^iIC-Uv^uLKYDd^ada~6d^h~|<$Jfk_hb8#k9dUDxxzGe8$ zOa9}#?{>v$G`bVR)=a;Db?Qf%s_4dbiufFZKU-iE`>AcnJ=GE}*yUEF`cg^O+`%=(@$Td~$^DOcyj&+InfYgVn#GBDEzd$}Nt*Uu0c+Gvy zUQz2T2BwYi6W4vA@=^0JQHK0&M$B1QGrGWYv_G!8Zb4^gdNDVXQGHmH=}|^F_2*{d zomZ0Y@o6B?10A&|Bzf{~*tBML;%ZC@n<^`;9k{Yk)QOQGk(nAoM2qj9v@5#j&!0ap zB-phm-=~zDULx#tNWBA2O&P}`E*r5$sqjVusW=qW<5sWvw%tE%oD6$|W<#8q zylW_zR%#3)9Q07c%_v<(dW6J0s{=vHIpWBRFJn_zf#FNpO(WXXGcJW<-c$@u^4=@n zHSJ-um3P5tp-2{32wJTp%qQgq89-8f&xDgsgrmJ@?*$-Pl$V&Es%DP zmN4F4`M4nY9w^?v-ikWmD;a>_0~|z)DZBe*rrw?6P>)Oj0+(=Rdg3(py!h-!o~OPB z(z)4lB^=O6Sj{F(1{h&;CcY+DtPmaE`XESQOLo z*vF$sZ7Cc9VFE81h7Eywr4FG-K;Tp2P5?1LE)XI4lQF@5^|UB5f29mvQ7q z9?m>!n_Ae)xOWS4G^Ki+=Yq|mK922Mk!|~!u~3|fB==DAk>QE2@FYRZhDWIrqmd4u z=HnUVIDE1jnlr|$S2*)pbGtN zKy0AO5~%CP`Kqi*m?`}(=BahW@{*Z-RahH~He;}ft|8Ae4yiNFLh5W&f0G&dEE5&Neu$wV?%^PUKnvJ$D+R`PX2~tEdVGX@{@Z;qZkG-rh3fO!^?fLThVTtUd zF~Lr9&9?c0TT=XGQGC}pl8K9W;0sd7h&ypGJc3!^aN;?*q`s&FPm27eEoJ^l?)Hcp z$SbJ{KDBE7i%84we{RnJc+LIKezm-4|GQUyxc|A2bbagIweJn?(XLn0+$pxsSTNJE z&{8-)^?c%Tcw8Lngm24Rl|2RaYDU*rY~y)+!sXgsi*aBa%{*l(C0W8kwOrmSSIX7OZh5D?TL70{q(V2| zi?McQE~O8m1qS|F&hirtq;J~tplNnGS;tKwu*4g=^zq%LZeQ|fS=CJF{(EnCH(}i^ zGqlg8WDao&Z?3RiA5qH1GERCzUgUf%hvWqv&Giy%LWx;E@i;3*z>92}g})?Lsc30g zoYM6+>bl`nUfN7OuSD9bwxEJ50AOx~^hHf?DHoQarKU~%O<!_TI&_%e7t0DftbP!Ait4M77-vsK+waLq%IaZ7wO$2;8VgRjQFXI_Wvk#dGZoe3h~8MwL>fw zEa#NiFh%FYoj|+$4$hHJ#HqyKg7B%XZTVPg1d$_JlKMb-H!2ZJgr44j4v&bd=u37p zX4K%)Hzr$%K9X`38-6rRGI6PoO)@s|C1HHw+0zor9`EOCllSWr)dY-$GGqmmlwt%H z$#RD9M5Z7qkV{we>Ssw;u{0BFaoOu6x$(ohk2SdGKCSv3@Xv{xeFcN7L~-QW@N}s) zl{7^N#|oaUD;Z)1&(dv$L%V1KbuS~D7J06`AhNbupAptemcc@7jD?S@9&RS@apB6R z!HtOBQZDZcj%T0YAwSn1s2icN4wr zzQdFyGFQaLS{>Ob`}InLk%{J%cDk?_aVi-lN?vUT-u>dch|-Id!MTzhS`}RD{)RXm zv@18>*zTGx?_MS5)#bXy2*0%P$U=jEv^Qj;M|6P~P9& zz4o|C&4(VmPkjykPn(w8ePy#L>=RI6G0kNy1z|8Mt_?&$q*a&O=45wL{x z8yywdv<`n7;uMkReDO8rPzWzt6Qv69C#3C3lDDucU?htz0g8FA>xQ8TN72qMX!LZ#wZM0h9-JFG*@(s?P5qe>vW~14TEED9@(|VLAA35hQ!Dxjh zLx(0%POsp|2tHxR9$SHJFv(G5%MG9DK+bcZ(9-{DHmJ|D4PFZ6m`CJ2L9${`T524! zk!==xtgV{WX`vTp$J?OmYwBHZ0CIp1HW`NWj>->Rk=l$Kb?fF6nuNB|d@j7$%YO?I z!c4t~$nE&jxt8XDSDxvGS~njT338)ZPCm$c@b317rZw`PV5x8H0d9@`f4RK75dUwl z{NVrXUQ$y28zF8@;|BoW(ov55w?RnaaOIdu4zQ0E_oy#CZ|P+~VTzqukxffeO3w;) zD0q}{Q@{Pww$z(C1s@^njE={LWJb7Bp0Bnpzt!=8PwL#8V}C|m+4O54S@<~ruHnlt zE7wmeL!*=~K2P{SSZ)h53!gaTxG}%EC3r$Xkp+JZL-3`>Gs>c^-EAHBI^87(tQ)LY z~l5V2Yecf*l zq9#s#y&JWxJn*d><2Tk4|w7bWpZLM_yxu%s* zX!H0FVfuXMPZL$1NrNnQD{W^!U;C9$Y;dvJ_@?Y>KDDaiA>Bb*qyI~~4!Cw3>*D{^ zDhvKUcFQ{t`oH@~OQJi-Q{YC%AJIv2XPQ1Arxksv5~htE%(3Z7?TIKq!ei=VQ)bGC zorJo{h_UjZpguemGKhoS9Phrz`rLa4d(YtMWP@_MW&Mgkz#k*xKp|BEW&z_c!Z5=8 z0%I5UuMK#Vcx&N3BzET4D*Au zyW)dlu~=B{%9zsu_lYY+&(YovcC9og75m@HK_q%gu@;eVJeDC7jn^84KJ|9`;?i>Z zFSWb35&>=v{okoo_Okasf1Gs1=BP`3q_?6>Qe`&(2@8H zvO#?vFQIt$TwZzHE24hjD4yR0Pu#BqmPSq^Ojs{AthH>yl!0T_BEuF{^1RPiA}%p7FX0kl7;JVuRfJ-C~tquFPqq$ ztuL>K+2Vxd62F(kwFMdZ9BCkRu+~O}1F`})17MM|Z;m1hM!#W;v$|nI?wNI!-ntvu zu*S3Tk2wuj8-KNN;z^K?o${yQD*fGTDjsalZjhGq|F;(abe;Z3{5u=}v-;rw^Q>ZpMUrP`#kY8 zohe_*#j!GTzRKIt_-h={Cg*EhHXVX<@nc*v6=PuGTUhQo^Pj)}^E^jie~qm>|Ev2u z+54Z`!})(dX(NYAckgEDwy&WUybRq7kqWU~ay!$~v7y#p(5xKV^cBhKS-9@?O@!&X z8=RF>y8))&hW9!N8SgU=rv3${CG>y6t@0iEe<<&kYgzuUy#GM|?{- zePL!lS&P>6O9UUecEjCJxgK~oY*j9WWL&>ZoBh-~<{vBN)BnH?Lu}s01MoHUf45TI&C36k^4VDg&4jw53A_iA#E;FCkZvFlm4MU^fTZ5s8ynAfY#oVLLZMC=HBBV3!Qhw}XhTYUt zy`?TeblZ84N$cT;5)1=V&O0SS`ES%yNG^eAHm-LO`H((IS||VA#w(CD@?UkYvLOFe zcOL9N?j?Pi_aApIBW@z(EfX3mIYMJb=Dh!hC|~-Btu~Lp^%o_}AC0VhYqH^sk`+%R zKDDv_7r##K@zp?LtZwi9KxzU$fAe*9{uf(=(*dVGzLPdqpZ}Geaye`NRV_c*f8AU9 z>SbV8wzmFtYisLYw$$Ih{Kx#F|Dyj}NPp3PMZK>i48B#|a<=G}wRLufxId)ZOJeSf zt>)Hr3vKzy`Rh2;8aZ^N7e`}jYpeMG$|UQh>&&;%)@;kk)cM~tb^iZbR#b#vHtGhMWYNt#8Ws)iVpSGMWvNhWx0`f9^{_=ljYW>Hp{#JXdvDMl- z+G=kVw`N;*POtx43M;l{ZTVYd%UkS&?C*a|!RK3eYqsTWIa^5nJKO93AyeZ&ZJlqS zEoUnbWta8itN%Gu>mfa)hxCxHn!Zwh{^dV?YD6B=LwZP`T@v&G^xwbhzyDSJ{YvNm zMgRQ|i8}wP|APMecm4Ojs=r_9a(~f(|AYSfFZ%Dl>c61>{$2n5uj;QRT3>15<15|r zS6V{(>Rfus^w~VTiH5*x^HJiXgChYA`E;iU6a^F!{}q1Fz%C4zzKDw zZ-{_lATB7|2>E41T;$JTO#K<#h6}={Kz;d_2HcoYTe*=T)ZGT;WALy)Bb;MfMVq#< z4Sb3?@F|8dbsTy@+zD9JwTZM(kd&bEEb5pg9*G@|Ds zOAmqJQcf(q4SY(NbW14!BwKUs3@SEZmV?L)`^9_=h?^XQ5ChMrc3|OKM*>vG44YcP z47NN|@_B`XM15w=&>Tk6>xB)R0(NccGb~nu=hGSG7}R)h1~&G|IksW!)0r9pM#ua@ zOmnzun1?N~Y{2u0SWLcHFs@oU(!pxcFothB0~qvP4c|BVZRiZ(xZiu%X|-GM@&_2c zX+yJj{6oL<`pppD^bT9?{s0=?7BqX^VZZb8WZ3Huj6!1ook2lnG`c@P`}^a5doX}r zA38_Jhn;o{-Z%RFMt9h054NGxZ62PqI^EaX@bY8`-QLhR>>PE5?G_As+p^KcYS4QH zN9}&|O`|((yzCryhCj&mUUi0D(blV8-)O*bqd)94PYxS>I6mng_Xcec-D-6P&BI3L zsNE_;rwiR4wBNP6Lm0ei93G~7Y4qNA+kJt0vWxJt4Tqh^%fq&4NOrQ->9?Ch(VO^R z%}%S`9X1ZPjlprd*=ZbZL;L&o(eYuU|HHP1IcR@(((VpBjYDWPjvBAq19-Y-M2`Et z=1ISOBv9_Xg2Bnl!LTzt8Mfhduh){}tOJ-0{tAb^fgG%pL3`V1HHHn@@NvKQsxut? zRs8$q$)F?0tkWH~`~8#SVW-!925)-r+wao;`^FE@JCR)$Q*<(D8}grt1-mUL5<0J-(R$YrXzRkqy}_WPmx&y*<{LfS z#p~J*sq??zZnTct#hHD}r;AE!&j08DD?hr5xA4{u+i;3^T+y z_F?2B*O~%hlCsald1>Qw>`+g>3sc!eIF{yY^4#~8X`49k7{|yC&xs5`7pQNGMvNZK09QMqp7U2zcW^i7UgP?t=fMLAH+QT~}<1>bKvhqN^^eDr6 zTsV~o6PL?2>Y|U&%g@VTeiJfw9szoeeK}-0yRsyk8OF3BupAoLrsgbs7^&g&rKc+d9`ex)b2a}05)%Vy0rB7|8N-|gFh%DW2!B>L ze*N{=5n@v?q^GH{zeV}TtLP+#qH}yu+bvdJREw3}VrB0+h^pC%H;fa8eI}QUo*6x0 zl0ljSz9ftbZYr@L^z3X)o=cT>@HzI;1T!^T))e`i$z`cVT|zDz#y9YP{jdMq|NVdb zFXGs1*F#hUeCk8sO?+gF9}1{okn{=xn_jq_%y4S2c-WWhqaFI?ih~sw4a0be9eN>o zVSxnW*o(b&iRyAtRZ|*6Yzz2v8u+U^UN?-UT6!opWrYhlp`s-PGI~$RrZjMDu`Aal`Yr9QEhi{hAzjf3FGd5io? zNJ-*?I8MZjM${z2(Lx-)$%p^9zd^hA$`E3av`!9VXI3UL6n=t!0a*3ge zpj1?xZ@>@$Mc*2BxW1-hRrvs*KwrPuqY+Bc7eKZhdf-&cE+jw6k446*SfDzrB=QIo zY`ScwlU(@e2Esj|Xh0I6f)1vem=FNd6pNGw{Gd`Uml>Gj+)>k8@e!OvOPzyO5SV7PKn@c4T)%lp5}sq9f5zU1uc3AE} zAO-;okdxY4$>!ltnE2R(LO4VP_$Ghrh4j4HDK%S$ag3}pG!b(t8fRqUihoZN2!-?l$7zNfD<_rY2wZ$0`N#J$K zHvF30BBqVcf8B;(y?{-B6<~fay0oh zbXFkx@vF)*YMCmcDOuK~Jg>a&F@$a>EjklSgW%KZ#;+e7#P}&klaJ;Hi_T_*pH2~* ze*D!iUQr*YYkEGOMNHndSmqo}1R&9#=VMdnZNm&B*)riUMGP38Ay*von#mJcT9k)= z6Id`FlS_DtFN;tq){5nA2~qyj^sUOXZM{uH#Hs7dA%XC(+hVCn-NprBf_D(57{;#P zND})Tu@n!h(Gk?)5u7kI!E%{BQVooW&p3$9mP>zae4a~uMaD7$oJ+^W|-_sbdHE4nQ>Jm(S!~SWIO^(^2Bk`kZ)Io8AiS}Rdw{4VMZlZ z)K({V&fIJO7fe%DjNyCOSLbJbT{(3*^_P@Z6SR4GJqh^;CJ)->r>>39OPOv$rFdDq z6i0B9bGqsw912d-Z?s`_)JY{MphM}I*q59N66FgvOO=%;fn;6eYj>C-Yf4I=I>LYvBhFk)igr)biF<^l;Rm_U#&^d7@+W<12ocyO4B*F!a zmbwIa-9!8&qAX&sY|If6LU;m!GnZaC*q-1byi#{8SkrvL=Y=9F<4F5W*$xLCyJPBG zqEY#jyJS)K9J_L4!uCc1aiokDanWeRxQ`^y4Gx-PU#j>b&5RysQ|VHgN*WZC`qNUK z-8FS?&p=%p%^~o_ViFupsO3;&svXlLD;1M!8!=E?U}S>f<$MmJbMo$VO#KVw+eO3Z zxSSxznJYzuigIBFhqp$)PGr`S7+>0y#Wh zN`y1bwOWCn4XvKb#1xkQ`a7~_Sl$t4%S7RR<*!P$wxb}$%AXXYV=B+BIFY}=`j{7p z@JQazF0eS1koq!8C^f}Ig&oz-NX7mW6E2vP5pu*%_KRQ)r*h*8;b$sjD2bGi=`HGx z9b$1%dcaWM87?q~%m~-l+=2{Q$OYsu8fg<_{3LPmsbqHGVoD+{yuq*#LFH1SW1yY@ zha7o@>T#xTexZ+CYl?k1=@h~EDY1T4za^_3H%47}TZ^|;w3({qYNb>um(FUoiCo(Z zIaBEw&c(d+EU^&RE|LYtHD^A5HWD+sJCnZ|<_DptUFintU}E_KJq1imd`aimYvs7k z>b1C7Dt9%iLb4@2UPZ0w9L_y_5RYMQQQ{p`%Eg^pu~IHp%W;{M5_=82R9P#`kKtCz zVh(P2{ww}ZF3_8Xd0Cp)@PFlMIUE1Ex?8P0@PGG_a{YfFisjHp?j$b+oLVc92UPVl zjH;%IYF`Oqu|qP;3+k{_o`nI;RD8G42j@S9r1g0wwf`g0_)bW`I{Uxs-hO8P*Q$H9 zhy8yaDVq7ZVZu4`2^u-Lo?+(<2sgHlJr-Ur)`9y0jsi9^>9sv{JXD8{OR@}a7tJu> z;snHb{P#HxeCkgmHwrLO-hK*UwE^Z_I>j_Y5x_1i!7@C;7cfbbaPxbf>C zw~TdIf+BWid7Lkj&8fdC~3GUgn9TGr$*3H%iw7(z3lrx{6siDD|Xo326x zxS)P_sV!qn>Yqt#gcUs}-jWVSi)C$>JI8|MR`)n@Z&L&DQ>M+$dYnRf8EbaU`Rbix zpV%0>(kZRvyHOfvhn(Tm>@CCK?xzo6#aLL0FswJ8NFm;+A^B-ZD;xFpQ_ET>d40AAXa7n=<9v&m& z7zSada)q1{b?lKpu>JHIe316`@CeezVcLX8xgb|G56?V4hfKs+QB&UCOY@2;o`qIx zx+Y?Pz{gC0)pmqR7v=}9_%Nb0T%`(;X5--T)6kGe8Wu`GInj*4r0^S~F8m3<{SJkq zkZpeYxuBxM{#^K_@Js?cYW&S$T>cHrKcMh<@TPOzI6Z1~x~IcN|8;v<02AeZ z|F;7uKzdE32V#C>WLp<~fuwx6;8KOL3t@ZsM!Kuni`G0xPLT zk5676cABT1|KPNhj)^l==EPWx}6^z!%nYz+G&*@=YL)bP2d1Uq#*BpOcnBSv(a0YB_~%uJ{_gNj?&#}a8&BZf;kdXnuY>8rVz9hL;->ATR6FbX zoh-ZnP31-B!YWwlqK09O85110EA~E^;&imo=I09h2@-<*w>c85%hI~&8jWRoc7@i$ zirFsytS&k%bg&#zAxgvr%`-e-QCMUrD|kK?Yve%9zy5mF?YwzM)3rbU-o`{=^FGQA zpj!B39aIZy!w#ml_7(dXT2bC}KNVB6yh0AAbloM8rLmh2P+Ze6{27?zr6s>ETFhTt zM$y1#<5ZN;a_XA#{Zqau*xPv~s=aOhu(nn-&~Z(pdDv-pho>7h9MQl``w@^0&#(geAH^`11gMEgPgXMU@cIRJFJ5A6C|icB19;M8(u@-VDGQp63BrhXD3@ z8tI(9y9&TUrx!Qts_My&l^TNV2Hg}$Y8Wz`b1e+LmlhF8?8!}mEFu!`$5k*A`zM7* zW*2Sx zG>pEjLUoJ(e>6UR>Y@KEQvUu=h*!7J##;N|{qn;8-+QqCy_Y2Sf3sT%jcw#+DoiQk z@n$S!t|#<{D`eH(V!!<&>!0CyOiYk7p#r|oP*{_ZKX9QA)$-1BLz9t$yjPCejOa+O z5C$nOM4R`Qhs}FiX>tFjb*8t`#=8Aq+0VZJ+^y|A*#F*3%HRKYzkfeZZup-sE$;uE z`-B^|v6lZYXYK#@c4`m%|6Wpd|AU>9+CNWrVDP{W+*VrL|Je(uo42u+|F13Z|9krn z`~P0j!u}W2pS$bVY-eoQiyL}(@0$DhfjzjVl)wLPjrEsl?fG9_wEwSGANK!!q|NvL zl2bovICxD?;DK~}y0p0eQwCbM(#AF9fAQ&I|KCG;kpKU=Q+odsmvHkpI=a>8e{22! z@9kEz=YQql{onnh#QVR+muZnh_<~^sE+-B=erg521Exs>?gbo5Ha;)8fg?UK;$T-f z;;)xNWB7Krb=>Q8hxN?w)8k%$`0TG>Q%Mz6+eJkpn1itg6~m@3HVjoynNu7TG`5nQ zJWghXZ^4jlgUPhN%1oomqZPISAA@On)aM6zXn|?kgrSjxr6G}djvQhuFY@Uo9XcT{ z{Oxb;-Yetr$)MdA+>Y`1xG@;K@AX^Ky>|vljAqd@NqNvp_XVc-zP70Ho|IR1?4udJ zp#GWcezcwSHLe+Dn;g$P2XXBe)OZ9JSUV}3N~e8}4ArCFJ`oNaonZ!y&am`_3!Ek% zKuK27(34d*jA8F>yBogNJ4b%W58RTr%PPe&52OPp^}-NY77bip;`9u=&x}T^)jxRr z_T*)|-)#@ugOIH}ebXBZ>vfy#Y@}+~V&`+s) zjxI~ZZ{$K7C^-zJ$Lde|CEMx-7eR>uDLt0|zY3s7fIJVow!{#o7}?t}!ei=Vhzz|N z&31oiC
    kDE6H=1ZsuVh4Z9R={+@tiU&$05HeIMUDa!Bdkp0)XQPw+EEk`F*HwD z>3=E-@=%&Qx#IfLV86KmX7VRT#MuTk7PEiLBiV>X5?!3ZlULpTH zESh7V&g8q?D}v2J^{Im;$RS2E7oSD2{q zp{?35Vv%ZRh4GB9uNEJ;i(|RIcDNC?!*)x(UccmifYUG76?ZqBVz3dLjwteN=_6P%S+?T(l2567C*5JYe^3rh zQpE&>PFQ0Q$ny#zUz+M4^1P69ic9O~Ch^?pFf=jm6qXQ^evswP!dwhmyVW}CbWa7- zcM!3D*)q+;-bw4=apFg|gnGgsJ?qy$v!#w3KS*tw;Df@V$!~G_*S+5B!}e*v-E15W zn{OJYgU+xm4e*!cEcENRb1FmVbsLALC;h{NEAaCPSVxWi@UYi=dwSgOecNv8hY7i# zGeST!J8@&>#8@%~kN?MQxX=M7g{xp;r(k+UVu2U5SC` zlXC$SyXPvTR0KUM>tOd>db%*t!U9jP4$YJ2eALAkmqokTZx8deg3OxY8DiVO$jo!dcpe_|#N}8=xC1(t@Pz9uqO)*WtG@=ZL{GwE7kGpi!<-d$DOuyxqO()=y=2Yejp5J;5)dnJ0`~Wb_@dohDmS`uW?X@>DaOy(k#tllJ(Xrdyvs$g9R?wALHe+>rpTROwpcjy zPL7!VY5t0)Oo*oO2QIu0CX;iD0*xjNJgL2v3%-7i=6Wi*G7L6%Bt8Lxqz5l^-o zFIDO7PWpY5ytz0zJfF(g8FnCp!lYb$83IHnRAwV}zA3+@Aua>VyOPTKtZWz_wOfSw zfjkOd2KEH=I(+zO06c;jx;$~C$YyoPxjljzaU1cssu9Hw#jcclV?U{34A!@Jt{e_) z2dm+CDS7AS9I5yRsk}$Y;G|+i#AwIgWBSB<4yA|oRsBO)UsNR~AhX>mqib_tfW zlt>e71o4WYLK7mnunm9678j#Itmbhn!$uu9vQGl-x{hxIjyFxp5fS?iQ_KMnz`;Hc zg)bZ+$Y*vdX9yH zAsYLDtzu9OMXfNcNglI^FpxpC5n!P@qJl_l!vz^3NTMJXbksMXUDzvlU#NyT7gYdI zPP|u?2ufiv+y{J^a|N>+AJa=p!eaKjrB#IK5T-$a6mI;f_Bh*=T*N~E2NB1#5 zPZTBHayh+b`%Lt>x3|XuaOa=UXw~#5`7S%Q;y3}T#NidQpEJlH#L}K9;$0{CbuG%Q zu@>gfD2t*+ep$#OQ(l&eO@o|M(wv8hvQoBevAo+f2zQnp9kD=Xj<*UE)f`(x#667h zQJR+#`o1x+2}`vd9c{1Sf1`Hsj~4qukqhtcFe0Y(SKyc|Kp`k|HUcR)vXhK=;k zfF;jLK=IGytKXs;KF!+27x=tNJRgcu%( zJF>^7`5D;GOlM@%1qK@nUQ5AepbZ_zk8J47_8;|(JOO~sfm;NQ4Gz1l&ol)b^mO3Z zVLK;h)zA1N_&d08k=+WQHrgT|@q$eN!Q>E{xvYt)BFqn?AgFgeBS06nh9}B5p0Kzi zo*1}%b~!Fw%rss!Jq2R_pIOfV@+`w9Z%#a@p-bc$j^3hnzIW8~>aBHASXb9t% zO;E%x+UG6ck6p|Q^Y}55Pia2<);UY2how&oud~hYkmCnQ8rW)`|8PBYhdlfj3z*+( zontiO^7|luN1DDQS(U?ZnusQ2btX0e>i7`!r%|X)nsfQVfOI_TAPieEK(^;YP;kZp zps`~@&%IZ4WCUTF{($@#A`gWl&|m~{7!U{)CL;N&K@EAqKKmPs zp_pK*c0lscW`zgJx=8p%j{a>yH>9!#e1O!-1qeuq&I-V6(c zVY-b_bkiKmLN+GU37jU53k+LFkI2WZ#(W9Ozu*X&&V;4eM32yNO=e6Blgx!x4H8fl z4LoOT>oeemxf`MB*oaV+z-1UbX6Y$o7nQWPgK^+^1~j)x8pi_buRszhlEw?f9LB8? z1Q5LHt*Ebk@Z%q3ztQ{P0O);TfP$9MHw}AGIojl{sov+eSOLMBe#L5uFVMl&aaWt) znGsBS-s19m;EC9TS%_g{wa)dNKH|La_a**`>4CW@Rgej%(ONIZ`)%|Ni$8bJFvlKh z4?W}$9aG2pCjf4mQAn8N{4wEYiIPO#I5!?p0vwb5Tnr64Wype4els{P*Z-H!EFk`UlX=sD=f-Dc+a7v5h5~eVRUDov`H1O#>VN@mFAge}eDdfuK_R zVn}h|`T1AykAE0j#5FXEQiZv3GW7tdsvxpA3Uc)J`5Au*Nfz+4^elwNCmsmk`MI!e zfI%|G(1w zAifZ|FFXoZ!vA;hw+#RPQu^TkKjr!Ueftx5FsyyTgs^xVOkH$<7YEdaXdisqetza~ zDX#kHVnIFkm_XoIxdKz1bD1w?yoITOxlNR%?8B zXFOs}J8BHsI{BM|%6y1m)CXq!Q}AsJP2*m+FX+g{M?Zx z5l{bS-W}jabh&~52M_qK{Oea)#1KNA8!~TO%|k0P1{j}j(ay*f!ZhWQWS=<)Vo~|9 z&dL>1gpq7vWeKwI{7hX$yMp|Gvc7dke3^72MFMWmCFQ0rrgBNPW z1avUTngsd$8iMlGc>IkCOX(A4*j~}Q8`&~ zkwr=#(ytoa#vN#wABW?~9dV-9oN_q?@n_0^tIPl4N9q#Kmg-7=LCfqvl9-AAQ`{+* zKjiWs=Q22C)S;Z6{c|r_u$OaV8xZw!Y6CJ2(pkP=^6IoG|GrAK`+~b@!KA zZDNZJsYA$hc`YU!Mb(DLGXgk3`za+o%*o6OF%f-#Mv(`z!gS)ul70n&a|10ix4;i} zqY>qf_pa_7@3E|AW)N znbT(uDKr={cRWAD<1)dmiPQAgyl$HN> zr4RYpGv;6-<{`)DO-jV-HJH;9PU;4=Z_EVm>@c-0_ z;#ORrQApgx$L{cF?+%$GbsA`wuG-@nia1z>A65V=}-*%Pa%RJI(*g*T3uNdK3qtPvRgf;Q&kJ zzjAi{?~39_{QsZwWY$Jbkc%1V%_UdGw;!ZF3Sh`GE@vx#Fpqa;9-QwYZJ%6@XZNZJ z_!bPb;duhTufygZ^Kh;r~0k#gF`NKjm2i zha`5piF`l2PEUMt>GY;T?18|+`r|xRo?gXIGX3O*{#kd-*-QKRd?u${nz6>7ljO(8 zR`VV{2W0xA9f#TySTO4PB?rQ2-Sx|TAUif?d22xl`@2Rh$n}u`x@4ElJn*YBbB;Ydszf;Pd|CLHR zAMyWw%9G3glk+6M=`fPwuX1rLjK%60RVSQ;^E0opx_BT)O8Q} zKJud|Pk%DY{;QYfPkCO!|KlJLEA9b{`F}~wk^hV3kMqBu@+6rtbX|Wt=E!WGTOXF3 z|5=utXdjhd133V3q~81hE_iET4YFY+s0Tl0YJ{&HD zB#{7R*qS-k5um|4z`D>5lYSjRA6>#=2>2!EYWx-uzz^ULVX?gHkF6Mryp#J#_n8}T zbI~z<0=01iB%PY(K^G-v{61)K(Y)#yO*7SJCS}%;z0|OfDU+V{ z+-|~UJKJ40R%P5oP8iFixHGR}rsu4)ZzeKv+}%vf;>1WiXb;c|ZN$PFhI9rSD?ykE zrJ7ad=R|k~>6oqwL}lBHN+rRLVzDl$$jYP`Nh)URvQAmSITMAM-@>4i$!i&lN+zZ> z8E`Pca>7Z{9CymtM)WNV6Abu7f0X#2cz))ytzRYr2QR1{#~03H z0|01_WkFltPrSl|N9YawnIZ*^&%FAP`VDBBB$W5^k;}Z*T)?4h5x_7H)LiVofEvQCDLpLcK0`3eK#1dF z=j`E_HwsaScn_C~dD~eW89#h-xMVWg{(KghDmBX=^SD)^5YpK}9>vYD)VV+<7;3uL zKWQzz;|xSOIF`)866DXp`kb94j@;oQ$*rl7moFIZJe*=}bGkjj*jLbXqb zf+OZasZ=k|>&J&*Th(?RjCoonOUyEl0k!MR>P2TxYkcO)o4}&*W{?`U);g`7`-M-0_{&7jw-qOLsn9uBAf&J?71t@99xTxM zvo-X-3xnZ74vEt5m~2`oICz0fQz&4h9%L~?KlKe;|7y4gqCoz8t%Oi0;O{dpM`7f< zWvclqs^dbXwNUVVv+3yQV5#U66%PaNEjM+r3YXR9f>?gbhBK4cA%4(fXcms2T*?D6 z^=00_#9|Z;Xx{tPG4mSi%*9aL9D0Cx!0~#Y3Pr~hIhz}EXn`dKgTj_$?W@b}!%xx%JG~1Lr*Cd>7$IUkg(`PmT$lP|aMY9H$YzCG1`5^5~ zbAKvnr)T1gw4G_}4aA*k>Gjl|Y3TLjooQ$>eJ>Z7Un6tAx7_;zq5b>!6;;E0msyZ6 zpN8!$kyF#fUUo8+uKUV!p&0{QLCd`Ot&qXucHgjP^O>j16v7jDVeA>p-BV_RFblIR zBW{x>$}F%&c#wmWR4UDdO-*fWVMB5L&AetNs4oP_M7a30K*ZH~r|xrVnzky(9RH~t51~{K zVMgGDYh9Ql_>CY%u9~;lB$q(b+-T%n?0fRZ(SFV3;?7z4^ zLetM+ok$5_|6o2~Fzo;u5AXYT(g;>;h^)Zc%G%CT_>EmZ35eO$)*#o#au%exUK*qV zb+ydVgK}m%Aq2!N#7W>&v_{i%r+rSdQ2E9a%6G9{H1Elb-!ru~(KnJgYNgsKAwMs5 zdZKNTNM&*Hg+omPooYGjPRw59^*Y~hFtc=6D}VJxk2%lk_kXa=5f>S|LXr zPvza2_%A!s$Nm4G^86+7pOSg$o}UZxn=m`wyWRPDrIi+>t?S=)^tZ-;+mUv^%*22D$p8Iwp4|0+>FEEPSAO2rbAE_SOYn!=L&q8M`+yKX zJ9da}^W|OC2qgtl;m(5=!tyy27?>4a*T=5o1<>5?!@%Dcg`Maqf5wVY0DYLSU!?37 z>Dv$V=EGy+%^JBX0&piJU#;VqK1ho%nhOdF*dF^HO}w{l8h!MLv~93WiW3O8Q%Z5x zrW=hImrpdEw3>$BvVJ!yXOT3L-snn`gUIBF@IOhU2B~s$csnbTGUN z1|E5LzU;tJ7ZrB6hLTv;G$QQUZ&>k8-@W(DW>;(Q0nI;&RPM?OZFzmr+ES1B+ctC_JB;G?? z=hlFY2J~Xgrt6_Q;}Plf;O1{z0=TfvDR6936N3a?0@z z34J)?J_&*4a-aT-TLUWe3}@_vdZp@fg6lc=NDDZ@&=K6GeF=VRpv zoFdZ##2CkMYir=rLmv7zHhd#MKB%Ao8m7;2pTJoZb`eOz-apcB`Y3?l@UrfMP}6bn zrf%GU+njLWx4?)Ba-YDZ8j2Rcu}MhDv8^M|oMI`&u+f%Gr{hEFj^=M`j;$d#@V8;#4?IY`ZOGfeb4(L?{&pg|oxeTP%Q1XFFnH%))=a}P zn6Z)cNG2g35s|sb3I&Gcn#e+S-~$NssSPbdgQhtJz6MQg@L@K<02v;{>eZP{tOX`U(Tb8JGyVhEGOMn+d@w6iBaer>xx^wuoV&Q$iObJVI`2xMnsqcZT$}12HqIm z0$e2ptdWkWppQMgxS~KJF8=k>@!Ubv4-tpq%-x)_wJseU#Hnup&3*GitV9ree}3`g z|Dce1Goa119&Q5Ef%q-Y4{%Fvp1urN0%Xt1NPqw1bvT_9 z@#i)NQnI4%9FHuiaOa3lu~vpO)}0c0^+{uMM=%R%00#?j8o3(Gf>%C2z%5zuujQw67X2JZF%`T4(vqQf^tH2}4goty zHc1AF4II!%Sm{7I{yW}i^;I^mH|+a!Zsw%9RmBf;N+18YVbZ>9(b<*j)+eo*G*2(Rp_W<aUSPHFX(AT7OQE#*NPN1d9rNfSt+osdo0iNE0kANf9gW14g* zeRSt|c*O-{&n7aq4Up$K9>b~iHc00u$GZIi4t27f$Ep*?YeEXhR#}MC*RH7Kt(v*~ zG+~(-q3NArMrt(kG)XwuEa~(05(OmiT8t!0AZ^wIDG z!ycT4Q8jMUt=I2>kAlyH;8;<1ESVtK)FBX->J6W22=56gx$cuTMW$L0l~PiUTvB>@ zZ|?}{CA)Vt(^3}F@Pg7`0V!hubFdmi%F@_29UDvAuR-oRK{^Mkb0K{Na^Gu3HIot5 zl4pF;iqe-Ysc;!(H(rMS_k#2=zDSp~^u89-%p!aPq%4!nqBE(5=TX$SKyOK}(&y{t z(VNoEo+fke>Bc0Bs$bj-B1=;@MAK;U;nA#sTsH zb)+N4il_~0UwcnTld;w2?)x(CmEOn?4G;kOzA>;ZjOv&4`TE%p;JFVk$kUwiFN5^8UPv>kK=X9dOGl3~in4>9SGps- zfle0(JHG`Cr?e1oaj7uCGzg*?%`buUwVskoW5wUjLdr@39T$s?lPg2|$`gqNf!}YV z)-#aOQZEBBhE#eNNVB20^JkxxdgbiDRE5rmG#vmvIyuWg8m0q#1yX;2+w!YDdKX4m zr#2KNEcE6j^(NorWg+TsXCZz4l6pU!<}ImNNMFCC-ms#UM6=JI{nsz4H>{|IIR(NK z-YlfAUs7*?G|FGJNIq?$03iFp@Ej^UJwVTZeG~by5&{i-71Q4vB$Pzv`S}vcp{^TP zh=FD(`vvswOW?%eAXn@2m5_3ua>Vyf9Cv7%z;T&2GK2xpk&A4dT>VO1@zIhuWr)j+ zKXzTyKv;SWqw^F@!$tslgE7726gbRXQoj|z(KNgY^EufralG+~$;NVnX%adCRPDgS zVy6YCv7Yo`KtNhZDluvJ$Xy$O<617#jJqj7P#eZqb^yH*MVcrSd=!8YnjVlkzkiPY z{Npwn2^mQ8veB)85l75nf$@OM>1P1J&0+JLDn$g3KIz+F&d&7qPehlA>q8o}@z`9? zc`)$sCPUnWk-mLJkR^bcgOwU+xhDFYbE9hhRj9&Uc>ib$Epyq;sNcY+Pi@2f^l2a5 zIAa3g*hd7A@HW%$iRS*;O#Im5xC>iDVCsy)5I!J)0V)yEoZPkX#xM^Es_AEp8*NBU&4%qGF9495@NA|$yPjb|Z%V8H+7M|Yrcz_h1qmtP z8F0pdI}QXE4uST@+$Pu}AhfZrRL`r2ttyEFb(_m+@XRsA6F8oZJhHAs&Q82y*mb(Y zl+l#q(#s*bA{ea)kaH7|7&0&`PFrAwOyi8CxX^kWlY6`b(ne|lkU3*N7g?k+6l0g* z7usCHazbn@p5p{~4jv2>4e)&Xp=X^y4`wtE=@?LG(v!HbBeuZ9HKVghH>W~&on>r0 z5pM|Bk3hT>nBgbK!efp7$d3Yl<3?!egWEB&Dq@gsLo?j%XG#l6TQLPT*~BeNr*si5tcU!-GqfN!0^JgbZ%KgKK3>2Wi0GWq z9eb|hBVPdZAe?Ms(Fz>aFJ_hDhJzvU>HJuZ7a>_oLL!ixoh*iZ2n1mdEJ_Heo-zDK zBk z>E$uJ4ANd`c#9zCIb>4Eq+*27tu&sOsWbL~GqJ((A?Qz;h03r8blf2~cU)xqz6l1% z_IwBmc+G22z!X>%cYcY!d*~Y|JeI{hP_WSi6eyQ1;Bu^ZL5EWxNTMi;Q8StsfPz2n z-vfU8SU#|(x`X8;L31pgBIEEb2ygAU&<`l<#~9n)!B}wcm^N=U7(w+T{92fZw_C&` zDqP<&b0*29{j{eUv~@1w&?SIF9lAl{zO4n_Xa&aej>(1+mQOJ^wM;Imu+PPjvq_{Y zy+4x&$_~SHxtYwBzHf%1wk#3=K6a>MuW1sqY*wgD7PB~MSt85KOxChB>ig#aa)L*t zLDCzr#=#h7>5kPRo`AvH36F~k@>)`g@+t?i=qMbF};#+qX<7VDu0xjlF(o~wUM$` zh}2*sBArH8V-x;&K3+1!=%;kME`gF`zF+l^N+hTy?~ z>6N<<@T&NYEl@$T@4!F*S-m*te)rI~KR6G4`-&a|WK;fs03J$TJ@k#!>83U|{2|i6 z66x&#lfu{852U4>_kVD|v(~^LTp#*|cI?=G;8Anv0XRO~uN|JZs(8ce_;7%GupL`L z?pQa-Tz>|-F)#vXwv2%dgRzH*Bv7?A!yO_I&pC(L2GW8-TqG`%VNe70VXzO1z*x&IXSZ`j)Cl|+u$4VRj#{Gt`&Z;-~6_ekPXFxNon1Bp( zUc!+}yJZm+5~RSU4!^ z<>*lxk`xG301h#COZR_5`cNZledzcBp;H#=AW>Sn{hat!y!{MNpb1nGg0VCgHQ|%4 zCy=rf!rY>z@1#zi644TgX5tT>v8e;wnGp35vm)F=yxAkx0vASSh{ti8So{eNl3vbK zvLIO~Qwc1?T{M%PGHQ}#np}`qG88(PbIRC{(oAv0Ei4q-!(-HV!=w5SMHAi`iE^9R z8eK;Zo%Fn5u?s9mL>cb^v&R4iV;?Iry76G>c#0Ek8up#zS&U00wiMvFrZe#Av1@o? z1=#}<^^NSy&@wsJ8{S^nZW3)zG&*p&F);_(ec=1hgk$8-c(Rg`0UYcDQP>qEx`QXO z6(+qkxo~seD@wau80V4?oez1u^Cca$_Cd+V?_yV|eIVhTdcMn1Vw(+fdVufGbaId z$~w7|K^7SFP-xh(qwqXr`D#PQM>civVV0R#VrRAnKUDv@Tpjq9>B)psq>U87pj$Kx z_>zbYWBB0KLcTvO45zvWZ$Fd$bVAoNqB673?nT4^G2b%Rb2Nl>!yZs|k9Eg%c^~u< z;UT_1wh$;$CvV5b+GKKZvlWum@(&Uqg-dh|95WH(6hSi>rrIEQ!%~F^BvAYn=nhD! zEh!s9AxD8(H?Rid4?#f#8zH;FyyJj(J;M&}eaGI^`vP62EwV~Cx3>5V+?S1FAZySt zF->yZg^h?-7#l!5$0X66NIXarPLWQO56n2onQ4ETFcL)A&Pp~vXRMwt7=9CL9bR&r zT)1+mKKc+wy)Oy7LWv8rui+s$QL_5|?QN;}h2&P3_Njy)wL-aGrkU>?06gB7d>-tB z-)ZRh1W81L5`~<%0yF3c{(~kku~Q&n*lFkd=lKmv@7-YWRSj|g{DB+geX1c~H1M7; z^5IJs=pVl?k#~k~k-5TeFfU{UsljcE-xAe^yk^!p(&+nQm1m&7bF0Le!*J}nj$6MV zqHkT_dgY(!M0_OGRP#7qJ%u)-^no zn8Y3W-mo+8X(!Hz^vSUujo3>~6yW^;_y{q3EWJ{NIXatQf#c3mfD2*CEI@t`-@etT z#CXTJl>lmn=Les`1f@;7n=CF9W#!R+GC?6*$D5moJEiA5cmlVw9P4H5DPc>>Wx>Qi zO@Z9}K0;GzA8ZgSmbCG_wZ*>|i~0_DyH0vRgzO~1(BH*`5F0?*O}2Ss_Qp0S6krfw zF5mAvkDyQ>(iW9c_e;VqC=^(D?*kIo8xPxlIN(z|VhU}1f`QY63cTjYR*@oo@=hwfU8b!=m# z7MTlQbgV(;XiS%vhMgHvi{w)!epzZg3~JOe@LoxkM`iqEmxHfnctH^#~4^$vbBO&>t`0SE`4V8}e7Hec0}_;`gog zq0+{`4^OIdr~v?RTVfR$^T6+-#zp^USNyU{#ky?-`{H)-l{KYI&EgxX{<6|Q9X*O^ zm>qCQTBQYrGW&GR;{2M@;+k^?EWLJK->G8myslnzW^&$8bpMSu@4e=XK8P6qnEI?);j|=au6GAzvW-kdR*4 z9gzc$Ba@Zup$Eem`{tDCg@~LczfHrFW;Hy|7km>wpo`Jw)~_Jc^6m^E+{s@mt`dDAK;ec8JsbkyN9e7Yjx1o=f5yt3@ofsx? zD$s`OwvHYVmC~Bfumfa6TSFXolkn*x2+6y0LvLu2n>nBXA0TtU((pIOP90|e7-X*W zkf0;fR+)b@NT5~{iLHVJeb!i#_XVyU{T!3?|D_SBhOrZb*3`pTF;T~Z+gV+H85$f0{=^iZPM**#Hk<=E1zmi^kmX<9uQVINWU=U zl7NX`cYyDtP3gG-wC_wf5IBz5y`m$I+>+4=OXOUH*HhAw6N8tG$4|0AFlW&=9_s{7 z>A|k8gRx7GKgV_ylN;&j7?>14)FU-@D=`O|0>{aiG~fsU4SI-1RS$P*T&W_rfaZ7} z(gJcoW{&AO*d0;y64Sy=SpulrN#uu^y^BwjsIQp~ZmW;uDBGNm@-h$FPH8-$|Z^d!)zE85L6tu9>LzCgc^wMac8n zZAf~+n^5G1blwfu(F?Q9k}PFmQpl{E761YC1}L~py{EHv?m+#Bp^)+tOsI5?K;oQd zqC2vrb%*S9bZRh8l2t+dGIn0O-9~}7P0ogHsT=5~<1uvZn zZ;B~~)S)n8_7N_!`>`L;D+xnHEJKtbIMiDrTK}25>j3)fjCTqqL*yaaj_r6BG^y9O zz;PFMKy${Pk7EBV%ug}rp#CQgv9ge!A}?2;nxuT-8G~UUfU14xcpB1)n;G8X!N75J zVCV>9wm5?v0UY9`kmx1!a>3jC1M!j_W31Xb>7BYLdT0VkH2YNN38!`%%+R76lMXyY zwgp_-A+9Jo^1+?wSQ(E+;ZMn_wJiUWW^6ObyO7v6Ue?F5{BPn;HvhY{D@q^vpMJ)( z24p9^GDAJL1kk_>5O0%g=KVj1^gf<{gJ*^H&s>K7y!Bt)DbK9`V(DZ3|BMH3V0mtJ zQT!pA0o|rzYbw@HD%*G>w$6U!92mXMtwPdCkI+=3K|;9sUVeWylKuxjE3E&(e8bxR zzm~86FXdt}v;M^|yC3WWBA0p(Gs-uz=Bdaj$b2#TsCq;IsD|a7B7ciG5?| zt>n%Fu9@$-pS-7(F7+qeR>B=5E-Qt)OzNrd239Bv-Cfw{a!P%9T`?;I%AY znTmDwq<5}5<>Ov4c!Vc`t2~*dX0>tDxt33^I?7SEDz(&Wy{1cMRW)mhQdN%7>D5_J z)mysNxK`{V1Gd#~H~004E)Ja=u`H`6!A@IMYN#Vsd!^w89CapYad_Vzm8&-;T}C6R z)b1!Ys+PYg?W1crs@=5JhN@58Oh1aLN{!-;sh?;k4Oi~EM)Urt)GO*W*pZH!RlU+F z)lNI2X*5MeQ96yIj;bDAwUx%zNGV-i>vm66&yPp7hZg?Ukta>DM9UP+NIy1lw=_NKadG;X%dQm0Zg z`qkz`N0ht0Q|A#`a;wud8{I4SqN%D~xu~ANZs$qA9~$ztsx*sAO;e99)ncvL6emSl zypr0YS?P;ArCw3GIxk*LRP_jU@8wgy(m0pfJzu^)db*K@I~ON6ljD(I>UH&&a^f1Q z-Ltf!-f4BqqF!z6woZn-n%JnyoyQAVEbqXIURJs))VgJ;Tfw+p8I)VaMz2$?U3Nyl z6y=h9)-jKU-P7h-r!pL?mEkvN)*A4{R9c;0MQ*Fta;f3CO=)A9`4+z@@ePLnaCA$ z)T$hP>)39!H!`Q{iM!J)_2i3A!|Ym)*BeX}FmW?Ad>u3@*Pw7bJ`>$-M- z_H;D4=`^5n->9`tWVcm)9QV4~1gUDfr^-7@)%QB1(N3$nXSGYtnXJ~_&Z+yYb>d6? zlJ=w*%SE{|yy~ir=0!z6Z+9Dk@>CO1dpK22n~xn+J?V~mV|4O(s*Ax+$5Je96qMj; zqtREDqjpi=Q72BhuMUqprQXv`Nx5$pgL<#6)YY1 zsu3txs@sO5+vuF^l)I!q7(_p~?KDIVLkolbSnZg#b) zcCD7%k}fq%z0-cRDYYwd&^678-rbvYP4!Hdnnh$iR{B-5d1Lo(&~f13wDn!NZCW?t zRat#f75)Cm?$-uqH&5n$Q&iPf*F05Dl&)fRo?y)!>lN)mnFa46`AB`LHDT4Y;KaSwPL&q2 zhC8UHKWcWPg{qxWuT!7 ^`1m3I55wPR>26LlI${qAtuF1gni$9vz}wfd84b*3HF z?A?q4cyZFGqx;6B-&Vw9Q@vE%4IiE;ZD`hR+9Q3^>-f`VC-~OBuTSKXR)VLsQ&_y2 zoQqdG-Rhp%>kiB9lTI0qdQh_-uh26qVz4wKh_!J-Pp+c^$iV)2b;Q?OLC9 zG3|AgN`K&%k*SxuqhbB3(;Mnl{iNI3oA$4@N8Rl8Zc0P(;(Aop#G2Zx9C>Q{>IsVF zd-YU3RmA3`c`}r)%wALL?lpRyJ*#;l72A~~@pv>4TcW;u{&Zw$C+?11bDgd!pTQ@+ z)Em|OEAjES6sZfK&?>R0qi$8sxb$9cR_9N(bTgAO`U)4{v zQMsYF>pPvU)Ra$$mUiFqy4}5&+;PNnv3#Z1^zKD>GU<&Z`Qo%XX|?roOI75His|>d z=C`Zv-s#n-CU?8eS^IQUQmcy8?5Yj5JMyls8#TGzs5PsjNn34P%3b-qRUAI*Cy$M$ z?H>0=J+o_-&u_Z=q;C(8o9*Uf-`JaICj+r-N%b4M`P92|A1|(tT76Mzw8i0$W|ifO zZtWOKjidHy<5a#sYNG2}33bY{+?5*08a-T1gT`4=Q7=x)<=%Dup{L5S(v}0=tUdKD zSJkS+;Mi1x_PydYMRP~#2HzBWcnqIZTd&EcY#x?7VrP0$(|3{Db1qKIQSVf_mn$ls z+oPK&ZPKkBJ@mT`*sC;4oss^iT_1T@-RfDlGdx$?!}}X?=(ei0YO|u&JEQVWzcRc) zUF8v4Lr<ZnCk zRFtzP-MZ?^b#0_{`qe%A_};8t)Ef7?Rc^|~y-NR7KWdt;qjV*;Q#n$vihA#=TN~<~ z;H2MeOtjO1)I14B7gg16jT(;9mfNk4`Pi2lon}{c&~?wa=uXbMcD>Z8xx4*QS-k0r zI~Nt@OgkMOHH)$$n{rt{sXm=a=A|xnq+YcnDo=+`ebo(=Ywe*g-W27Ia@nc5JMF6f zq}a-N_e2U>6Zc!QqpCeq--VsdQ}d)*)Q!Mb+O?zJN&T_))VNWu8?sW9r>LvcZi<1~ zx;~VkIqY2B538D_^q?d^_D{@Czbaj}P1o0s1NGP*9`{V;zS9Ygd!pj>PMsa~z9Y4t zbXgPisiK-!=w#@ei5;;&GSB;^BSjMxQ#SUl^sb_)W}~T?@mY>wB?4i@4eRDl5DQ)>lwajnw z3Fe_@fGS$4-TGxm9re_Hr8haBxI@{}kNUM?v3pvBH&*STebOnRQM0IAtG(`hE$BQo zPMWHY_xm&DsprB`&1kA}{pw!5yf~?K^_o&THmIDUbjsCwt!#$GzgnYz*|W_4W7tNp?bro!$wTmmujym4{YUz;vs=pAe|C01&VPQ&v-Y>`vF~m7 z4SO5e51*YG2^i$OV7ggwrPxIUr3d%v>H=IRFC!Fn)$X;O=j4PbL!q5?}?# z8*H1jpuc@yKd#EHYN05Iq)Nv&k?)7`R){McbjiZ$n+TY20vr#(fyWN34I4~6au4V; z@SVG00zJg70p0Ke&*+bX6tY6-Nc6I}fMWw_1OBiD>Mb4|9k%MN&)gd5*4w8Soi^wm zD$1eUu2);&LIKAYa;4s`U&t+RQ3Hqa4LGaImCpbfpFK ztX_25`-MGGeCD~p^uJn;j>xC;*4O4mrTWZsoN)(!{~hq_hn@B*4-O6hA9!QLgFpWG z6+=uT(2zq9;um+ouOC*Lb@^+jRaN-J$M94mDsXw&YIQG^O0tmVA>BXNEQ|ra9=FMZ zf*ZXE+admV0EFN*t8Jxz+?op^ardByCn21yN&?bkp#;2P!8F8oMij~CEA$5b!6r{* zVDW%26jL%JB43%Md`ryDNe|hK>qjjsO%r$_w@u}`~lW2f53y{Z-1A-4-g;(3UJm# z5JeWr0sI715pgki3t{}O%+5tW3-~uE6!g9egW*Al z1VVPt7A`KqS{R#Fh3X@OL^jG`x&!=m+b6qZ=e< z1nGqes@L^)jGE+C^AI=ef;ocvG(t#X+hd_1@EY5X0G}6kN^nLz;HAW5D3RO05rF$B z9IlhOw-Gb1^b*e?Y^5c>aFI|?;WUnNMu?ZCHT@cf5Ib1k4FBBX$heL|&g&+ zBwCB1CJXpW%sBT!$U#5-@yv7cgb}t$@Z6ikjzWP&+CAXc6Go9x$~Z`GnyU&Zuarla z5HeQ);Z~MD@+FTIBo5L;J-&D*@R-vE-jtBHd@jcxhzZw z;Eqk~b0P>8&o~0TQtbJH&tm6+J9_iZ!15+Zs?RRP8g>*YMI%8{#xA|FO0UG~{Y3a6 zpgYJX;d_S8B(e9;)3gb6E2}_heLDfWU`@&0F`jDMQjUP1nxMGj6!bzIwT&*Xw0cl; z#v~LG!9}=ep5sF7%K<<0rSBm)3Pl$^y{=g;ysF8V6I?#4ZBs3KNTR4yfsI`0B~%D5 zm3s3~x#77;_p#H>rO>N?ram(7z-FeIEqcW-l4>IjfokOMH0o%yP}euJBiV>UX>DAM9dB&0 z$dgn7-l-|8b}POgV6BD0uNVI$FK%9z3g=TIA^mZwrg zTN_DE7h*5ED@koahsq7Tu_y?vpUle25OD4?1$;5qwKo30|M&k1Z*$VFkUrDd21n_d zP2Hl&2z!gr&)bw1SfnJpWeuSZ`UqiEYRGs%ddhl|;K^(c#6nLt<48<<$sup0wey9L z(j7WLo8LFS8v4dQ*hp@P8=t`jTR$87;PS5U&pFv4FPELC&|?w;`&Z2w+rh!RvH#dMIrRf%2{haSjTRE2E_s&oyz#sx5Fqe6 zW&20^cUu5(yvL|>DJ4DJm{zik4T#B)p|_;2RmvE*6i|G{!syr z6M;P;O@j6R00jbdR*s;47*x@x)%OWtvFy-1Y_+S(0e-niygUzO z1{&_IBxPCN#}S$?-gvpx-byrD=8Opn2=KU(uophH@vJRBQMN|9;empiIA|qDPA*6` z3ucFtEj2<@Fgq>=M&9`@VeublysMt^#{L#dj(8J}8Q}?U`Yd6j(_fvE?9hk8!r5;3>^y^v)S-KVnoZt=@o69^Lh@0*?@#6Hz*XMOurfb?IoFi zDM+qE*IdSD@@{OJp-0a5TIc+nNPYiN&C7rmeWq@6DD7MsNpQHONNLJ%Df*n-5{bU=izGEW_-sjv`@o;CWNx$d{};S9efzrXufPER1nZk&ms`JrfBeJP+DbVId&qYk+eeYjHZlKvm>*^{oHM|$8~hgW zYA3>PN=u3@_FFTKzhO5Et?W$dk9$geiIpJ`pEyPCxF{IA8Hysumj~2OGIGtvpg?`f z6Fn_~o2>IRotEV31~XcO8c!c-j>S&udGOoci?MrI*6;eIbMh|p5}l1XBOd(tK~&YP zR2Q>zgK;9|&kKbKBXoUplO7EJ14vux784%dWMYyt^q(Xz72ifIn-Z0gfo2+*&<&r( zsK(UJvuR|J!-wPthV(!9P`ysH$PzPWTOATufAKoH`xpPbCB)gYk_Rm-jV&=Q z>iW%wg0*%sl2~nzW^gUf*bq99Bn~Mhk$d+UpEKd9`JNZuKEzyvxFzIp@Lxdqq@z0_ z$AfhVO@yvECW1B?y8r^+(Z*y)p*JWnScxU}QevQqewxsp<`D$mn*M4= 1.16.0-0' +maintainers: +- email: rlachhman@shipa.io + name: ravi +name: shipa +sources: +- https://github.com/shipa-corp +- https://github.com/shipa-corp/helm-chart +type: application +version: 1.6.100 diff --git a/charts/shipa/shipa/1.6.100/LICENSE b/charts/shipa/shipa/1.6.100/LICENSE new file mode 100644 index 000000000..dda518917 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/LICENSE @@ -0,0 +1,25 @@ +Copyright (c) 2020, shipa authors. All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + * Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + * Neither the name of the Globo.com nor the names of its contributors +may be used to endorse or promote products derived from this software without +specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/charts/shipa/shipa/1.6.100/README.md b/charts/shipa/shipa/1.6.100/README.md new file mode 100644 index 000000000..d5b50554b --- /dev/null +++ b/charts/shipa/shipa/1.6.100/README.md @@ -0,0 +1,121 @@ + +**Note:** The master branch is the main development branch. Please use releases instead of the master branch in order to get stable versions. + +# Documentation + +Documentation for Shipa can be found at https://learn.shipa.io + +# Installation Requirements + +1. Kubernetes 1.18 - 1.22. Check out the actual [documentation](https://learn.shipa.io/docs/installation-requirements#kubernetes-clusters) +2. Helm v3 + +# Defaults + +We create LoadBalancer service to expose Shipa to the internet: +1. 8080 -> shipa api over http +1. 8081 -> shipa api over https + +By default we use dynamic public IP set by a cloud-provider but there is a parameter to use static ip (if you have it): +```bash +--set service.nginx.loadBalancerIP=35.192.15.168 +``` + +# Installation + +Users can install Shipa on any existing Kubernetes cluster, and Shipa leverages Helm charts for the install. + +> ⚠️ NOTE: Installing or upgrading Shipa may require downtime in order to perform database migrations. + + +Below are the steps required to have Shipa installed in your existing Kubernetes cluster: + +Create a namespace where the Shipa services should be installed +```bash +NAMESPACE=shipa-system +kubectl create namespace $NAMESPACE +``` +Create the values.override.yaml with the Admin user and password that will be used for Shipa +```bash +cat > values.override.yaml << EOF +auth: + adminUser: + adminPassword: +EOF +``` +Add Shipa helm repo +```bash +helm repo add shipa-charts https://shipa-charts.storage.googleapis.com +``` +Install Shipa +```bash +helm install shipa shipa-charts/shipa -n $NAMESPACE --timeout=1000s -f values.override.yaml +``` + +## Upgrading shipa helm chart + +```bash +helm upgrade shipa . --timeout=1000 --namespace=$NAMESPACE -f values.override.yaml +``` + +## Upgrading shipa helm chart if you have Pro license + +We have two general ways how to execute helm upgrade if you have Pro license: +* Pass a license file to helm upgrade + +```bash +helm upgrade shipa . --timeout=1000 --namespace=$NAMESPACE -f values.override.yaml -f license.yaml +``` +* Merge license key from a license file to values.override.yaml and execute helm upgrade as usual +```bash +cat license.yaml | grep "license:" >> values.override.yaml +``` + +# CI/CD + +Packaging and signing helm charts is automated using Github Actions + +Charts are uploaded to multiple buckets based on condition: + +1. `shipa-charts-dev`, `push` to `master`, `push` to PR opened against `master` +2. `shipa-charts-cloud`, `tag` containing `cloud` +3. `shipa-charts`, `tag` not containing `cloud` + + +Chart name is composed of: +`{last_tag}-{commit_hash}` + +For on-prem releases, if tag is not pre-release, meaning it has semantic versioning without RC suffix (ex. 1.3.0, not 1.3.0-rc1), chart name is only `{last_tag}`, as otherwise it is seen by helm chart as development version + +### Usage +``` +# only first time +helm repo add shipa-dev https://shipa-charts-dev.storage.googleapis.com +helm repo add shipa-cloud https://shipa-charts-cloud.storage.googleapis.com +helm repo add shipa-onprem https://shipa-charts.storage.googleapis.com + +# refresh available charts +helm repo update + +# check available versions +helm search repo shipa --versions + +# check available versions with development versions +helm search repo shipa --versions --devel + +# check per repo +helm search repo shipa-dev --versions --devel +helm search repo shipa-cloud --versions --devel +helm search repo shipa-onprem --versions --devel + +# helm install +helm install shipa shipa-dev/shipa --version 1.x.x -n shipa-system --timeout=1000s -f values.override.yaml +``` + +# Shipa client + +If you are looking to operate Shipa from your local machine, we have binaries of shipa client: https://learn.shipa.io/docs/downloading-the-shipa-client + +# Collaboration/Contributing + +We welcome all feedback or pull requests. If you have any questions feel free to reach us at info@shipa.io diff --git a/charts/shipa/shipa/1.6.100/app-readme.md b/charts/shipa/shipa/1.6.100/app-readme.md new file mode 100644 index 000000000..700df754a --- /dev/null +++ b/charts/shipa/shipa/1.6.100/app-readme.md @@ -0,0 +1,39 @@ +# Shipa + +[Shipa](http://www.shipa.io/) is an Application-as-Code [AaC] provider that is designed for having a cleaner developer experience and allowing for guardrails to be easily created. The "platform engineering dilemma" is how do you allow for innovation yet have control. Shipa is application focused so allowing developers who are not experienced in Kubernetes run through several critical tasks such as deploying, managing, and iterating on their applications without detailed Kubernetes knowledge. From the operator or admin standpoint, easily enforcing rules/convention without building multiple abstraction layers. + +## Install Shipa - Helm Chart + +The [Installation Requirements](https://learn.shipa.io/docs/installation-requirements) specify up to date cluster and ingress requirements. Installing the chart is pretty straight forward. + +Intially will need to set an intial Admin User and Admin Password/Secret to first access Shipa. + +``` +helm repo add shipa-charts https://shipa-charts.storage.googleapis.com + +helm repo update + +helm upgrade --install shipa shipa-charts/shipa \ + +--set auth.adminUser=admin@acme.com --set auth.adminPassword=admin1234 \ + +--namespace shipa-system --create-namespace --timeout=1000s --wait +``` + +## Install Shipa - ClusterIP +Shipa by default will install Traefik as the loadbalencer. +Though if this creates a conflict or there is a cluster limitation, you can also leverage ClusterIP for routing which is the +second set of optional prompts in the Rancher UI. +[Installing Shipa with ClusterIP on K3](https://shipa.io/2021/10/k3d-and-shipa-deploymnet/) + +``` +helm install shipa shipa-charts/shipa -n shipa-system --create-namespace \ +--timeout=15m \ +--set=metrics.image=gcr.io/shipa-1000/metrics:30m \ +--set=auth.adminUser=admin@acme.com \ +--set=auth.adminPassword=admin1234 \ +--set=shipaCluster.serviceType=ClusterIP \ +--set=shipaCluster.ip=10.43.10.20 \ +--set=service.nginx.serviceType=ClusterIP \ +--set=service.nginx.clusterIP=10.43.10.10 +``` \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/.helmignore b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/.helmignore new file mode 100644 index 000000000..28b828e89 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +install diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/Chart.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/Chart.yaml new file mode 100644 index 000000000..9620d643f --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +appVersion: "3.6" +description: NoSQL document-oriented database that stores JSON-like documents with + dynamic schemas, simplifying the integration of data in content-driven applications. +home: https://github.com/mongodb/mongo +icon: https://webassets.mongodb.com/_com_assets/cms/mongodb-logo-rgb-j6w271g1xn.jpg +maintainers: +- email: unguiculus@gmail.com + name: unguiculus +- email: ssheehy@firescope.com + name: steven-sheehy +name: mongodb-replicaset +sources: +- https://github.com/mongodb/mongo +- https://github.com/percona/mongodb_exporter +version: 3.11.3 diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/OWNERS b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/OWNERS new file mode 100644 index 000000000..1e6a85097 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/OWNERS @@ -0,0 +1,6 @@ +approvers: + - unguiculus + - steven-sheehy +reviewers: + - unguiculus + - steven-sheehy diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/README.md b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/README.md new file mode 100644 index 000000000..c9729c059 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/README.md @@ -0,0 +1,434 @@ +# MongoDB Helm Chart + +## Prerequisites Details + +* Kubernetes 1.9+ +* Kubernetes beta APIs enabled only if `podDisruptionBudget` is enabled +* PV support on the underlying infrastructure + +## StatefulSet Details + +* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/ + +## StatefulSet Caveats + +* https://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/#limitations + +## Chart Details + +This chart implements a dynamically scalable [MongoDB replica set](https://docs.mongodb.com/manual/tutorial/deploy-replica-set/) +using Kubernetes StatefulSets and Init Containers. + +## Installing the Chart + +To install the chart with the release name `my-release`: + +``` console +helm repo add stable https://kubernetes-charts.storage.googleapis.com/ +helm install --name my-release stable/mongodb-replicaset +``` + +## Configuration + +The following table lists the configurable parameters of the mongodb chart and their default values. + +| Parameter | Description | Default | +| ----------------------------------- | ------------------------------------------------------------------------- | --------------------------------------------------- | +| `replicas` | Number of replicas in the replica set | `3` | +| `replicaSetName` | The name of the replica set | `rs0` | +| `skipInitialization` | If `true` skip replica set initialization during bootstrapping | `false` +| `podDisruptionBudget` | Pod disruption budget | `{}` | +| `port` | MongoDB port | `27017` | +| `imagePullSecrets` | Image pull secrets | `[]` | +| `installImage.repository` | Image name for the install container | `unguiculus/mongodb-install` | +| `installImage.tag` | Image tag for the install container | `0.7` | +| `installImage.pullPolicy` | Image pull policy for the init container that establishes the replica set | `IfNotPresent` | +| `copyConfigImage.repository` | Image name for the copy config init container | `busybox` | +| `copyConfigImage.tag` | Image tag for the copy config init container | `1.29.3` | +| `copyConfigImage.pullPolicy` | Image pull policy for the copy config init container | `IfNotPresent` | +| `image.repository` | MongoDB image name | `mongo` | +| `image.tag` | MongoDB image tag | `3.6` | +| `image.pullPolicy` | MongoDB image pull policy | `IfNotPresent` | +| `podAnnotations` | Annotations to be added to MongoDB pods | `{}` | +| `securityContext.enabled` | Enable security context | `true` | +| `securityContext.fsGroup` | Group ID for the container | `999` | +| `securityContext.runAsUser` | User ID for the container | `999` | +| `securityContext.runAsNonRoot` | | `true` | +| `resources` | Pod resource requests and limits | `{}` | +| `persistentVolume.enabled` | If `true`, persistent volume claims are created | `true` | +| `persistentVolume.storageClass` | Persistent volume storage class | `` | +| `persistentVolume.accessModes` | Persistent volume access modes | `[ReadWriteOnce]` | +| `persistentVolume.size` | Persistent volume size | `10Gi` | +| `persistentVolume.annotations` | Persistent volume annotations | `{}` | +| `terminationGracePeriodSeconds` | Duration in seconds the pod needs to terminate gracefully | `30` | +| `tls.enabled` | Enable MongoDB TLS support including authentication | `false` | +| `tls.mode` | Set the SSL operation mode (disabled, allowSSL, preferSSL, requireSSL) | `requireSSL` | +| `tls.cacert` | The CA certificate used for the members | Our self signed CA certificate | +| `tls.cakey` | The CA key used for the members | Our key for the self signed CA certificate | +| `init.resources` | Pod resource requests and limits (for init containers) | `{}` | +| `init.timeout` | The amount of time in seconds to wait for bootstrap to finish | `900` | +| `metrics.enabled` | Enable Prometheus compatible metrics for pods and replicasets | `false` | +| `metrics.image.repository` | Image name for metrics exporter | `bitnami/mongodb-exporter` | +| `metrics.image.tag` | Image tag for metrics exporter | `0.9.0-debian-9-r2` | +| `metrics.image.pullPolicy` | Image pull policy for metrics exporter | `IfNotPresent` | +| `metrics.port` | Port for metrics exporter | `9216` | +| `metrics.path` | URL Path to expose metics | `/metrics` | +| `metrics.resources` | Metrics pod resource requests and limits | `{}` | +| `metrics.securityContext.enabled` | Enable security context | `true` | +| `metrics.securityContext.fsGroup` | Group ID for the metrics container | `1001` | +| `metrics.securityContext.runAsUser` | User ID for the metrics container | `1001` | +| `metrics.socketTimeout` | Time to wait for a non-responding socket | `3s` | +| `metrics.syncTimeout` | Time an operation with this session will wait before returning an error | `1m` | +| `metrics.prometheusServiceDiscovery`| Adds annotations for Prometheus ServiceDiscovery | `true` | +| `auth.enabled` | If `true`, keyfile access control is enabled | `false` | +| `auth.key` | Key for internal authentication | `` | +| `auth.existingKeySecret` | If set, an existing secret with this name for the key is used | `` | +| `auth.adminUser` | MongoDB admin user | `` | +| `auth.adminPassword` | MongoDB admin password | `` | +| `auth.metricsUser` | MongoDB clusterMonitor user | `` | +| `auth.metricsPassword` | MongoDB clusterMonitor password | `` | +| `auth.existingMetricsSecret` | If set, and existing secret with this name is used for the metrics user | `` | +| `auth.existingAdminSecret` | If set, and existing secret with this name is used for the admin user | `` | +| `serviceAnnotations` | Annotations to be added to the service | `{}` | +| `configmap` | Content of the MongoDB config file | `` | +| `initMongodStandalone` | If set, initContainer executes script in standalone mode | `` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `affinity` | Node/pod affinities | `{}` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `priorityClassName` | Pod priority class name | `` | +| `livenessProbe.failureThreshold` | Liveness probe failure threshold | `3` | +| `livenessProbe.initialDelaySeconds` | Liveness probe initial delay seconds | `30` | +| `livenessProbe.periodSeconds` | Liveness probe period seconds | `10` | +| `livenessProbe.successThreshold` | Liveness probe success threshold | `1` | +| `livenessProbe.timeoutSeconds` | Liveness probe timeout seconds | `5` | +| `readinessProbe.failureThreshold` | Readiness probe failure threshold | `3` | +| `readinessProbe.initialDelaySeconds`| Readiness probe initial delay seconds | `5` | +| `readinessProbe.periodSeconds` | Readiness probe period seconds | `10` | +| `readinessProbe.successThreshold` | Readiness probe success threshold | `1` | +| `readinessProbe.timeoutSeconds` | Readiness probe timeout seconds | `1` | +| `extraVars` | Set environment variables for the main container | `{}` | +| `extraLabels` | Additional labels to add to resources | `{}` | + +*MongoDB config file* + +All options that depended on the chart configuration are supplied as command-line arguments to `mongod`. By default, the chart creates an empty config file. Entries may be added via the `configmap` configuration value. + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +``` console +helm install --name my-release -f values.yaml stable/mongodb-replicaset +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +Once you have all 3 nodes in running, you can run the "test.sh" script in this directory, which will insert a key into the primary and check the secondaries for output. This script requires that the `$RELEASE_NAME` environment variable be set, in order to access the pods. + +## Authentication + +By default, this chart creates a MongoDB replica set without authentication. Authentication can be +enabled using the parameter `auth.enabled`. Once enabled, keyfile access control is set up and an +admin user with root privileges is created. User credentials and keyfile may be specified directly. +Alternatively, existing secrets may be provided. The secret for the admin user must contain the +keys `user` and `password`, that for the key file must contain `key.txt`. The user is created with +full `root` permissions but is restricted to the `admin` database for security purposes. It can be +used to create additional users with more specific permissions. + +To connect to the mongo shell with authentication enabled, use a command similar to the following (substituting values as appropriate): + +```shell +kubectl exec -it mongodb-replicaset-0 -- mongo mydb -u admin -p password --authenticationDatabase admin +``` + +## TLS support + +To enable full TLS encryption set `tls.enabled` to `true`. It is recommended to create your own CA by executing: + +```console +openssl genrsa -out ca.key 2048 +openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com" +``` + +After that paste the base64 encoded (`cat ca.key | base64 -w0`) cert and key into the fields `tls.cacert` and +`tls.cakey`. Adapt the configmap for the replicaset as follows: + +```yml +configmap: + storage: + dbPath: /data/db + net: + port: 27017 + ssl: + mode: requireSSL + CAFile: /data/configdb/tls.crt + PEMKeyFile: /work-dir/mongo.pem + # Set to false to require mutual TLS encryption + allowConnectionsWithoutCertificates: true + replication: + replSetName: rs0 + security: + authorization: enabled + # # Uncomment to enable mutual TLS encryption + # clusterAuthMode: x509 + keyFile: /keydir/key.txt +``` + +To access the cluster you need one of the certificates generated during cluster setup in `/work-dir/mongo.pem` of the +certain container or you generate your own one via: + +```console +$ cat >openssl.cnf < mongo.pem +$ rm mongo.key mongo.crt +``` + +Please ensure that you exchange the `$HOSTNAME` with your actual hostname and the `$HOSTNAME1`, `$HOSTNAME2`, etc. with +alternative hostnames you want to allow access to the MongoDB replicaset. You should now be able to authenticate to the +mongodb with your `mongo.pem` certificate: + +```console +mongo --ssl --sslCAFile=ca.crt --sslPEMKeyFile=mongo.pem --eval "db.adminCommand('ping')" +``` + +## Promethus metrics + +Enabling the metrics as follows will allow for each replicaset pod to export Prometheus compatible metrics +on server status, individual replicaset information, replication oplogs, and storage engine. + +```yaml +metrics: + enabled: true + image: + repository: ssalaues/mongodb-exporter + tag: 0.6.1 + pullPolicy: IfNotPresent + port: 9216 + path: "/metrics" + socketTimeout: 3s + syncTimeout: 1m + prometheusServiceDiscovery: true + resources: {} +``` + +More information on [MongoDB Exporter](https://github.com/percona/mongodb_exporter) metrics available. + +## Deep dive + +Because the pod names are dependent on the name chosen for it, the following examples use the +environment variable `RELEASENAME`. For example, if the helm release name is `messy-hydra`, one would need to set the following before proceeding. The example scripts below assume 3 pods only. + +```console +export RELEASE_NAME=messy-hydra +``` + +### Cluster Health + +```console +for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(db.serverStatus())"'; done +``` + +### Failover + +One can check the roles being played by each node by using the following: + +```console +$ for i in 0 1 2; do kubectl exec $RELEASE_NAME-mongodb-replicaset-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +MongoDB server version: 3.6.3 +{ + "hosts" : [ + "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "messy-hydra-mongodb-1.messy-hydra-mongodb.default.svc.cluster.local:27017", + "messy-hydra-mongodb-2.messy-hydra-mongodb.default.svc.cluster.local:27017" + ], + "setName" : "rs0", + "setVersion" : 3, + "ismaster" : true, + "secondary" : false, + "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "me" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + "electionId" : ObjectId("7fffffff0000000000000001"), + "maxBsonObjectSize" : 16777216, + "maxMessageSizeBytes" : 48000000, + "maxWriteBatchSize" : 1000, + "localTime" : ISODate("2016-09-13T01:10:12.680Z"), + "maxWireVersion" : 4, + "minWireVersion" : 0, + "ok" : 1 +} +``` + +This lets us see which member is primary. + +Let us now test persistence and failover. First, we insert a key (in the below example, we assume pod 0 is the master): + +```console +$ kubectl exec $RELEASE_NAME-mongodb-replicaset-0 -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))" + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +{ "nInserted" : 1 } +``` + +Watch existing members: + +```console +$ kubectl run --attach bbox --image=mongo:3.6 --restart=Never --env="RELEASE_NAME=$RELEASE_NAME" -- sh -c 'while true; do for i in 0 1 2; do echo $RELEASE_NAME-mongodb-replicaset-$i $(mongo --host=$RELEASE_NAME-mongodb-replicaset-$i.$RELEASE_NAME-mongodb-replicaset --eval="printjson(rs.isMaster())" | grep primary); sleep 1; done; done'; + +Waiting for pod default/bbox2 to be running, status is Pending, pod ready: false +If you don't see a command prompt, try pressing enter. +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", + +``` + +Kill the primary and watch as a new master getting elected. + +```console +$ kubectl delete pod $RELEASE_NAME-mongodb-replicaset-0 + +pod "messy-hydra-mongodb-0" deleted +``` + +Delete all pods and let the statefulset controller bring it up. + +```console +$ kubectl delete po -l "app=mongodb-replicaset,release=$RELEASE_NAME" +$ kubectl get po --watch-only +NAME READY STATUS RESTARTS AGE +messy-hydra-mongodb-0 0/1 Pending 0 0s +messy-hydra-mongodb-0 0/1 Pending 0 0s +messy-hydra-mongodb-0 0/1 Pending 0 7s +messy-hydra-mongodb-0 0/1 Init:0/2 0 7s +messy-hydra-mongodb-0 0/1 Init:1/2 0 27s +messy-hydra-mongodb-0 0/1 Init:1/2 0 28s +messy-hydra-mongodb-0 0/1 PodInitializing 0 31s +messy-hydra-mongodb-0 0/1 Running 0 32s +messy-hydra-mongodb-0 1/1 Running 0 37s +messy-hydra-mongodb-1 0/1 Pending 0 0s +messy-hydra-mongodb-1 0/1 Pending 0 0s +messy-hydra-mongodb-1 0/1 Init:0/2 0 0s +messy-hydra-mongodb-1 0/1 Init:1/2 0 20s +messy-hydra-mongodb-1 0/1 Init:1/2 0 21s +messy-hydra-mongodb-1 0/1 PodInitializing 0 24s +messy-hydra-mongodb-1 0/1 Running 0 25s +messy-hydra-mongodb-1 1/1 Running 0 30s +messy-hydra-mongodb-2 0/1 Pending 0 0s +messy-hydra-mongodb-2 0/1 Pending 0 0s +messy-hydra-mongodb-2 0/1 Init:0/2 0 0s +messy-hydra-mongodb-2 0/1 Init:1/2 0 21s +messy-hydra-mongodb-2 0/1 Init:1/2 0 22s +messy-hydra-mongodb-2 0/1 PodInitializing 0 25s +messy-hydra-mongodb-2 0/1 Running 0 26s +messy-hydra-mongodb-2 1/1 Running 0 30s + + +... +messy-hydra-mongodb-0 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-1 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +messy-hydra-mongodb-2 "primary" : "messy-hydra-mongodb-0.messy-hydra-mongodb.default.svc.cluster.local:27017", +``` + +Check the previously inserted key: + +```console +$ kubectl exec $RELEASE_NAME-mongodb-replicaset-1 -- mongo --eval="rs.slaveOk(); db.test.find({key1:{\$exists:true}}).forEach(printjson)" + +MongoDB shell version: 3.6.3 +connecting to: mongodb://127.0.0.1:27017 +{ "_id" : ObjectId("57b180b1a7311d08f2bfb617"), "key1" : "value1" } +``` + +### Scaling + +Scaling should be managed by `helm upgrade`, which is the recommended way. + +### Indexes and Maintenance + +You can run Mongo in standalone mode and execute Javascript code on each replica at initContainer time using `initMongodStandalone`. +This allows you to create indexes on replicasets following [best practices](https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/). + +#### Example: Creating Indexes + +```js +initMongodStandalone: |+ + db = db.getSiblingDB("mydb") + db.my_users.createIndex({email: 1}) +``` + +Tail the logs to debug running indexes or to follow their progress + +```sh +kubectl exec -it $RELEASE-mongodb-replicaset-0 -c bootstrap -- tail -f /work-dir/log.txt +``` + +### Migrate existing ReplicaSets into Kubernetes +If you have an existing ReplicaSet that currently is deployed outside of Kubernetes and want to move it into a cluster you can do so by using the `skipInitialization` flag. + +First set the `skipInitialization` variable to `true` in values.yaml and install the Helm chart. That way you end up with uninitialized MongoDB pods that can be added to the existing ReplicaSet. + +Now take care of realizing the DNS correct resolution of all ReplicaSet members. In Kubernetes you can for example use an `ExternalName`. + +``` +apiVersion: v1 +kind: Service +metadata: + name: mongodb01 + namespace: mongo +spec: + type: ExternalName + externalName: mongodb01.mydomain.com +``` + +If you also put each StatefulSet member behind a loadbalancer the ReplicaSet members outside of the cluster will also be able to reach the pods inside the cluster. + +``` +apiVersion: v1 +kind: Service +metadata: + name: mongodb-0 + namespace: mongo +spec: + selector: + statefulset.kubernetes.io/pod-name: mongodb-0 + ports: + - port: 27017 + targetPort: 27017 + type: LoadBalancer +``` + +Now all that is left to do is to put the LoadBalancer IP into the `/etc/hosts` file (or realize the DNS resolution through another way) +``` +1.2.3.4 mongodb-0 +5.6.7.8 mongodb-1 +``` + +With a setup like this each replicaset member can resolve the DNS entry of each other and you can just add the new pods to your existing MongoDB cluster as if they where just normal nodes. + +Of course you need to make sure to get your security settings right. Enforced TLS is a good idea in a setup like this. Also make sure that you activate auth and get the firewall settings right. + +Once you fully migrated remove the old nodes from the replicaset. diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/default-values.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/default-values.yaml new file mode 100644 index 000000000..a8bad27cd --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/default-values.yaml @@ -0,0 +1 @@ +# No config change. Just use defaults. diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/metrics-values.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/metrics-values.yaml new file mode 100644 index 000000000..df64aca1e --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/metrics-values.yaml @@ -0,0 +1,10 @@ +auth: + enabled: true + adminUser: username + adminPassword: password + metricsUser: metrics + metricsPassword: password + key: keycontent + +metrics: + enabled: true diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/tls-values.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/tls-values.yaml new file mode 100644 index 000000000..043d7ac0c --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/ci/tls-values.yaml @@ -0,0 +1,10 @@ +tls: + # Enable or disable MongoDB TLS support + enabled: true + # Please generate your own TLS CA by generating it via: + # $ openssl genrsa -out ca.key 2048 + # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com" + # After that you can base64 encode it and paste it here: + # $ cat ca.key | base64 -w0 + cacert: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNxakNDQVpJQ0NRQ1I1aXNNQlRmQzdUQU5CZ2txaGtpRzl3MEJBUXNGQURBWE1SVXdFd1lEVlFRRERBeHQKZVdSdmJXRnBiaTVqYjIwd0hoY05NVGt4TVRFeU1EZ3hOakUwV2hjTk5EY3dNek13TURneE5qRTBXakFYTVJVdwpFd1lEVlFRRERBeHRlV1J2YldGcGJpNWpiMjB3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUUNwM0UrdVpWanhaY3BYNUFCbEtRa2crZjFmSnJzR1JJNVQrMzcyMkIvYnRyTVo4M3FyRTg2RFdEYXEKN0k1YTdlOGFVTGt2ZVpsaW02aWxsUW5CTHJPVUtVZ3R1OWZINlZydlBuMTl3UDFibEMvU0NWZHoxemNSUWlJWQpOMVVWN2VGaWUzdjhiNXVRM2RFcVBPV2FMM0w2N0Q1T0lDb043Z21QL2QwVVBaWjNHdDJLNTZsNXBzY1h4OGYwCkd3ZWdSRGpiVnZmc2dUSW50dEJ6SGh6c0JENUxON054aDd5RWVacW5admtuTDg5S2JZUEFPUk82N3NKUlBhWHMKUDhuVDhqalFJaGlRSUZDNTVXN3JrZ1hid1Znajdwb0kyby9XSDM4WXZ6TG1OVnMyOThYUDZmUXhCQ0NwMmFjRgpkOTVQRjZmbFVJeW9RNGRuOUF5UlpRa0owdlpMQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBS21XCjY2SlB4V0E4MVlYTEZtclFrdmM2NE9ycFJXTHJtNHFqaFREREtvVzY1V291MzNyOEVVQktzQ2FQOHNWWXhobFQKaWhGcDhIemNqTXpWRjFqU3ZiT0c5UnhrSG16ZEIvL3FwMDdTVFp0S2R1cThad2RVdnh1Z1FXSFNzOHA4YVNHUAowNDlkSDBqUnpEZklyVGp4Z3ZNOUJlWmorTkdqT1FyUGRvQVBKeTl2THowZmYya1gzVjJadTFDWnNnbDNWUXFsCjRsNzB3azFuVk5tTXY4Nnl5cUZXaWFRTWhuSXFjKzBwYUJaRjJFSGNpSExuZWcweVVTZVN4REsrUkk4SE9mT3oKNVFpUHpqSGs1b3czd252NDhQWVJMODdLTWJtRzF0eThyRHMxUlVGWkZueGxHd0t4UmRmckt3aHJJbVRBT2N4Vwo5bVhCU3ZzY3RjM2tIZTRIVFdRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==" + cakey: "LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBcWR4UHJtVlk4V1hLVitRQVpTa0pJUG45WHlhN0JrU09VL3QrOXRnZjI3YXpHZk42CnF4UE9nMWcycXV5T1d1M3ZHbEM1TDNtWllwdW9wWlVKd1M2emxDbElMYnZYeCtsYTd6NTlmY0Q5VzVRdjBnbFgKYzljM0VVSWlHRGRWRmUzaFludDcvRytia04zUktqemxtaTl5K3V3K1RpQXFEZTRKai8zZEZEMldkeHJkaXVlcAplYWJIRjhmSDlCc0hvRVE0MjFiMzdJRXlKN2JRY3g0YzdBUStTemV6Y1llOGhIbWFwMmI1SnkvUFNtMkR3RGtUCnV1N0NVVDJsN0QvSjAvSTQwQ0lZa0NCUXVlVnU2NUlGMjhGWUkrNmFDTnFQMWg5L0dMOHk1alZiTnZmRnorbjAKTVFRZ3FkbW5CWGZlVHhlbjVWQ01xRU9IWi9RTWtXVUpDZEwyU3dJREFRQUJBb0lCQVFDVWM3eWNBVzFMaEpmawpXcHRSemh4eFdxcnJSeEU3ZUIwZ0h2UW16bHFCanRwVyt1bWhyT3pXOC9qTFIzVmUyUVlZYktaOGJIejJwbTR0ClVPVTJsaGRTalFYTkdwZUsyMUtqTjIwN3c3aHFHa2YwL0Q4WE9lZWh5TGU5akZacmxQeGZNdWI0aDU1aGJNdUsKYTdDTElaOE8xL3ZZRWRwUFZGTzlLYlRYSk1CbEZJUERUaFJvR2RCTEFkREZNbzcrUnZYSFRUcXdyWmxDbWRDbgp5eld3WkhIQUZhdEdGWU9ybXcxdlZZY3h0OXk5c0FVZDBrVTQza05jVHVHR0MwMGh1QlZMcW9JZU9mMG12TDB0Ckg0S0d6LzBicGp4NFpoWlNKazd3ZkFsQ0xGL1N5YzVJOEJXWWNCb05Jc0RSbDdDUmpDVUoxYVNBNVNYNzZ2SVoKSlhnRWEyV3hBb0dCQU50M0pDRGtycjNXRmJ3cW1SZ2ZhUVV0UE1FVnZlVnJvQmRqZTBZVFFNbENlNTV2QU1uNQpadEFKQTVKTmxKN2VZRkVEa0JrVURJSDFDM3hlZHVWbEREWXpESzRpR0V1Wk8wVDNERFN3aks2cExsZ3JBN0QyCmZnS29ubVdGck5JdTI4UW1MNHhmcjUrWW9SNUo0L05QdFdWOWwwZk1NOHEwSTd5SVRNODlsZWlqQW9HQkFNWWoKTHk3VER1MWVJVWkrQXJFNTJFMEkwTVJPNWNLS2hxdGxJMnpCZkZlWm5LYWdwbnhCMTMxbi9wcGg0Wm1IYnMzZQpxOXBSb0RJT0h4cm5NOWFCa1JBTHJHNjBMeXF3eU5NNW1JemkvQytJK2RVOG55ZXIvZVNNRTNtdlFzbmpVcEhtClRtTjRrM0l4RWtqRnhCazVndFNlNlA5U0UyOFd6eVZoOGlkZHRjNDVBb0dBYzcwWFBvbWJaZDM3UkdxcXBrQWEKWUhLRThjY0hpSEFEMDVIUk54bDhOeWRxamhrNEwwdnAzcGlDVzZ1eVR6NHpTVVk1dmlBR29KcWNYaEJyWDNxMAp2L2lZSFZVNXZ0U21ueTR5TDY5VDRlQ3k0aWg5SDl3K2hDUnN0Rm1VMUp1RnBxSUV2V0RRKzdmQWNIckRUbE9nCjlFOFJjdm5MN29DbHdBMlpoRW1VUDBVQ2dZQWFhdUtGbWJwcHg1MGtkOEVnSkJoRTNTSUlxb1JUMWVoeXZiOWwKWnI3UFp6bk50YW04ODRKcHhBM2NRNlN5dGEzK1lPd0U1ZEU0RzAzbVptRXcvb0Y2NURPUFp4TEszRnRLWG1tSwpqMUVVZld6aUUzMGM2ditsRTFBZGIxSzJYRXJNRFNyeWRFY2tlSXA1alhUQjhEc1RZa1NxbGlUbE1PTlpscCtVCnhCZlRjUUtCZ0RoZHo4VjU1TzdNc0dyRVlQeGhoK0U0bklLb3BRc0RlNi9QdWRRVlJMRlNwVGpLNWlKcTF2RnIKajFyNDFCNFp0cjBYNGd6MzhrSUpwZGNvNUFxU25zVENreHhnYXh3RTNzVmlqNGZZRWlteDc3TS84VkZVbDZwLwphNmdBbFh2WHFaYmFvTGU3ekM2RXVZWjFtUzJGMVd4UE9KRzZpakFiMVNIQjVPOGFWdFR3Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==" diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/init/on-start.sh b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/init/on-start.sh new file mode 100644 index 000000000..12ac89364 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/init/on-start.sh @@ -0,0 +1,226 @@ +#!/usr/bin/env bash + +# Copyright 2018 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +set -e pipefail + +port=27017 +replica_set="$REPLICA_SET" +script_name=${0##*/} +SECONDS=0 +timeout="${TIMEOUT:-900}" +tls_mode="${TLS_MODE}" + +if [[ "$AUTH" == "true" ]]; then + admin_user="$ADMIN_USER" + admin_password="$ADMIN_PASSWORD" + admin_creds=(-u "$admin_user" -p "$admin_password") + if [[ "$METRICS" == "true" ]]; then + metrics_user="$METRICS_USER" + metrics_password="$METRICS_PASSWORD" + fi + auth_args=("--auth" "--keyFile=/data/configdb/key.txt") +fi + +log() { + local msg="$1" + local timestamp + timestamp=$(date --iso-8601=ns) + echo "[$timestamp] [$script_name] $msg" 2>&1 | tee -a /work-dir/log.txt 1>&2 +} + +retry_until() { + local host="${1}" + local command="${2}" + local expected="${3}" + local creds=("${admin_creds[@]}") + + # Don't need credentials for admin user creation and pings that run on localhost + if [[ "${host}" =~ ^localhost ]]; then + creds=() + fi + + until [[ $(mongo admin --host "${host}" "${creds[@]}" "${ssl_args[@]}" --quiet --eval "${command}" | tail -n1) == "${expected}" ]]; do + sleep 1 + + if (! ps "${pid}" &>/dev/null); then + log "mongod shutdown unexpectedly" + exit 1 + fi + if [[ "${SECONDS}" -ge "${timeout}" ]]; then + log "Timed out after ${timeout}s attempting to bootstrap mongod" + exit 1 + fi + + log "Retrying ${command} on ${host}" + done +} + +shutdown_mongo() { + local host="${1:-localhost}" + local args='force: true' + log "Shutting down MongoDB ($args)..." + if (! mongo admin --host "${host}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.shutdownServer({$args})"); then + log "db.shutdownServer() failed, sending the terminate signal" + kill -TERM "${pid}" + fi +} + +init_mongod_standalone() { + if [[ ! -f /init/initMongodStandalone.js ]]; then + log "Skipping init mongod standalone script" + return 0 + elif [[ -z "$(ls -1A /data/db)" ]]; then + log "mongod standalone script currently not supported on initial install" + return 0 + fi + + local port="27018" + log "Starting a MongoDB instance as standalone..." + mongod --config /data/configdb/mongod.conf --dbpath=/data/db "${auth_args[@]}" "${ssl_server_args[@]}" --port "${port}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 & + export pid=$! + trap shutdown_mongo EXIT + log "Waiting for MongoDB to be ready..." + retry_until "localhost:${port}" "db.adminCommand('ping').ok" "1" + log "Running init js script on standalone mongod" + mongo admin --port "${port}" "${admin_creds[@]}" "${ssl_args[@]}" /init/initMongodStandalone.js + shutdown_mongo "localhost:${port}" +} + +my_hostname=$(hostname) +log "Bootstrapping MongoDB replica set member: $my_hostname" + +log "Reading standard input..." +while read -ra line; do + if [[ "${line}" == *"${my_hostname}"* ]]; then + service_name="$line" + fi + peers=("${peers[@]}" "$line") +done + +# Generate the ca cert +ca_crt=/data/configdb/tls.crt +if [ -f "$ca_crt" ]; then + log "Generating certificate" + ca_key=/data/configdb/tls.key + pem=/work-dir/mongo.pem + ssl_args=(--ssl --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem") + ssl_server_args=(--sslMode "$tls_mode" --sslCAFile "$ca_crt" --sslPEMKeyFile "$pem") + +# Move into /work-dir +pushd /work-dir + +cat >openssl.cnf < $pem + rm mongo.key mongo.crt +fi + +init_mongod_standalone + +if [[ "${SKIP_INIT}" == "true" ]]; then + log "Skipping initialization" + exit 0 +fi + +log "Peers: ${peers[*]}" +log "Starting a MongoDB replica" +mongod --config /data/configdb/mongod.conf --dbpath=/data/db --replSet="$replica_set" --port="${port}" "${auth_args[@]}" "${ssl_server_args[@]}" --bind_ip=0.0.0.0 2>&1 | tee -a /work-dir/log.txt 1>&2 & +pid=$! +trap shutdown_mongo EXIT + +log "Waiting for MongoDB to be ready..." +retry_until "localhost" "db.adminCommand('ping').ok" "1" +log "Initialized." + +# try to find a master +for peer in "${peers[@]}"; do + log "Checking if ${peer} is primary" + # Check rs.status() first since it could be in primary catch up mode which db.isMaster() doesn't show + if [[ $(mongo admin --host "${peer}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.status().myState") == "1" ]]; then + retry_until "${peer}" "db.isMaster().ismaster" "true" + log "Found primary: ${peer}" + primary="${peer}" + break + fi +done + +if [[ "${primary}" = "${service_name}" ]]; then + log "This replica is already PRIMARY" +elif [[ -n "${primary}" ]]; then + if [[ $(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --quiet --eval "rs.conf().members.findIndex(m => m.host == '${service_name}:${port}')") == "-1" ]]; then + log "Adding myself (${service_name}) to replica set..." + if (mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "rs.add('${service_name}')" | grep 'Quorum check failed'); then + log 'Quorum check failed, unable to join replicaset. Exiting prematurely.' + exit 1 + fi + fi + + sleep 3 + log 'Waiting for replica to reach SECONDARY state...' + retry_until "${service_name}" "rs.status().myState" "2" + log '✓ Replica reached SECONDARY state.' + +elif (mongo "${ssl_args[@]}" --eval "rs.status()" | grep "no replset config has been received"); then + log "Initiating a new replica set with myself ($service_name)..." + mongo "${ssl_args[@]}" --eval "rs.initiate({'_id': '$replica_set', 'members': [{'_id': 0, 'host': '$service_name'}]})" + + sleep 3 + log 'Waiting for replica to reach PRIMARY state...' + retry_until "localhost" "db.isMaster().ismaster" "true" + primary="${service_name}" + log '✓ Replica reached PRIMARY state.' + + if [[ "${AUTH}" == "true" ]]; then + log "Creating admin user..." + mongo admin "${ssl_args[@]}" --eval "db.createUser({user: '${admin_user}', pwd: '${admin_password}', roles: [{role: 'root', db: 'admin'}]})" + fi +fi + +# User creation +if [[ -n "${primary}" && "$AUTH" == "true" && "$METRICS" == "true" ]]; then + metric_user_count=$(mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.system.users.find({user: '${metrics_user}'}).count()" --quiet) + if [[ "${metric_user_count}" == "0" ]]; then + log "Creating clusterMonitor user..." + mongo admin --host "${primary}" "${admin_creds[@]}" "${ssl_args[@]}" --eval "db.createUser({user: '${metrics_user}', pwd: '${metrics_password}', roles: [{role: 'clusterMonitor', db: 'admin'}, {role: 'read', db: 'local'}]})" + fi +fi + +log "MongoDB bootstrap complete" +exit 0 + diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/NOTES.txt b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/NOTES.txt new file mode 100644 index 000000000..2d942592e --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/NOTES.txt @@ -0,0 +1,14 @@ +1. After the statefulset is created completely, one can check which instance is primary by running: + + $ for ((i = 0; i < {{ .Values.replicas }}; ++i)); do kubectl exec --namespace {{ .Release.Namespace }} {{ template "mongodb-replicaset.fullname" . }}-$i -- sh -c 'mongo --eval="printjson(rs.isMaster())"'; done + +2. One can insert a key into the primary instance of the mongodb replica set by running the following: + MASTER_POD_NAME must be replaced with the name of the master found from the previous step. + + $ kubectl exec --namespace {{ .Release.Namespace }} MASTER_POD_NAME -- mongo --eval="printjson(db.test.insert({key1: 'value1'}))" + +3. One can fetch the keys stored in the primary or any of the slave nodes in the following manner. + POD_NAME must be replaced by the name of the pod being queried. + + $ kubectl exec --namespace {{ .Release.Namespace }} POD_NAME -- mongo --eval="rs.slaveOk(); db.test.find().forEach(printjson)" + diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/_helpers.tpl b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/_helpers.tpl new file mode 100644 index 000000000..223ec6604 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/_helpers.tpl @@ -0,0 +1,78 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "mongodb-replicaset.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "mongodb-replicaset.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "mongodb-replicaset.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name for the admin secret. +*/}} +{{- define "mongodb-replicaset.adminSecret" -}} + {{- if .Values.auth.existingAdminSecret -}} + {{- .Values.auth.existingAdminSecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . -}}-admin + {{- end -}} +{{- end -}} + +{{- define "mongodb-replicaset.metricsSecret" -}} + {{- if .Values.auth.existingMetricsSecret -}} + {{- .Values.auth.existingMetricsSecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . -}}-metrics + {{- end -}} +{{- end -}} + + +{{/* +Create the name for the key secret. +*/}} +{{- define "mongodb-replicaset.keySecret" -}} + {{- if .Values.auth.existingKeySecret -}} + {{- .Values.auth.existingKeySecret -}} + {{- else -}} + {{- template "mongodb-replicaset.fullname" . -}}-keyfile + {{- end -}} +{{- end -}} + +{{- define "mongodb-replicaset.connection-string" -}} + {{- $string := "" -}} + {{- if .Values.auth.enabled }} + {{- $string = printf "mongodb://$METRICS_USER:$METRICS_PASSWORD@localhost:%s" (.Values.port|toString) -}} + {{- else -}} + {{- $string = printf "mongodb://localhost:%s" (.Values.port|toString) -}} + {{- end -}} + + {{- if .Values.tls.enabled }} + {{- printf "%s?ssl=true&tlsCertificateKeyFile=/work-dir/mongo.pem&tlsCAFile=/ca/tls.crt" $string -}} + {{- else -}} + {{- printf $string -}} + {{- end -}} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml new file mode 100644 index 000000000..311f2e0e4 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-admin-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingAdminSecret) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.adminSecret" . }} +type: Opaque +data: + user: {{ .Values.auth.adminUser | b64enc }} + password: {{ .Values.auth.adminPassword | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml new file mode 100644 index 000000000..03762529c --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-ca-secret.yaml @@ -0,0 +1,18 @@ +{{- if .Values.tls.enabled -}} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-ca +data: + tls.key: {{ .Values.tls.cakey }} + tls.crt: {{ .Values.tls.cacert }} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml new file mode 100644 index 000000000..8f5ba0db5 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-init-configmap.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-init +data: + on-start.sh: | +{{ .Files.Get "init/on-start.sh" | indent 4 }} +{{- if .Values.initMongodStandalone }} + initMongodStandalone.js: | +{{ .Values.initMongodStandalone | indent 4 }} +{{- end }} + diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml new file mode 100644 index 000000000..5e0513ebb --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-keyfile-secret.yaml @@ -0,0 +1,17 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingKeySecret) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.keySecret" . }} +type: Opaque +data: + key.txt: {{ .Values.auth.key | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml new file mode 100644 index 000000000..c1484481e --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-metrics-secret.yaml @@ -0,0 +1,18 @@ +{{- if and (.Values.auth.enabled) (not .Values.auth.existingMetricsSecret) (.Values.metrics.enabled) -}} +apiVersion: v1 +kind: Secret +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.metricsSecret" . }} +type: Opaque +data: + user: {{ .Values.auth.metricsUser | b64enc }} + password: {{ .Values.auth.metricsPassword | b64enc }} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml new file mode 100644 index 000000000..eec20b991 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-mongodb-configmap.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-mongodb +data: + mongod.conf: | +{{ toYaml .Values.configmap | indent 4 }} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml new file mode 100644 index 000000000..6768aa3b0 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-poddisruptionbudget.yaml @@ -0,0 +1,20 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service-client.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service-client.yaml new file mode 100644 index 000000000..3982aae4c --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service-client.yaml @@ -0,0 +1,32 @@ +# A headless service for client applications to use +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- if .Values.serviceAnnotations }} +{{ toYaml .Values.serviceAnnotations | indent 4 }} + {{- end }} + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }}-client +spec: + type: ClusterIP + clusterIP: None + ports: + - name: mongodb + port: {{ .Values.port }} +{{- if .Values.metrics.enabled }} + - name: metrics + port: {{ .Values.metrics.port }} + targetPort: metrics +{{- end }} + selector: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} + diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service.yaml new file mode 100644 index 000000000..99748a668 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-service.yaml @@ -0,0 +1,25 @@ +# A headless service to create DNS records for discovery purposes. Use the -client service to connect applications +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + type: ClusterIP + clusterIP: None + ports: + - name: mongodb + port: {{ .Values.port }} + publishNotReadyAddresses: true + selector: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml new file mode 100644 index 000000000..60c043aa6 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/mongodb-statefulset.yaml @@ -0,0 +1,354 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ template "mongodb-replicaset.chart" . }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 4 }} +{{- end }} + name: {{ template "mongodb-replicaset.fullname" . }} +spec: + selector: + matchLabels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} + serviceName: {{ template "mongodb-replicaset.fullname" . }} + replicas: {{ .Values.replicas }} + template: + metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + release: {{ .Release.Name }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/mongodb-mongodb-configmap.yaml") . | sha256sum }} + {{- if and (.Values.metrics.prometheusServiceDiscovery) (.Values.metrics.enabled) }} + prometheus.io/scrape: "true" + prometheus.io/port: {{ .Values.metrics.port | quote }} + prometheus.io/path: {{ .Values.metrics.path | quote }} + {{- end }} + {{- if .Values.podAnnotations }} +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{- range .Values.imagePullSecrets }} + - name: {{ . }} + {{- end}} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.securityContext.runAsUser }} + fsGroup: {{ .Values.securityContext.fsGroup }} + runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + initContainers: + - name: copy-config + image: "{{ .Values.copyConfigImage.repository }}:{{ .Values.copyConfigImage.tag }}" + imagePullPolicy: {{ .Values.copyConfigImage.pullPolicy | quote }} + command: + - "sh" + args: + - "-c" + - | + set -e + set -x + + cp /configdb-readonly/mongod.conf /data/configdb/mongod.conf + + {{- if .Values.tls.enabled }} + cp /ca-readonly/tls.key /data/configdb/tls.key + cp /ca-readonly/tls.crt /data/configdb/tls.crt + {{- end }} + + {{- if .Values.auth.enabled }} + cp /keydir-readonly/key.txt /data/configdb/key.txt + chmod 600 /data/configdb/key.txt + {{- end }} + volumeMounts: + - name: workdir + mountPath: /work-dir + - name: config + mountPath: /configdb-readonly + - name: configdir + mountPath: /data/configdb + {{- if .Values.tls.enabled }} + - name: ca + mountPath: /ca-readonly + {{- end }} + {{- if .Values.auth.enabled }} + - name: keydir + mountPath: /keydir-readonly + {{- end }} + resources: +{{ toYaml .Values.init.resources | indent 12 }} + - name: install + image: "{{ .Values.installImage.repository }}:{{ .Values.installImage.tag }}" + args: + - --work-dir=/work-dir + imagePullPolicy: "{{ .Values.installImage.pullPolicy }}" + volumeMounts: + - name: workdir + mountPath: /work-dir + resources: +{{ toYaml .Values.init.resources | indent 12 }} + - name: bootstrap + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + command: + - /work-dir/peer-finder + args: + - -on-start=/init/on-start.sh + - "-service={{ template "mongodb-replicaset.fullname" . }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: REPLICA_SET + value: {{ .Values.replicaSetName }} + - name: TIMEOUT + value: "{{ .Values.init.timeout }}" + - name: SKIP_INIT + value: "{{ .Values.skipInitialization }}" + - name: TLS_MODE + value: {{ .Values.tls.mode }} + {{- if .Values.auth.enabled }} + - name: AUTH + value: "true" + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: user + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: password + {{- if .Values.metrics.enabled }} + - name: METRICS + value: "true" + - name: METRICS_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: user + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: password + {{- end }} + {{- end }} + volumeMounts: + - name: workdir + mountPath: /work-dir + - name: init + mountPath: /init + - name: configdir + mountPath: /data/configdb + - name: datadir + mountPath: /data/db + resources: +{{ toYaml .Values.init.resources | indent 12 }} + containers: + - name: {{ template "mongodb-replicaset.name" . }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + {{- if .Values.extraVars }} + env: +{{ toYaml .Values.extraVars | indent 12 }} + {{- end }} + ports: + - name: mongodb + containerPort: 27017 + resources: +{{ toYaml .Values.resources | indent 12 }} + command: + - mongod + args: + - --config=/data/configdb/mongod.conf + - --dbpath=/data/db + - --replSet={{ .Values.replicaSetName }} + - --port=27017 + - --bind_ip=0.0.0.0 + {{- if .Values.auth.enabled }} + - --auth + - --keyFile=/data/configdb/key.txt + {{- end }} + {{- if .Values.tls.enabled }} + - --sslMode={{ .Values.tls.mode }} + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + livenessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --ssl + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + readinessProbe: + exec: + command: + - mongo + {{- if .Values.tls.enabled }} + - --ssl + - --sslCAFile=/data/configdb/tls.crt + - --sslPEMKeyFile=/work-dir/mongo.pem + {{- end }} + - --eval + - "db.adminCommand('ping')" + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + volumeMounts: + - name: datadir + mountPath: /data/db + - name: configdir + mountPath: /data/configdb + - name: workdir + mountPath: /work-dir +{{ if .Values.metrics.enabled }} + - name: metrics + image: "{{ .Values.metrics.image.repository }}:{{ .Values.metrics.image.tag }}" + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + command: + - sh + - -c + - >- + /bin/mongodb_exporter + --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }} + --mongodb.socket-timeout={{ .Values.metrics.socketTimeout }} + --mongodb.sync-timeout={{ .Values.metrics.syncTimeout }} + --web.telemetry-path={{ .Values.metrics.path }} + --web.listen-address=:{{ .Values.metrics.port }} + volumeMounts: + {{- if and (.Values.tls.enabled) }} + - name: ca + mountPath: /ca + readOnly: true + {{- end }} + - name: workdir + mountPath: /work-dir + readOnly: true + env: + {{- if .Values.auth.enabled }} + - name: METRICS_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: user + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.metricsSecret" . }}" + key: password + {{- end }} + ports: + - name: metrics + containerPort: {{ .Values.metrics.port }} + resources: +{{ toYaml .Values.metrics.resources | indent 12 }} + {{- if .Values.metrics.securityContext.enabled }} + securityContext: + runAsUser: {{ .Values.metrics.securityContext.runAsUser }} + {{- end }} + livenessProbe: + exec: + command: + - sh + - -c + - >- + /bin/mongodb_exporter + --mongodb.uri {{ template "mongodb-replicaset.connection-string" . }} + --test + initialDelaySeconds: 30 + periodSeconds: 10 +{{ end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: +{{ toYaml . | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ template "mongodb-replicaset.fullname" . }}-mongodb + - name: init + configMap: + defaultMode: 0755 + name: {{ template "mongodb-replicaset.fullname" . }}-init + {{- if .Values.tls.enabled }} + - name: ca + secret: + defaultMode: 0400 + secretName: {{ template "mongodb-replicaset.fullname" . }}-ca + {{- end }} + {{- if .Values.auth.enabled }} + - name: keydir + secret: + defaultMode: 0400 + secretName: {{ template "mongodb-replicaset.keySecret" . }} + {{- end }} + - name: workdir + emptyDir: {} + - name: configdir + emptyDir: {} +{{- if .Values.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: datadir + annotations: + {{- range $key, $value := .Values.persistentVolume.annotations }} + {{ $key }}: "{{ $value }}" + {{- end }} + spec: + accessModes: + {{- range .Values.persistentVolume.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistentVolume.size | quote }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: datadir + emptyDir: {} +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml new file mode 100644 index 000000000..45854201a --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "mongodb-replicaset.fullname" . }}-tests +data: + mongodb-up-test.sh: | +{{ .Files.Get "tests/mongodb-up-test.sh" | indent 4 }} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml new file mode 100644 index 000000000..3e213a680 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/templates/tests/mongodb-up-test-pod.yaml @@ -0,0 +1,79 @@ +apiVersion: v1 +kind: Pod +metadata: + labels: + app: {{ template "mongodb-replicaset.name" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: {{ template "mongodb-replicaset.fullname" . }}-test + annotations: + "helm.sh/hook": test-success +spec: + initContainers: + - name: test-framework + image: dduportal/bats:0.4.0 + command: + - bash + - -c + - | + set -ex + # copy bats to tools dir + cp -R /usr/local/libexec/ /tools/bats/ + volumeMounts: + - name: tools + mountPath: /tools + containers: + - name: mongo + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + command: + - /tools/bats/bats + - -t + - /tests/mongodb-up-test.sh + env: + - name: FULL_NAME + value: {{ template "mongodb-replicaset.fullname" . }} + - name: NAMESPACE + value: {{ .Release.Namespace }} + - name: REPLICAS + value: "{{ .Values.replicas }}" + {{- if .Values.auth.enabled }} + - name: AUTH + value: "true" + - name: ADMIN_USER + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: user + - name: ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: "{{ template "mongodb-replicaset.adminSecret" . }}" + key: password + {{- end }} + volumeMounts: + - name: tools + mountPath: /tools + - name: tests + mountPath: /tests + {{- if .Values.tls.enabled }} + - name: tls + mountPath: /tls + {{- end }} + volumes: + - name: tools + emptyDir: {} + - name: tests + configMap: + name: {{ template "mongodb-replicaset.fullname" . }}-tests + {{- if .Values.tls.enabled }} + - name: tls + secret: + secretName: {{ template "mongodb-replicaset.fullname" . }}-ca + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} + restartPolicy: Never diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/test.sh b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/test.sh new file mode 100644 index 000000000..0b7fd767b --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/test.sh @@ -0,0 +1,48 @@ +#! /bin/bash + +# Copyright 2016 The Kubernetes Authors. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +NS="${RELEASE_NAMESPACE:-default}" +POD_NAME="${RELEASE_NAME:-mongo}-mongodb-replicaset" + +MONGOCACRT=/ca/tls.crt +MONGOPEM=/work-dir/mongo.pem +if [ -f $MONGOPEM ]; then + MONGOARGS="--ssl --sslCAFile $MONGOCACRT --sslPEMKeyFile $MONGOPEM" +fi + +for i in $(seq 0 2); do + pod="${POD_NAME}-$i" + kubectl exec --namespace $NS $pod -- sh -c 'mongo '"$MONGOARGS"' --eval="printjson(rs.isMaster())"' | grep '"ismaster" : true' + + if [ $? -eq 0 ]; then + echo "Found master: $pod" + MASTER=$pod + break + fi +done + +kubectl exec --namespace $NS $MASTER -- mongo "$MONGOARGS" --eval='printjson(db.test.insert({"status": "success"}))' + +# TODO: find maximum duration to wait for slaves to be up-to-date with master. +sleep 2 + +for i in $(seq 0 2); do + pod="${POD_NAME}-$i" + if [[ $pod != $MASTER ]]; then + echo "Reading from slave: $pod" + kubectl exec --namespace $NS $pod -- mongo "$MONGOARGS" --eval='rs.slaveOk(); db.test.find().forEach(printjson)' + fi +done diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/tests/mongodb-up-test.sh b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/tests/mongodb-up-test.sh new file mode 100644 index 000000000..9998719f4 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/tests/mongodb-up-test.sh @@ -0,0 +1,120 @@ +#!/usr/bin/env bash + +set -ex + +CACRT_FILE=/work-dir/tls.crt +CAKEY_FILE=/work-dir/tls.key +MONGOPEM=/work-dir/mongo.pem + +MONGOARGS="--quiet" + +if [ -e "/tls/tls.crt" ]; then + # log "Generating certificate" + mkdir -p /work-dir + cp /tls/tls.crt /work-dir/tls.crt + cp /tls/tls.key /work-dir/tls.key + + # Move into /work-dir + pushd /work-dir + +cat >openssl.cnf < $MONGOPEM + MONGOARGS="$MONGOARGS --ssl --sslCAFile $CACRT_FILE --sslPEMKeyFile $MONGOPEM" +fi + +if [[ "${AUTH}" == "true" ]]; then + MONGOARGS="$MONGOARGS --username $ADMIN_USER --password $ADMIN_PASSWORD --authenticationDatabase admin" +fi + +pod_name() { + local full_name="${FULL_NAME?Environment variable FULL_NAME not set}" + local namespace="${NAMESPACE?Environment variable NAMESPACE not set}" + local index="$1" + echo "$full_name-$index.$full_name.$namespace.svc.cluster.local" +} + +replicas() { + echo "${REPLICAS?Environment variable REPLICAS not set}" +} + +master_pod() { + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.isMaster().ismaster") + if [[ "$response" == "true" ]]; then + pod_name "$i" + break + fi + done +} + +setup() { + local ready=0 + until [[ "$ready" -eq $(replicas) ]]; do + echo "Waiting for application to become ready" >&2 + sleep 1 + + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok" || true) + if [[ "$response" -eq 1 ]]; then + ready=$((ready + 1)) + fi + done + done +} + +@test "Testing mongodb client is executable" { + mongo -h + [ "$?" -eq 0 ] +} + +@test "Connect mongodb client to mongodb pods" { + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS "--host=$(pod_name "$i")" "--eval=rs.status().ok") + if [[ ! "$response" -eq 1 ]]; then + exit 1 + fi + done +} + +@test "Write key to primary" { + response=$(mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.insert({\"abc\": \"def\"}).nInserted") + if [[ ! "$response" -eq 1 ]]; then + exit 1 + fi +} + +@test "Read key from slaves" { + # wait for slaves to catch up + sleep 10 + + for ((i = 0; i < $(replicas); ++i)); do + response=$(mongo $MONGOARGS --host=$(pod_name "$i") "--eval=rs.slaveOk(); db.test.find({\"abc\":\"def\"})") + if [[ ! "$response" =~ .*def.* ]]; then + exit 1 + fi + done + + # Clean up a document after test + mongo $MONGOARGS --host=$(master_pod) "--eval=db.test.deleteMany({\"abc\": \"def\"})" +} diff --git a/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/values.yaml b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/values.yaml new file mode 100644 index 000000000..7e750af0e --- /dev/null +++ b/charts/shipa/shipa/1.6.100/charts/mongodb-replicaset/values.yaml @@ -0,0 +1,167 @@ +# Override the name of the chart, which in turn changes the name of the containers, services etc. +nameOverride: "" +fullnameOverride: "" + +replicas: 3 +port: 27017 + +## Setting this will skip the replicaset and user creation process during bootstrapping +skipInitialization: false + +replicaSetName: rs0 + +podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 2 + +auth: + enabled: false + existingKeySecret: "" + existingAdminSecret: "" + existingMetricsSecret: "" + # adminUser: username + # adminPassword: password + # metricsUser: metrics + # metricsPassword: password + # key: keycontent + +## Optionally specify an array of imagePullSecrets. +## Secrets must be manually created in the namespace. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +## +imagePullSecrets: [] +# - myRegistrKeySecretName + +# Specs for the Docker image for the init container that establishes the replica set +installImage: + repository: unguiculus/mongodb-install + tag: 0.7 + pullPolicy: IfNotPresent + +# Specs for the Docker image for the copyConfig init container +copyConfigImage: + repository: busybox + tag: 1.29.3 + pullPolicy: IfNotPresent + +# Specs for the MongoDB image +image: + repository: mongo + tag: 3.6 + pullPolicy: IfNotPresent + +# Additional environment variables to be set in the container +extraVars: {} +# - name: TCMALLOC_AGGRESSIVE_DECOMMIT +# value: "true" + +# Prometheus Metrics Exporter +metrics: + enabled: false + image: + repository: bitnami/mongodb-exporter + tag: 0.10.0-debian-9-r71 + pullPolicy: IfNotPresent + port: 9216 + path: "/metrics" + socketTimeout: 3s + syncTimeout: 1m + prometheusServiceDiscovery: true + resources: {} + securityContext: + enabled: true + runAsUser: 1001 + +# Annotations to be added to MongoDB pods +podAnnotations: {} + +securityContext: + enabled: true + runAsUser: 999 + fsGroup: 999 + runAsNonRoot: true + +init: + resources: {} + timeout: 900 + +resources: {} +# limits: +# cpu: 500m +# memory: 512Mi +# requests: +# cpu: 100m +# memory: 256Mi + +## Node selector +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} + +affinity: {} + +tolerations: [] + +extraLabels: {} + +priorityClassName: "" + +persistentVolume: + enabled: true + ## mongodb-replicaset data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessModes: + - ReadWriteOnce + size: 10Gi + annotations: {} + +# Annotations to be added to the service +serviceAnnotations: {} + +terminationGracePeriodSeconds: 30 + +tls: + # Enable or disable MongoDB TLS support + enabled: false + # Set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL) + mode: requireSSL + # Please generate your own TLS CA by generating it via: + # $ openssl genrsa -out ca.key 2048 + # $ openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt -subj "/CN=mydomain.com" + # After that you can base64 encode it and paste it here: + # $ cat ca.key | base64 -w0 + # cacert: + # cakey: + +# Entries for the MongoDB config file +configmap: {} + +# Javascript code to execute on each replica at initContainer time +# This is the recommended way to create indexes on replicasets. +# Below is an example that creates indexes in foreground on each replica in standalone mode. +# ref: https://docs.mongodb.com/manual/tutorial/build-indexes-on-replica-sets/ +# initMongodStandalone: |+ +# db = db.getSiblingDB("mydb") +# db.my_users.createIndex({email: 1}) +initMongodStandalone: "" + +# Readiness probe +readinessProbe: + initialDelaySeconds: 5 + timeoutSeconds: 1 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + +# Liveness probe +livenessProbe: + initialDelaySeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 diff --git a/charts/shipa/shipa/1.6.100/limits.yaml b/charts/shipa/shipa/1.6.100/limits.yaml new file mode 100644 index 000000000..28b736eaa --- /dev/null +++ b/charts/shipa/shipa/1.6.100/limits.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: limits +spec: + limits: + - defaultRequest: + cpu: 40m + type: Container diff --git a/charts/shipa/shipa/1.6.100/questions.yaml b/charts/shipa/shipa/1.6.100/questions.yaml new file mode 100644 index 000000000..868b0071b --- /dev/null +++ b/charts/shipa/shipa/1.6.100/questions.yaml @@ -0,0 +1,45 @@ +questions: +- variable: auth.adminUser + default: "" + required: true + type: string + label: Initial Admin User Name e.g acme@yourorg.com + group: "Initial Settings - Required" +- variable: auth.adminPassword + default: "" + type: password + required: true + label: Initial Admin Password/Secret + group: "Initial Settings - Required" +- variable: shipaCluster.serviceType + default: "" + type: enum + required: false + label: Cluster Service Type e.g ClusterIP [shipaCluster.serviceType] + group: "Shipa Cluster - Optional" + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" +- variable: shipaCluster.ip + default: "" + type: string + required: false + label: Cluster IP if using ClusterIP Service Type [shipaCluster.ip] + group: "Shipa Cluster - Optional" +- variable: service.nginx.serviceType + default: "" + type: enum + required: false + label: Overide Nginx with a Service Type like ClusterIP [service.nginx.serviceType] + group: "Shipa Cluster - Optional" + options: + - "ClusterIP" + - "NodePort" + - "LoadBalancer" +- variable: service.nginx.clusterIP + default: "" + type: string + required: false + label: Cluster IP for Nginx [service.nginx.clusterIP] + group: "Shipa Cluster - Optional" \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/scripts/bootstrap.sh b/charts/shipa/shipa/1.6.100/scripts/bootstrap.sh new file mode 100644 index 000000000..292428315 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/bootstrap.sh @@ -0,0 +1,146 @@ +#!/bin/sh + +set -euxo pipefail + +is_shipa_initialized() { + + # By default we create secret with empty certificates + # and save them to the secret as a result of the first run of boostrap.sh + + CA=$(kubectl get secret/shipa-certificates -o json | jq ".data[\"ca.pem\"]") + LENGTH=${#CA} + + if [ "$LENGTH" -gt "100" ]; then + return 0 + fi + return 1 +} + +echo "Waiting for nginx ingress to be ready" + +# This helper gets an IP address or DNS name of NGINX_SERVICE and prints it to /tmp/nginx-ip +/bin/bootstrap-helper --service-name=$NGINX_SERVICE --namespace=$POD_NAMESPACE --timeout=600 --filename=/tmp/nginx-ip + +NGINX_ADDRESS=$(cat /tmp/nginx-ip) +HOST_ADDRESS=$(cat /tmp/nginx-ip) + +# If target CNAMEs are set by user in values.yaml, then use the first CNAME from the list as HOST_ADDRESS +# since Shipa host can be only one in the shipa.conf +if [ ! -z "$SHIPA_MAIN_TARGET" -a "$SHIPA_MAIN_TARGET" != " " ]; then + HOST_ADDRESS=$SHIPA_MAIN_TARGET +fi + + +echo "Prepare shipa.conf" +cp -v /etc/shipa-default/shipa.conf /etc/shipa/shipa.conf +sed -i "s/SHIPA_PUBLIC_IP/$HOST_ADDRESS/g" /etc/shipa/shipa.conf +sed -ie "s/SHIPA_ORGANIZATION_ID/$SHIPA_ORGANIZATION_ID/g" /etc/shipa/shipa.conf + +echo "shipa.conf: " +cat /etc/shipa/shipa.conf + +if is_shipa_initialized; then + echo "Skip bootstrapping because shipa is already initialized" + exit 0 +fi + +CERTIFICATES_DIRECTORY=/tmp/certs +mkdir $CERTIFICATES_DIRECTORY + +# certificate generation for default domain +sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-shipa-ca.json > $CERTIFICATES_DIRECTORY/csr-shipa-ca.json +sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-docker-cluster.json > $CERTIFICATES_DIRECTORY/csr-docker-cluster.json +sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-etcd.json > $CERTIFICATES_DIRECTORY/csr-etcd.json +sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-api-config.json > $CERTIFICATES_DIRECTORY/csr-api-config.json +sed "s/SHIPA_PUBLIC_IP/$NGINX_ADDRESS/g" /scripts/csr-api-server.json > $CERTIFICATES_DIRECTORY/csr-api-server.json +sed "s/ETCD_SERVICE/$ETCD_SERVICE/g" --in-place $CERTIFICATES_DIRECTORY/csr-etcd.json + +# certificate generation for CNAMES +sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-docker-cluster.json +sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-etcd.json +sed "s/SHIPA_API_CNAMES/$SHIPA_API_CNAMES/g" --in-place $CERTIFICATES_DIRECTORY/csr-api-server.json + +jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-docker-cluster.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-docker-cluster.json +jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-etcd.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-etcd.json +jq 'fromstream(tostream | select(length == 1 or .[1] != ""))' $CERTIFICATES_DIRECTORY/csr-api-server.json > file.tmp && mv file.tmp $CERTIFICATES_DIRECTORY/csr-api-server.json + +cp /scripts/csr-etcd-client.json $CERTIFICATES_DIRECTORY/csr-etcd-client.json +cp /scripts/csr-client-ca.json $CERTIFICATES_DIRECTORY/csr-client-ca.json + +cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-shipa-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/ca +cfssl gencert -initca $CERTIFICATES_DIRECTORY/csr-client-ca.json | cfssljson -bare $CERTIFICATES_DIRECTORY/client-ca + +cfssl gencert \ + -ca=$CERTIFICATES_DIRECTORY/ca.pem \ + -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \ + -profile=server \ + $CERTIFICATES_DIRECTORY/csr-docker-cluster.json | cfssljson -bare $CERTIFICATES_DIRECTORY/docker-cluster + +cfssl gencert \ + -ca=$CERTIFICATES_DIRECTORY/ca.pem \ + -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \ + -profile=server \ + $CERTIFICATES_DIRECTORY/csr-etcd.json | cfssljson -bare $CERTIFICATES_DIRECTORY/etcd-server + +cfssl gencert \ + -ca=$CERTIFICATES_DIRECTORY/ca.pem \ + -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \ + -profile=client \ + $CERTIFICATES_DIRECTORY/csr-etcd-client.json | cfssljson -bare $CERTIFICATES_DIRECTORY/etcd-client + +cfssl gencert \ + -ca=$CERTIFICATES_DIRECTORY/ca.pem \ + -ca-key=$CERTIFICATES_DIRECTORY/ca-key.pem \ + -config=$CERTIFICATES_DIRECTORY/csr-api-config.json \ + -profile=server \ + $CERTIFICATES_DIRECTORY/csr-api-server.json | cfssljson -bare $CERTIFICATES_DIRECTORY/api-server + +rm -f $CERTIFICATES_DIRECTORY/*.csr +rm -f $CERTIFICATES_DIRECTORY/*.json + +CA_CERT=$(cat $CERTIFICATES_DIRECTORY/ca.pem | base64) +CA_KEY=$(cat $CERTIFICATES_DIRECTORY/ca-key.pem | base64) + +CLIENT_CA_CERT=$(cat $CERTIFICATES_DIRECTORY/client-ca.pem | base64) +CLIENT_CA_KEY=$(cat $CERTIFICATES_DIRECTORY/client-ca-key.pem | base64) + +DOCKER_CLUSTER_CERT=$(cat $CERTIFICATES_DIRECTORY/docker-cluster.pem | base64) +DOCKER_CLUSTER_KEY=$(cat $CERTIFICATES_DIRECTORY/docker-cluster-key.pem | base64) + +ETCD_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/etcd-server.pem | base64) +ETCD_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/etcd-server-key.pem | base64) + +ETCD_CLIENT_CERT=$(cat $CERTIFICATES_DIRECTORY/etcd-client.pem | base64) +ETCD_CLIENT_KEY=$(cat $CERTIFICATES_DIRECTORY/etcd-client-key.pem | base64) + +API_SERVER_CERT=$(cat $CERTIFICATES_DIRECTORY/api-server.pem | base64) +API_SERVER_KEY=$(cat $CERTIFICATES_DIRECTORY/api-server-key.pem | base64) + + +# FIXME: name of secret +kubectl get secrets shipa-certificates -o json \ + | jq ".data[\"ca.pem\"] |= \"$CA_CERT\"" \ + | jq ".data[\"ca-key.pem\"] |= \"$CA_KEY\"" \ + | jq ".data[\"client-ca.crt\"] |= \"$CLIENT_CA_CERT\"" \ + | jq ".data[\"client-ca.key\"] |= \"$CLIENT_CA_KEY\"" \ + | jq ".data[\"cert.pem\"] |= \"$DOCKER_CLUSTER_CERT\"" \ + | jq ".data[\"key.pem\"] |= \"$DOCKER_CLUSTER_KEY\"" \ + | jq ".data[\"etcd-server.crt\"] |= \"$ETCD_SERVER_CERT\"" \ + | jq ".data[\"etcd-server.key\"] |= \"$ETCD_SERVER_KEY\"" \ + | jq ".data[\"etcd-client.crt\"] |= \"$ETCD_CLIENT_CERT\"" \ + | jq ".data[\"etcd-client.key\"] |= \"$ETCD_CLIENT_KEY\"" \ + | jq ".data[\"api-server.crt\"] |= \"$API_SERVER_CERT\"" \ + | jq ".data[\"api-server.key\"] |= \"$API_SERVER_KEY\"" \ + | kubectl apply -f - + +echo "CA:" +openssl x509 -in $CERTIFICATES_DIRECTORY/ca.pem -text -noout + +echo "Docker cluster:" +openssl x509 -in $CERTIFICATES_DIRECTORY/docker-cluster.pem -text -noout + +echo "Etcd server:" +openssl x509 -in $CERTIFICATES_DIRECTORY/etcd-server.pem -text -noout + +echo "Etcd client:" +openssl x509 -in $CERTIFICATES_DIRECTORY/etcd-client.pem -text -noout diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-api-config.json b/charts/shipa/shipa/1.6.100/scripts/csr-api-config.json new file mode 100644 index 000000000..d6a798638 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-api-config.json @@ -0,0 +1,17 @@ +{ + "signing": { + "default": { + "expiry": "168h" + }, + "profiles": { + "server": { + "expiry": "8760h", + "usages": [ + "signing", + "key encipherment", + "server auth" + ] + } + } + } +} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-api-server.json b/charts/shipa/shipa/1.6.100/scripts/csr-api-server.json new file mode 100644 index 000000000..4fe754067 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-api-server.json @@ -0,0 +1,16 @@ +{ + "CN": "Shipa", + "hosts": [ + "SHIPA_PUBLIC_IP", + "SHIPA_API_CNAMES" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "shipa" + } + ] +} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-client-ca.json b/charts/shipa/shipa/1.6.100/scripts/csr-client-ca.json new file mode 100644 index 000000000..e2d36c7f8 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-client-ca.json @@ -0,0 +1,12 @@ +{ + "CN": "Shipa", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "shipa" + } + ] +} diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-docker-cluster.json b/charts/shipa/shipa/1.6.100/scripts/csr-docker-cluster.json new file mode 100644 index 000000000..c2854ca22 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-docker-cluster.json @@ -0,0 +1,16 @@ +{ + "CN": "Shipa docker cluster", + "hosts": [ + "SHIPA_PUBLIC_IP", + "SHIPA_API_CNAMES" + ], + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "Shipa" + } + ] +} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-etcd-client.json b/charts/shipa/shipa/1.6.100/scripts/csr-etcd-client.json new file mode 100644 index 000000000..c366103d3 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-etcd-client.json @@ -0,0 +1,15 @@ +{ + "CN": "Shipa etcd", + "hosts": [ + "" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "O": "Shipa" + } + ] +} diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-etcd.json b/charts/shipa/shipa/1.6.100/scripts/csr-etcd.json new file mode 100644 index 000000000..f5862289c --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-etcd.json @@ -0,0 +1,17 @@ +{ + "CN": "Shipa etcd", + "hosts": [ + "SHIPA_PUBLIC_IP", + "ETCD_SERVICE", + "SHIPA_API_CNAMES" + ], + "key": { + "algo": "ecdsa", + "size": 256 + }, + "names": [ + { + "O": "Shipa" + } + ] +} diff --git a/charts/shipa/shipa/1.6.100/scripts/csr-shipa-ca.json b/charts/shipa/shipa/1.6.100/scripts/csr-shipa-ca.json new file mode 100644 index 000000000..e2d36c7f8 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/csr-shipa-ca.json @@ -0,0 +1,12 @@ +{ + "CN": "Shipa", + "key": { + "algo": "rsa", + "size": 2048 + }, + "names": [ + { + "O": "shipa" + } + ] +} diff --git a/charts/shipa/shipa/1.6.100/scripts/init-job.sh b/charts/shipa/shipa/1.6.100/scripts/init-job.sh new file mode 100644 index 000000000..57a24a94d --- /dev/null +++ b/charts/shipa/shipa/1.6.100/scripts/init-job.sh @@ -0,0 +1,106 @@ +#!/bin/sh + +echo "Waiting for shipa api" + +until $(curl --output /dev/null --silent http://$SHIPA_ENDPOINT:$SHIPA_ENDPOINT_PORT); do + echo "." + sleep 1 +done + +SHIPA_CLIENT="/bin/shipa" +$SHIPA_CLIENT target add -s local $SHIPA_ENDPOINT --insecure --port=$SHIPA_ENDPOINT_PORT --disable-cert-validation +$SHIPA_CLIENT login < /etc/shipa/default-cluster-template-final.yaml +# append ca.crt with indentation +sed 's/^/ /g' /var/run/secrets/kubernetes.io/serviceaccount/ca.crt >> /etc/shipa/default-cluster-template-final.yaml +# append yaml tail, after CLUSTER_CACERT +grep "CLUSTER_CACERT" /etc/shipa/default-cluster-template.yaml -A 10000 | awk 'FNR>1' >> /etc/shipa/default-cluster-template-final.yaml + +$SHIPA_CLIENT cluster add --from-file /etc/shipa/default-cluster-template-final.yaml + +$SHIPA_CLIENT role add TeamAdmin team +$SHIPA_CLIENT role permission add TeamAdmin team +$SHIPA_CLIENT role permission add TeamAdmin app +$SHIPA_CLIENT role permission add TeamAdmin cluster +$SHIPA_CLIENT role permission add TeamAdmin service +$SHIPA_CLIENT role permission add TeamAdmin service-instance + +$SHIPA_CLIENT role add FrameworkAdmin framework +$SHIPA_CLIENT role permission add FrameworkAdmin framework +$SHIPA_CLIENT role permission add FrameworkAdmin node +$SHIPA_CLIENT role permission add FrameworkAdmin cluster + +$SHIPA_CLIENT role add ClusterAdmin cluster +$SHIPA_CLIENT role permission add ClusterAdmin cluster + +$SHIPA_CLIENT role add ServiceAdmin service +$SHIPA_CLIENT role add ServiceInstanceAdmin service-instance + +$SHIPA_CLIENT role default add --team-create TeamAdmin +$SHIPA_CLIENT role default add --framework-add FrameworkAdmin +$SHIPA_CLIENT role default add --cluster-add ClusterAdmin +$SHIPA_CLIENT role default add --service-add ServiceAdmin +$SHIPA_CLIENT role default add --service-instance-add ServiceInstanceAdmin + +if [ "x$DASHBOARD_ENABLED" != "xtrue" ]; then + echo "The dashboard is disabled" + exit 0 +fi + +COUNTER=0 +echo "Creating the dashboard app" +until $SHIPA_CLIENT app create dashboard \ + --framework=shipa-framework \ + --team=shipa-admin-team \ + -e SHIPA_ADMIN_USER=$USERNAME \ + -e SHIPA_CLOUD=$SHIPA_CLOUD \ + -e SHIPA_TARGETS=$SHIPA_TARGETS \ + -e SHIPA_PAY_API_HOST=$SHIPA_PAY_API_HOST \ + -e GOOGLE_RECAPTCHA_SITEKEY=$GOOGLE_RECAPTCHA_SITEKEY \ + -e SHIPA_API_INTERNAL_URL=http://$SHIPA_ENDPOINT:$SHIPA_ENDPOINT_PORT \ + -e SMARTLOOK_PROJECT_KEY=$SMARTLOOK_PROJECT_KEY; do + echo "Create dashboard failed with $?, waiting 15 seconds then trying again" + sleep 15 + let COUNTER=COUNTER+1 + if [ $COUNTER -gt 3 ]; then + echo "Failed to create dashboard three times, giving up" + exit 1 + fi +done + + +echo "Setting private envs for dashboard" +$SHIPA_CLIENT env set -a dashboard \ + SHIPA_PAY_API_TOKEN=$SHIPA_PAY_API_TOKEN \ + GOOGLE_RECAPTCHA_SECRET=$GOOGLE_RECAPTCHA_SECRET \ + LAUNCH_DARKLY_SDK_KEY=$LAUNCH_DARKLY_SDK_KEY -p + +COUNTER=0 +until $SHIPA_CLIENT app deploy -a dashboard -i $DASHBOARD_IMAGE; do + echo "Deploy dashboard failed with $?, waiting 30 seconds then trying again" + sleep 30 + let COUNTER=COUNTER+1 + if [ $COUNTER -gt 3 ]; then + echo "Failed to deploy dashboard three times, giving up" + exit 1 + fi +done diff --git a/charts/shipa/shipa/1.6.100/templates/NOTES.txt b/charts/shipa/shipa/1.6.100/templates/NOTES.txt new file mode 100644 index 000000000..ad89a5010 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/NOTES.txt @@ -0,0 +1,34 @@ + ****************************************** Thanks for choosing Shipa! ********************************************* + +1. Configured default user: + +Username: {{ .Values.auth.adminUser }} +Password: {{ .Values.auth.adminPassword }} + +2. If this is a production cluster, please configure persistent volumes. + The default reclaimPolicy for dynamically provisioned persistent volumes is "Delete" and + users are advised to change it for production + + The code snippet below can be used to set reclaimPolicy to "Retain" for all volumes: + +PVCs=$(kubectl --namespace={{ .Release.Namespace }} get pvc -l release={{ .Release.Name }} -o name) + +for pvc in $PVCs; do + volumeName=$(kubectl -n {{ .Release.Namespace }} get $pvc -o template --template=\{\{.spec.volumeName\}\}) + kubectl -n {{ .Release.Namespace }} patch pv $volumeName -p '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}' +done + +3. Set default target for shipa-client: + +export SHIPA_HOST=$(kubectl --namespace={{ .Release.Namespace }} get svc {{ template "shipa.fullname" . }}-ingress-nginx -o jsonpath="{.status.loadBalancer.ingress[0].ip}") && if [[ -z $SHIPA_HOST ]]; then export SHIPA_HOST=$(kubectl --namespace={{ .Release.Namespace }} get svc {{ template "shipa.fullname" . }}-ingress-nginx -o jsonpath="{.status.loadBalancer.ingress[0].hostname}") ; fi + +shipa target-add {{ .Release.Name }} $SHIPA_HOST -s + +shipa login {{ .Values.auth.adminUser }} +shipa node list +shipa app list + + +************************************************************************************************************************ +**** PLEASE BE PATIENT: Installing or upgrading Shipa may require downtime in order to perform database migrations. **** +************************************************************************************************************************ diff --git a/charts/shipa/shipa/1.6.100/templates/_helpers.tpl b/charts/shipa/shipa/1.6.100/templates/_helpers.tpl new file mode 100644 index 000000000..b4acd4ec1 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/_helpers.tpl @@ -0,0 +1,77 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "shipa.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "shipa.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "shipa.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "shipa.labels" -}} +helm.sh/chart: {{ include "shipa.chart" . }} +{{ include "shipa.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +release: {{ .Release.Name }} +app: {{ include "shipa.name" . }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "shipa.selectorLabels" -}} +app.kubernetes.io/name: {{ include "shipa.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "shipa.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "shipa.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* + If target CNAMEs are set by user in values.yaml, then use the first CNAME from +the list as main target since Shipa host can be only one in the shipa.conf +*/}} +{{- define "shipa.GetMainTarget" -}} +{{- if .Values.shipaApi.cnames }} +{{- index .Values.shipaApi.cnames 0 | quote -}} +{{- else -}} +{{- printf " " | quote -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/templates/clair-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/clair-configmap.yaml new file mode 100644 index 000000000..97a94abf5 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/clair-configmap.yaml @@ -0,0 +1,86 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-clair-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + config.template.yaml: |- + # + # This file is mounted to /clair-config/config.template.yaml and then processed by /entrypoint.sh + # + clair: + database: + # Database driver + type: pgsql + options: + # PostgreSQL Connection string + # https://www.postgresql.org/docs/current/static/libpq-connect.html#LIBPQ-CONNSTRING + {{- $host := (default (printf "%s-postgres.%s" (include "shipa.fullname" .) .Release.Namespace) .Values.postgres.source.host) }} + {{- $port := .Values.postgres.source.port }} + {{- $user := .Values.postgres.source.user }} + {{- $sslmode := .Values.postgres.source.sslmode }} + source: host={{ $host }} port={{ $port }} user={{ $user }} sslmode={{ $sslmode }} statement_timeout=60000 password=$POSTGRES_PASSWORD + + # Number of elements kept in the cache + # Values unlikely to change (e.g. namespaces) are cached in order to save prevent needless roundtrips to the database. + cachesize: 16384 + + # 32-bit URL-safe base64 key used to encrypt pagination tokens + # If one is not provided, it will be generated. + # Multiple clair instances in the same cluster need the same value. + paginationkey: + + api: + # v3 grpc/RESTful API server address + addr: "0.0.0.0:6060" + + # Health server address + # This is an unencrypted endpoint useful for load balancers to check to healthiness of the clair server. + healthaddr: "0.0.0.0:6061" + + # Deadline before an API request will respond with a 503 + timeout: 900s + + # Optional PKI configuration + # If you want to easily generate client certificates and CAs, try the following projects: + # https://github.com/coreos/etcd-ca + # https://github.com/cloudflare/cfssl + servername: + cafile: + keyfile: + certfile: + + updater: + # Frequency the database will be updated with vulnerabilities from the default data sources + # The value 0 disables the updater entirely. + interval: 2h + enabledupdaters: + - debian + - ubuntu + - rhel + - oracle + - alpine + - suse + + notifier: + # Number of attempts before the notification is marked as failed to be sent + attempts: 3 + + # Duration before a failed notification is retried + renotifyinterval: 2h + + http: + # Optional endpoint that will receive notifications via POST requests + endpoint: + + # Optional PKI configuration + # If you want to easily generate client certificates and CAs, try the following projects: + # https://github.com/cloudflare/cfssl + # https://github.com/coreos/etcd-ca + servername: + cafile: + keyfile: + certfile: + + # Optional HTTP Proxy: must be a valid URL (including the scheme). + proxy: diff --git a/charts/shipa/shipa/1.6.100/templates/clair-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/clair-deployment.yaml new file mode 100644 index 000000000..b6825725d --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/clair-deployment.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-clair + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-clair + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-clair + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: clair + image: shipasoftware/clair:v2.1.7 + imagePullPolicy: Always + ports: + - name: clair + containerPort: 6060 + protocol: TCP + - name: health + containerPort: 6061 + protocol: TCP + volumeMounts: + - name: {{ template "shipa.fullname" . }}-clair-config + mountPath: /clair-config/ + - name: config-dir + mountPath: /etc/clair/ + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: postgres-password + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: config-dir + emptyDir: {} + - name: {{ template "shipa.fullname" . }}-clair-config + configMap: + name: {{ template "shipa.fullname" . }}-clair-config + items: + - key: config.template.yaml + path: config.template.yaml diff --git a/charts/shipa/shipa/1.6.100/templates/clair-service.yaml b/charts/shipa/shipa/1.6.100/templates/clair-service.yaml new file mode 100644 index 000000000..a0bbd8faa --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/clair-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-clair + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-clair + ports: + - port: 6060 + targetPort: 6060 + protocol: TCP + name: clair + - port: 6061 + targetPort: 6061 + protocol: TCP + name: health diff --git a/charts/shipa/shipa/1.6.100/templates/etcd-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/etcd-deployment.yaml new file mode 100644 index 000000000..3b1e81082 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/etcd-deployment.yaml @@ -0,0 +1,65 @@ +{{- if not .Values.ketch.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-etcd + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-etcd + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-etcd + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: etcd + image: "quay.io/coreos/etcd:v3.3.22" + command: ['/usr/local/bin/etcd', + {{- if .Values.etcd.debug }} + '--debug', + {{- end }} + '--listen-client-urls', 'https://0.0.0.0:2379', + '--data-dir=/var/etcd/data', + '--advertise-client-urls', 'https://0.0.0.0:2379', + '--client-cert-auth', + '--max-request-bytes', '10485760', + '--trusted-ca-file', '/certs/shipa-ca.crt', + '--cert-file', '/certs/etcd-server.crt', + '--key-file', '/certs/etcd-server.key' ] + imagePullPolicy: IfNotPresent + ports: + - name: http + containerPort: 2379 + protocol: TCP + env: + - name: ETCDCTL_API + value: "3" + volumeMounts: + - name: data + mountPath: /var/etcd/data + subPath: etcd + - name: certificates + mountPath: /certs/ + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ template "shipa.fullname" . }}-etcd-pvc + - name: certificates + secret: + secretName: shipa-certificates + items: + - key: ca.pem + path: shipa-ca.crt + - key: etcd-server.crt + path: etcd-server.crt + - key: etcd-server.key + path: etcd-server.key +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/etcd-pvc.yaml b/charts/shipa/shipa/1.6.100/templates/etcd-pvc.yaml new file mode 100644 index 000000000..8ad3c7b7d --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/etcd-pvc.yaml @@ -0,0 +1,20 @@ +{{- if not .Values.ketch.enabled }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-etcd-pvc + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.etcd.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.etcd.persistence.size | quote }} + {{- if .Values.etcd.persistence.storageClass }} + {{- if (eq "-" .Values.etcd.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.etcd.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/etcd-service.yaml b/charts/shipa/shipa/1.6.100/templates/etcd-service.yaml new file mode 100644 index 000000000..523c17536 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/etcd-service.yaml @@ -0,0 +1,16 @@ +{{- if not .Values.ketch.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-etcd + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-etcd + ports: + - port: 2379 + targetPort: http + protocol: TCP + name: http +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/metrics-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/metrics-configmap.yaml new file mode 100644 index 000000000..b7cd013f5 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/metrics-configmap.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-metrics-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + prometheus.yml: |- + # + # DO NOT EDIT. Can be updated by shipa helm chart + # + global: + scrape_interval: 1m + + scrape_configs: + - job_name: "pushgateway" + honor_labels: true + scheme: http + static_configs: + - targets: ['127.0.0.1:9093'] + labels: + source: pushgateway + + - job_name: "traefik" + honor_labels: true + scheme: http + static_configs: + - targets: ['{{ template "shipa.fullname" . }}-traefik-internal.{{ .Release.Namespace }}:9095'] + + {{- if .Values.metrics.extraPrometheusConfiguration }} + # + # User defined extra configuration + # + {{- range $line, $value := ( split "\n" .Values.metrics.extraPrometheusConfiguration ) }} + {{ $value }} + {{- end }} + {{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/metrics-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/metrics-deployment.yaml new file mode 100644 index 000000000..c4fdfd072 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/metrics-deployment.yaml @@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-metrics + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-metrics + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-metrics + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + # Please do not scale metrics container. It doesn't use storage lock (--storage.tsdb.no-lockfile) + - name: metrics + image: {{ .Values.metrics.image }} + imagePullPolicy: {{ .Values.metrics.pullPolicy }} + env: + - name: PROMETHEUS_ARGS + value: "--web.enable-admin-api {{ default ("--storage.tsdb.retention.time=1d") .Values.metrics.prometheusArgs }}" + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: metrics-password + ports: + - name: prometheus + containerPort: 9090 + protocol: TCP + - name: pushgateway + containerPort: 9091 + protocol: TCP + volumeMounts: + - name: "{{ template "shipa.fullname" . }}-metrics-config" + mountPath: /etc/prometheus/config + + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: {{ template "shipa.fullname" . }}-metrics-config + configMap: + name: {{ template "shipa.fullname" . }}-metrics-config + items: + - key: prometheus.yml + path: prometheus.yml diff --git a/charts/shipa/shipa/1.6.100/templates/metrics-service.yaml b/charts/shipa/shipa/1.6.100/templates/metrics-service.yaml new file mode 100644 index 000000000..2371f76bb --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/metrics-service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-metrics + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-metrics + ports: + - port: 9090 + targetPort: 9090 + protocol: TCP + name: prometheus + - port: 9091 + targetPort: 9091 + protocol: TCP + name: pushgateway diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-configmap.yaml new file mode 100644 index 000000000..32cad3152 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-configmap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-nginx + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +data: + {{- if .Values.service.nginx.config }} + {{- range $key, $value := .Values.service.nginx.config }} + {{ $key }}: {{ $value }} + {{- end }} + {{- else }} + proxy-body-size: "512M" + proxy-read-timeout: "300" + proxy-connect-timeout: "300" + proxy-send-timeout: "300" + upstream-keepalive-timeout: "300" + {{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-deployment.yaml new file mode 100644 index 000000000..ef79907a1 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-deployment.yaml @@ -0,0 +1,100 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" + annotations: + sidecar.istio.io/inject: "false" +spec: + replicas: 1 + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-nginx-ingress + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-nginx-ingress + annotations: + sidecar.istio.io/inject: "false" + prometheus.io/port: "10254" + prometheus.io/scrape: "true" + spec: + # wait up to 30 seconds for the drain of connections + terminationGracePeriodSeconds: 30 + serviceAccountName: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + nodeSelector: + kubernetes.io/os: linux + containers: + - name: nginx-ingress-controller + image: k8s.gcr.io/ingress-nginx/controller:v1.1.0@sha256:f766669fdcf3dc26347ed273a55e754b427eb4411ee075a53f30718b4499076a + args: + - /nginx-ingress-controller + - --election-id={{ template "shipa.fullname" . }}-leader + - --configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx + - --tcp-services-configmap=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-nginx-tcp-services + - --publish-service=$(POD_NAMESPACE)/{{ template "shipa.fullname" . }}-ingress-nginx + - --ingress-class=shipa-nginx-ingress + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + {{- if not .Values.shipaApi.secureIngressOnly }} + - name: shipa + containerPort: {{ .Values.shipaApi.port }} + protocol: TCP + {{- end }} + - name: shipa-secure + containerPort: {{ .Values.shipaApi.securePort }} + protocol: TCP + {{ if not .Values.ketch.enabled }} + - name: etcd + containerPort: 2379 + protocol: TCP + {{- end }} + {{- if .Values.ketch.enabled }} + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + {{- end }} + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 10 + lifecycle: + preStop: + exec: + command: + - /wait-shutdown diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-rbac.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-rbac.yaml new file mode 100644 index 000000000..cd93a8d26 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-rbac.yaml @@ -0,0 +1,128 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - update + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - ingresses/status + verbs: + - update + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-role + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + - "{{ template "shipa.fullname" . }}-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-role-nisa-binding + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "shipa.fullname" . }}-nginx-ingress-role +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + namespace: {{ .Release.Namespace }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole-nisa-binding + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }}-nginx-ingress-clusterrole +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + namespace: {{ .Release.Namespace }} diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-service.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-service.yaml new file mode 100644 index 000000000..a5b35c7c1 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-service.yaml @@ -0,0 +1,62 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-ingress-nginx + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +spec: + type: "{{ .Values.service.nginx.serviceType }}" + {{- if eq .Values.service.nginx.serviceType "LoadBalancer" }} + {{- if .Values.service.nginx.ip }} + loadBalancerIP: "{{ .Values.service.nginx.ip }}" + {{- end }} + {{- end }} + {{- if eq .Values.service.nginx.serviceType "ClusterIP" }} + {{- if .Values.service.nginx.ip }} + clusterIP: "{{ .Values.service.nginx.ip }}" + {{- end }} + {{- end }} + selector: + name: {{ template "shipa.fullname" . }}-nginx-ingress + ports: + {{- if .Values.ketch.enabled }} + - name: http + port: 80 + protocol: TCP + targetPort: 80 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + {{- end }} + - port: {{ .Values.shipaApi.securePort }} + name: shipa-secure + targetPort: {{ .Values.shipaApi.securePort }} + protocol: TCP + {{- if eq .Values.service.nginx.serviceType "NodePort" }} + {{- if .Values.service.nginx.secureApiNodePort }} + nodePort: {{ .Values.service.nginx.secureApiNodePort }} + {{- end }} + {{- end }} + {{- if not .Values.shipaApi.secureIngressOnly }} + - port: {{ .Values.shipaApi.port }} + name: shipa + targetPort: {{ .Values.shipaApi.port }} + protocol: TCP + {{- if eq .Values.service.nginx.serviceType "NodePort" }} + {{- if .Values.service.nginx.apiNodePort }} + nodePort: {{ .Values.service.nginx.apiNodePort }} + {{- end }} + {{- end }} + {{- end }} + {{- if not .Values.ketch.enabled }} + - port: {{ .Values.shipaApi.etcdPort }} + name: etcd + targetPort: 2379 + protocol: TCP + {{- if eq .Values.service.nginx.serviceType "NodePort" }} + {{- if .Values.service.nginx.etcdNodePort }} + nodePort: {{ .Values.service.nginx.etcdNodePort }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-serviceaccount.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-serviceaccount.yaml new file mode 100644 index 000000000..943700b54 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-serviceaccount.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "shipa.fullname" . }}-nginx-ingress-serviceaccount + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" diff --git a/charts/shipa/shipa/1.6.100/templates/nginx-tcp-services-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/nginx-tcp-services-configmap.yaml new file mode 100644 index 000000000..48ae333af --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/nginx-tcp-services-configmap.yaml @@ -0,0 +1,14 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-nginx-tcp-services + labels: {{- include "shipa.labels" . | nindent 4 }} + shipa.io/shipa-api-ingress-controller: "true" +data: + {{ .Values.shipaApi.securePort }}: "{{ .Release.Namespace }}/{{ include "shipa.fullname" . }}-api:{{ .Values.shipaApi.securePort }}" + {{- if not .Values.shipaApi.secureIngressOnly }} + {{ .Values.shipaApi.port }}: "{{ .Release.Namespace }}/{{ include "shipa.fullname" . }}-api:{{ .Values.shipaApi.port }}" + {{- end }} + {{ if not .Values.ketch.enabled }} + 2379: "{{ .Release.Namespace }}/{{ include "shipa.fullname" . }}-etcd:2379" + {{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/postgres-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/postgres-deployment.yaml new file mode 100644 index 000000000..5c2018a6f --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/postgres-deployment.yaml @@ -0,0 +1,48 @@ +{{- if .Values.postgres.create }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "shipa.fullname" . }}-postgres + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" +spec: + selector: + matchLabels: + name: {{ template "shipa.fullname" . }}-postgres + template: + metadata: + labels: + name: {{ template "shipa.fullname" . }}-postgres + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + containers: + - name: postgres + image: postgres:13 + imagePullPolicy: IfNotPresent + ports: + - name: postgres + containerPort: 5432 + protocol: TCP + volumeMounts: + - name: data + mountPath: /var/lib/postgresql/data + subPath: postgres + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: postgres-password + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ template "shipa.fullname" . }}-postgres-pvc +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/postgres-pvc.yaml b/charts/shipa/shipa/1.6.100/templates/postgres-pvc.yaml new file mode 100644 index 000000000..caf8ef0ba --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/postgres-pvc.yaml @@ -0,0 +1,20 @@ +{{- if .Values.postgres.create }} +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-postgres-pvc + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + accessModes: + - {{ .Values.postgres.persistence.accessMode | quote }} + resources: + requests: + storage: {{ .Values.postgres.persistence.size | quote }} + {{- if .Values.postgres.persistence.storageClass }} + {{- if (eq "-" .Values.postgres.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.postgres.persistence.storageClass }}" + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/postgres-service.yaml b/charts/shipa/shipa/1.6.100/templates/postgres-service.yaml new file mode 100644 index 000000000..01ef2dd61 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/postgres-service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.postgres.create }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "shipa.fullname" . }}-postgres + labels: {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + name: {{ template "shipa.fullname" . }}-postgres + ports: + - port: 5432 + targetPort: 5432 + protocol: TCP + name: postgres +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-configmap.yaml new file mode 100644 index 000000000..64238cbf4 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-configmap.yaml @@ -0,0 +1,157 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-api-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + shipa.conf: |- + shipaVersion: {{ .Chart.Version }} + tls-listen: "0.0.0.0:{{ .Values.shipaApi.securePort }}" + listen: "0.0.0.0:{{ .Values.shipaApi.port }}" + host: https://SHIPA_PUBLIC_IP:{{ .Values.shipaApi.securePort }} + use-tls: true + shipaCloud: + enabled: {{ .Values.shipaCloud.enabled }} + tls: + server-cert: /certs/api-server.crt + server-key: /certs/api-server.key + + database: + {{- if not .Values.tags.defaultDB }} + url: {{ .Values.externalMongodb.url}} + tls: {{ .Values.externalMongodb.tls.enable }} + {{ else }} + url: {{ .Release.Name }}-mongodb-replicaset:27017 + tls: false + {{- end }} + name: shipa + username: $DB_USERNAME + password: $DB_PASSWORD + license: {{ .Values.license }} + organization: + id: SHIPA_ORGANIZATION_ID + dashboard: + enabled: $DASHBOARD_ENABLED + image: $DASHBOARD_IMAGE + envs: + SHIPA_ADMIN_USER: {{ .Values.auth.adminUser | quote }} + SHIPA_CLOUD: {{ .Values.shipaCloud.enabled | quote }} + SHIPA_TARGETS: {{ join "," .Values.shipaApi.cnames }} + SHIPA_PAY_API_HOST: {{ .Values.shipaCloud.shipaPayApi.host }} + SHIPA_PAY_API_TOKEN: {{ .Values.shipaCloud.shipaPayApi.token }} + GOOGLE_RECAPTCHA_SITEKEY: {{ .Values.shipaCloud.googleRecaptcha.sitekey }} + GOOGLE_RECAPTCHA_SECRET: {{ .Values.shipaCloud.googleRecaptcha.secret }} + SMARTLOOK_PROJECT_KEY: {{ .Values.shipaCloud.smartlook.projectKey }} + LAUNCH_DARKLY_SDK_KEY: {{ .Values.shipaCloud.launchDarkly.sdkKey }} + SHIPA_API_INTERNAL_URL: http://{{ template "shipa.fullname" . }}-api:{{ .Values.shipaApi.port }} + auth: + admin-email: {{ .Values.auth.adminUser | quote }} + dummy-domain: {{ .Values.auth.dummyDomain | quote }} + token-expire-days: 2 + hash-cost: 4 + user-registration: true + user-activation: + cert: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF6TXIwd3hETklDcm9JN3VEVkdoTgpFZytVbTdkQzk3NVZpM1l1NnJHUUdlc3ZwZTY5T2NhT0VxZHFML0NNWGVRMW1oTVFtUnplQnlxWEJ1Q2xOemphCjlEbjV2WTBlVnNIZUhuVTJ4bkkyV1dSR3JjUE1mRGJuRzlDSnNZQmdHd3A2eDcrYVR2RXZCRFBtS3YrcjdOcysKUXhhNzBFZEk4NTZLMWQyTTQ1U3RuZW1hcm51cjdOTDdGb2VsS1FWNGREd1hxU2EvVW1tdHdOOGNSTENUQ0N4NQpObkVya2UrTWo1RFFqTW5TUlRHbjFxOE91azlOUXRxNDlrbFMwMUhIQTJBWnR6ZExteTMrTktXRVZta3Z0cGgxClJseHBtZVQ5SERNbHI5aFI3U3BidnRHeVZVUG1pbXVYWFA4cXdOcHZab01Ka3hWRm4zbWNRVHRMbk8xa0Jjb1cKZVFJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg== + provisioner: kubernetes + metrics: + host: {{ template "shipa.fullname" . }}-metrics + password: $METRICS_PASSWORD + + # section contains configuration of Prometheus Metrics Exporter + prometheus-metrics-exporter: + image: shipasoftware/prometheus-metrics-exporter:v0.0.7 + + docker: + cluster: + storage: mongodb + mongo-database: cluster + collection: docker + registry-scheme: https + repository-namespace: shipa + router: traefik + deploy-cmd: /var/lib/shipa/deploy + run-cmd: + bin: /var/lib/shipa/start + port: "8888" + tls: + root-path: /certs + auto-scale: + enabled: true + run-interval: $DOCKER_AUTOSCALE_RUN_INTERVAL + routers: + traefik: + type: traefik + domain: shipa.cloud + kv: + endpoint: {{ template "shipa.fullname" . }}-etcd:2379 + username: root + password: $ETCD_PASSWORD + ca: /certs/ca.pem + client-key: /certs/etcd-client.key + client-cert: /certs/etcd-client.crt + istio: + type: istio + nginx: + type: nginx + serviceType: {{ .Values.service.nginx.serviceType }} + ip: {{ .Values.service.nginx.ip }} + queue: + mongo-database: queuedb + quota: + units-per-app: 4 + apps-per-user: 8 + log: + disable-syslog: true + use-stderr: true + clair: + server: http://{{ template "shipa.fullname" . }}-clair:6060 + disabled: false + kubernetes: + # pod name is used by a leader election thing as an identifier for the current shipa-api instance + pod-name: $POD_NAME + pod-namespace: $POD_NAMESPACE + core-services-address: SHIPA_PUBLIC_IP + etcd-port: {{ .Values.shipaApi.etcdPort }} + use-pool-namespaces: true + remote-cluster-ingress: + http-port: 80 + https-port: 443 + protected-port: 31567 + service-type: LoadBalancer + ketch: + enabled: {{ .Values.ketch.enabled }} + image: {{ .Values.ketch.image }} + metrics-address: {{ .Values.ketch.metricsAddress }} + cert-manager: + install-url: {{ .Values.certManager.installUrl }} + + cluster-update: + # it's a default value that specifies if cluster-update operations can restart ingress controllers + ingress-restart-is-allowed: {{ .Values.shipaApi.allowRestartIngressControllers }} + + app-auto-discovery: + enabled: {{ .Values.shipaApi.appAutoDiscoveryEnabled }} + + debug: {{ .Values.shipaApi.debug }} + node-traefik: + image: {{ .Values.shipaNodeTraefik.image }} + user: {{ .Values.shipaNodeTraefik.user }} + password: $NODE_TRAEFIK_PASSWORD + certificates: + root: /certs/ + ca: ca.pem + ca-key: ca-key.pem + client-ca: client-ca.crt + client-ca-key: client-ca.key + is-ca-endpoint-disabled: {{ .Values.shipaApi.isCAEndpointDisabled }} + + shipa-controller: + image: {{ .Values.shipaController.image }} + + busybody: + image: {{ .Values.busybody.image }} + socket: /var/run/docker.sock + + signatures: single # multiple/single + launch-darkly: + api-key: {{ .Values.shipaCloud.launchDarkly.sdkKey }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-deployment.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-deployment.yaml new file mode 100644 index 000000000..fa3be656d --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-deployment.yaml @@ -0,0 +1,221 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "shipa.fullname" . }}-api + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + sidecar.istio.io/inject: "false" + checksum/config: {{ include (print $.Template.BasePath "/shipa-api-configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/shipa-secret.yaml") . | sha256sum }} + checksum/db-auth-secret: {{ include (print $.Template.BasePath "/shipa-db-auth-secrets.yaml") . | sha256sum }} +spec: +{{- if .Values.shipaApi.allowMigrationDowntime }} + strategy: + type: Recreate +{{- end }} + selector: + matchLabels: + {{- include "shipa.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "shipa.selectorLabels" . | nindent 8 }} + annotations: + timestamp: "{{ date "20060102150405" now }}" + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }} + {{- else }} + serviceAccountName: default + {{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + initContainers: + - name: bootstrap + image: {{ .Values.cli.image }} + command: + - /scripts/bootstrap.sh + imagePullPolicy: {{ .Values.cli.pullPolicy }} + volumeMounts: + - name: scripts + mountPath: /scripts + - name: shipa-conf + mountPath: /etc/shipa-default/ + - name: config-dir + mountPath: /etc/shipa/ + env: + - name: NGINX_SERVICE + value: {{ template "shipa.fullname" . }}-ingress-nginx + - name: ETCD_SERVICE + value: {{ template "shipa.fullname" . }}-etcd + - name: SHIPA_PORT + value: {{ .Values.shipaApi.port | quote }} + - name: SHIPA_API_CNAMES + value: {{ join "\",\"" .Values.shipaApi.cnames | quote }} + - name: SHIPA_ORGANIZATION_ID + valueFrom: + configMapKeyRef: + name: {{ template "shipa.fullname" . }}-defaults-configmap + key: shipa-org-id + - name: SHIPA_MAIN_TARGET + value: {{ template "shipa.GetMainTarget" . }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: init + image: {{ .Values.shipaApi.image }} + # this init container creates an admin user. + # Let's avoid having ENV variables with admin credentials in the main shipa container. + command: + - /bin/shipad + - root + - user + - create + - --ignore-if-exists + imagePullPolicy: {{ .Values.shipaApi.pullPolicy }} + volumeMounts: + - name: config-dir + mountPath: /etc/shipa/ + - name: certificates + mountPath: /certs/ + env: + - name: SHIPA_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: username + - name: SHIPA_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: password + {{- if not .Values.tags.defaultDB }} + {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} + - name: DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-db-auth-secret + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-db-auth-secret + key: password + {{- end }} + {{- end }} + containers: + - name: shipa + image: {{ .Values.shipaApi.image }} + imagePullPolicy: {{ .Values.shipaApi.pullPolicy }} + env: + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: metrics-password + - name: ETCD_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: etcd-password + - name: NODE_TRAEFIK_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: node-traefik-password + - name: DASHBOARD_IMAGE + value: {{ .Values.dashboard.image }} + - name: DASHBOARD_ENABLED + value: "{{ .Values.dashboard.enabled }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- if not .Values.tags.defaultDB }} + {{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} + - name: DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-db-auth-secret + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-db-auth-secret + key: password + {{- end }} + {{- end }} + ports: + - name: shipa + containerPort: {{ .Values.shipaApi.port }} + protocol: TCP + - name: shipa-secure + containerPort: {{ .Values.shipaApi.securePort }} + protocol: TCP + + livenessProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + periodSeconds: 2 + failureThreshold: 4 + startupProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + failureThreshold: 90 + periodSeconds: 2 + readinessProbe: + httpGet: + path: / + port: {{ .Values.shipaApi.port }} + periodSeconds: 3 + initialDelaySeconds: 5 + failureThreshold: 50 + successThreshold: 1 + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true + capabilities: + drop: + - ALL + volumeMounts: + - name: config-dir + mountPath: /etc/shipa/ + readOnly: true + - name: certificates + mountPath: /certs/ + readOnly: true + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: config-dir + emptyDir: {} + - name: shipa-conf + configMap: + name: {{ template "shipa.fullname" . }}-api-config + items: + - key: shipa.conf + path: shipa.conf + - name: certificates + secret: + secretName: shipa-certificates + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-api-init-config diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-init-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-configmap.yaml new file mode 100644 index 000000000..d5225236c --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-configmap.yaml @@ -0,0 +1,78 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-api-init-config + labels: {{- include "shipa.labels" . | nindent 4 }} +data: + init-job.sh: | +{{ .Files.Get "scripts/init-job.sh" | indent 4 }} + bootstrap.sh: | +{{ .Files.Get "scripts/bootstrap.sh" | indent 4 }} + csr-docker-cluster.json: | +{{ .Files.Get "scripts/csr-docker-cluster.json" | indent 4 }} + csr-etcd.json: | +{{ .Files.Get "scripts/csr-etcd.json" | indent 4 }} + csr-etcd-client.json: | +{{ .Files.Get "scripts/csr-etcd-client.json" | indent 4 }} + csr-shipa-ca.json: | +{{ .Files.Get "scripts/csr-shipa-ca.json" | indent 4 }} + csr-client-ca.json: | +{{ .Files.Get "scripts/csr-client-ca.json" | indent 4 }} + csr-api-config.json: | +{{ .Files.Get "scripts/csr-api-config.json" | indent 4 }} + csr-api-server.json: | +{{ .Files.Get "scripts/csr-api-server.json" | indent 4 }} + default-framework-template.yaml: | + shipaFramework: shipa-framework + resources: + general: + setup: + force: false + default: true + public: true + provisioner: kubernetes + kubeNamespace: {{ .Release.Namespace }} + security: + disableScan: true + {{ if .Values.ketch.enabled }} + router: nginx + {{- else }} + router: traefik + {{- end }} + access: + append: + - shipa-admin-team + - shipa-system-team + default-cluster-template.yaml: | + name: shipa-cluster + endpoint: + addresses: + - CLUSTER_ADDR + caCert: | + CLUSTER_CACERT + token: CLUSTER_TOKEN + resources: + frameworks: + - name: shipa-framework + ingressControllers: + {{ if .Values.ketch.enabled }} + - ingressip: {{ .Values.service.nginx.ip }} + serviceType: {{ default ( "LoadBalancer" ) .Values.service.nginx.serviceType | quote }} + type: nginx + className: shipa-nginx-ingress + {{ if .Values.shipaCluster.traefikIp }} + - ingressip: {{ .Values.shipaCluster.traefikIp }} + serviceType: {{ default ( "LoadBalancer" ) .Values.shipaCluster.traefikServiceType | quote }} + type: traefik + {{- end }} + {{- else }} + - ingressip: {{ .Values.shipaCluster.ip }} + serviceType: {{ default ( "LoadBalancer" ) .Values.shipaCluster.serviceType | quote }} + type: traefik + debug: {{ .Values.shipaCluster.debug }} + {{- end }} + {{ if .Values.shipaCluster.istioIp }} + - ingressip: {{ .Values.shipaCluster.istioIp }} + serviceType: {{ default ( "LoadBalancer" ) .Values.shipaCluster.istioServiceType | quote }} + type: istio + {{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-init-job.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-job.yaml new file mode 100644 index 000000000..7376d7157 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-job.yaml @@ -0,0 +1,103 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}" + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "post-install" + sidecar.istio.io/inject: "false" +spec: + backoffLimit: 5 + template: + metadata: + name: "{{ template "shipa.fullname" . }}-init-job-{{ .Release.Revision }}" + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + terminationGracePeriodSeconds: 3 + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }} + {{- else }} + serviceAccountName: default + {{- end }} + restartPolicy: Never + containers: + - name: migrations + image: {{ .Values.cli.image }} + command: + - /scripts/init-job.sh + imagePullPolicy: {{ .Values.cli.pullPolicy }} + env: + - name: SHIPA_ENDPOINT + value: "{{ template "shipa.fullname" . }}-api" + - name: SHIPA_ENDPOINT_PORT + value: "{{ .Values.shipaApi.port }}" + - name: USERNAME + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: username + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-api-init-secret + key: password + - name: METRICS_SERVICE + value: {{ template "shipa.fullname" . }}-metrics + - name: INGRESS_SERVICE_TYPE + value: {{ default ( "LoadBalancer" ) .Values.shipaCluster.serviceType | quote }} + - name: INGRESS_IP + value: {{ default ( "" ) .Values.shipaCluster.ip | quote }} + - name: INGRESS_DEBUG + value: {{ default ( "false" ) .Values.shipaCluster.debug | quote }} + - name: ISTIO_INGRESS_SERVICE_TYPE + value: {{ default ( "LoadBalancer" ) .Values.shipaCluster.istioServiceType | quote }} + - name: ISTIO_INGRESS_IP + value: {{ default ( "" ) .Values.shipaCluster.istioIp | quote }} + - name: DASHBOARD_IMAGE + value: {{ .Values.dashboard.image }} + - name: DASHBOARD_ENABLED + value: "{{ .Values.dashboard.enabled }}" + - name: SHIPA_CLOUD + value: {{ .Values.shipaCloud.enabled | quote }} + - name: SHIPA_PAY_API_HOST + value: {{ .Values.shipaCloud.shipaPayApi.host | quote }} + - name: SHIPA_PAY_API_TOKEN + value: {{ .Values.shipaCloud.shipaPayApi.token | quote }} + - name: GOOGLE_RECAPTCHA_SITEKEY + value: {{ .Values.shipaCloud.googleRecaptcha.sitekey | quote }} + - name: GOOGLE_RECAPTCHA_SECRET + value: {{ .Values.shipaCloud.googleRecaptcha.secret | quote }} + - name: SMARTLOOK_PROJECT_KEY + value: {{ .Values.shipaCloud.smartlook.projectKey | quote }} + - name: LAUNCH_DARKLY_SDK_KEY + value: {{ .Values.shipaCloud.launchDarkly.sdkKey | quote }} + - name: SHIPA_TARGETS + value: {{ join "," .Values.shipaApi.cnames | quote }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: METRICS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ template "shipa.fullname" . }}-secret + key: metrics-password + volumeMounts: + - name: scripts + mountPath: /scripts + - name: scripts-out + mountPath: /etc/shipa/ + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + - name: {{ .Values.imagePullSecrets }} + {{- end }} + volumes: + - name: scripts + configMap: + defaultMode: 0755 + name: {{ template "shipa.fullname" . }}-api-init-config + - name: scripts-out + emptyDir: {} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-init-secrets.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-secrets.yaml new file mode 100644 index 000000000..14ea762fe --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-init-secrets.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-api-init-secret + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + {{- if or (lt (len .Values.auth.adminPassword) 6) (gt (len .Values.auth.adminPassword) 50) }} + {{- fail "adminPassword must be between 6 and 50 characters" }} + {{- end }} + username: {{ required "Admin username is required! Use --set=auth.adminUser=..." .Values.auth.adminUser | toString | b64enc | quote }} + password: {{ required "Admin password is required! Use --set=auth.adminPassword=..." .Values.auth.adminPassword | toString | b64enc | quote }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-rbac.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-rbac.yaml new file mode 100644 index 000000000..cf2109939 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-rbac.yaml @@ -0,0 +1,98 @@ +{{- if .Values.rbac.enabled }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "" + - services + - extensions + - rbac.authorization.k8s.io + - apiextensions.k8s.io + - networking.k8s.io + - core + - apps + - shipa.io + - config.istio.io + - networking.istio.io + - rbac.istio.io + - authentication.istio.io + - cert-manager.io + - admissionregistration.k8s.io + - coordination.k8s.io + - theketch.io + - traefik.containo.us + resources: ["*"] + verbs: ["*"] + - apiGroups: ["*"] + resources: ["*"] + verbs: + - list + - get + - watch + - nonResourceURLs: ["*"] + verbs: + - list + - get + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "shipa.fullname" . }}-role + labels: {{- include "shipa.labels" . | nindent 4 }} +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: ["*"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "shipa.fullname" . }} + namespace: {{ .Release.Namespace }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }} + labels: {{- include "shipa.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "shipa.fullname" . }}-role +subjects: + - kind: ServiceAccount + name: {{ template "shipa.fullname" . }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-api-service.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-api-service.yaml new file mode 100644 index 000000000..4806a790f --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-api-service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "shipa.fullname" . }}-api + labels: + {{- include "shipa.labels" . | nindent 4 }} +spec: + type: ClusterIP + selector: + {{- include "shipa.selectorLabels" . | nindent 4 }} + ports: + - port: {{ .Values.shipaApi.port }} + targetPort: {{ .Values.shipaApi.port }} + protocol: TCP + name: shipa + - port: {{ .Values.shipaApi.securePort }} + targetPort: {{ .Values.shipaApi.securePort }} + protocol: TCP + name: shipa-secure diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-certificates-secret.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-certificates-secret.yaml new file mode 100644 index 000000000..6517a18b5 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-certificates-secret.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Secret +metadata: + name: shipa-certificates + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + ca.pem: "" + ca-key.pem: "" + cert.pem: "" + key.pem: "" + etcd-server.crt: "" + etcd-server.key: "" + etcd-client.crt: "" + etcd-client.key: "" + api-server.crt: "" + api-server.key: "" + client-ca.crt: "" + client-ca.key: "" diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-db-auth-secrets.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-db-auth-secrets.yaml new file mode 100644 index 000000000..41b7275f2 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-db-auth-secrets.yaml @@ -0,0 +1,14 @@ +{{- if not .Values.tags.defaultDB }} +{{- if and ( .Values.externalMongodb.auth.username ) ( .Values.externalMongodb.auth.password ) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-db-auth-secret + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" +data: + username: {{ required "Database username is required! Use --set=externalMongodb.auth.username=..." .Values.externalMongodb.auth.username | toString | b64enc | quote }} + password: {{ required "Database password is required! Use --set=externalMongodb.auth.password=..." .Values.externalMongodb.auth.password | toString | b64enc | quote }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-defaults-configmap.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-defaults-configmap.yaml new file mode 100644 index 000000000..55245b93f --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-defaults-configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "shipa.fullname" . }}-defaults-configmap + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + shipa-org-id: {{ uuidv4 | replace "-" "" | quote }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-secret.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-secret.yaml new file mode 100644 index 000000000..d10b81fbb --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-secret.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "shipa.fullname" . }}-secret + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation" +data: + metrics-password: {{ default (randAlphaNum 15) .Values.metrics.password | toString | b64enc | quote }} + etcd-password: {{ default (randAlphaNum 15) .Values.etcd.password | toString | b64enc | quote }} + postgres-password: {{ default (randAlphaNum 15) .Values.postgres.source.password | toString | b64enc | quote }} + node-traefik-password: {{ default (randAlphaNum 15) .Values.shipaNodeTraefik.password | toString | b64enc | quote }} diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-job.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-job.yaml new file mode 100644 index 000000000..4c53d04e9 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-job.yaml @@ -0,0 +1,50 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-delete + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": hook-succeeded + sidecar.istio.io/inject: "false" +spec: + template: + metadata: + name: "{{ template "shipa.fullname" . }}-uninstall-job-{{ .Release.Revision }}" + annotations: + sidecar.istio.io/inject: "false" + spec: + nodeSelector: + kubernetes.io/os: linux + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "shipa.fullname" . }}-uninstall + {{- else }} + serviceAccountName: default + {{- end }} + restartPolicy: Never + containers: + - name: cleanup + image: {{ .Values.cli.image }} + command: ["/bin/sh", "-c"] + args: + - /usr/local/bin/kubectl delete ds --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete deployment --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete pod --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete services --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete sa --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete secrets --selector=$SELECTOR $NAMESPACE_MOD --ignore-not-found=true; + /usr/local/bin/kubectl delete crd apps.shipa.io --ignore-not-found=true; + /usr/local/bin/kubectl delete configmap {{ template "shipa.fullname" . }}-leader-nginx --ignore-not-found=true; + /usr/local/bin/kubectl delete namespaces --selector=$SELECTOR --ignore-not-found=true; + /usr/local/bin/kubectl delete clusterrolebindings --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD; + /usr/local/bin/kubectl delete clusterrole --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD; + /usr/local/bin/kubectl delete ingress --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD; + /usr/local/bin/kubectl delete endpoints --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD; + /usr/local/bin/kubectl delete netpol --selector=$SELECTOR --ignore-not-found=true $NAMESPACE_MOD; + imagePullPolicy: IfNotPresent + env: + - name: SELECTOR + value: "shipa.io/is-shipa=true" + - name: NAMESPACE_MOD + value: "-A" diff --git a/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-rbac.yaml b/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-rbac.yaml new file mode 100644 index 000000000..563469050 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/templates/shipa-uninstall-rbac.yaml @@ -0,0 +1,52 @@ +{{- if .Values.rbac.enabled }} +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +rules: + - apiGroups: + - "" + - services + - extensions + - rbac.authorization.k8s.io + - networking.k8s.io + - apiextensions.k8s.io + - core + - apps + - shipa.io + resources: ["*"] + verbs: ["*"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "shipa.fullname" . }}-uninstall + labels: {{- include "shipa.labels" . | nindent 4 }} + annotations: + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "1" + "helm.sh/hook": post-delete +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "shipa.fullname" . }}-uninstall +subjects: +- kind: ServiceAccount + name: {{ template "shipa.fullname" . }}-uninstall + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/shipa/shipa/1.6.100/values.yaml b/charts/shipa/shipa/1.6.100/values.yaml new file mode 100644 index 000000000..d321115c7 --- /dev/null +++ b/charts/shipa/shipa/1.6.100/values.yaml @@ -0,0 +1,232 @@ +# Default values for shipa. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +auth: + dummyDomain: "@shipa.io" + +shipaApi: + port: 8080 + securePort: 8081 + etcdPort: 2379 + image: shipasoftware/api:3ff0e722daaeab89bb7bb69af1ee8035d97c27fb + pullPolicy: Always + debug: false + cnames: [] + allowRestartIngressControllers: true + allowMigrationDowntime: true + appAutoDiscoveryEnabled: true + isCAEndpointDisabled: false + secureIngressOnly: false + +license: "" + +shipaCluster: + # use debug logs in traefik ingress controller + debug: false + + # non ketch only + # kubernetes service type for traefik ingress controller (LoadBalancer/ClusterIP) + serviceType: LoadBalancer + + # non ketch only + # override traefik ingress controller ip address + # ip: 10.100.10.11 + + # use debug logs in istio ingress controller + istioDebug: false + + # kubernetes service type for istio ingress controller (LoadBalancer/ClusterIP) + istioServiceType: LoadBalancer + + # override istio ingress controller ip address + # istioIp: 10.100.10.11 + + # ketch only + # kubernetes service type for traefik ingress controller (LoadBalancer/ClusterIP) + traefikServiceType: LoadBalancer + + # ketch only + # override traefik ingress controller ip address + # traefikIp: 10.100.10.11 + +# populate with docker hub username to use authenticated user. Secrets should be added to cluster outside shipa helm chart +# imagePullSecrets: "" + +service: + nginx: + enabled: true + + # kubernetes service type for nginx ingress (LoadBalancer/ClusterIP) + serviceType: LoadBalancer + + # the following *NodePort values will be used only if serviceType is "NodePort" + # apiNodePort specifies "nodePort" for shipa-api over http + #apiNodePort: 32200 + # secureNodePort specifies "nodePort" for shipa-api over https + #secureApiNodePort: 32201 + # etcdNodePort specifies "nodePort" for etcd + #etcdNodePort: 32202 + + # override nginx ingress controller ip address based on serviceType + #ip: 10.100.10.10 + + # If set, defines nginx configuration as described in the manual: + # https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap + # there are default values, take a look at templates/nginx-configmap.yaml + #config: + # proxy-body-size: "128M" + +dashboard: + enabled: true + image: shipasoftware/dashboard:47a8552e982c578a8fba3eb24f87c3d3df246ada + +etcd: + debug: false + persistence: + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + ## storageClass: "" + accessMode: "ReadWriteOnce" + size: 10Gi + +postgres: + source: + ## Leave blank to default to {{ template "shipa.fullname" . }}-postgres.{{ .Release.Namespace }} e.g. shipa-postgres.shipa-system + host: + port: 5432 + user: postgres + ## Leave blank to generate a random value + password: + ## options for postgres.source.sslmode are "require", "verify-full", "verify-ca", or "disable + sslmode: disable + ## set postgres.create to false to avoid creating a postgres instance + create: true + persistence: + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + ## storageClass: "" + accessMode: "ReadWriteOnce" + size: 10Gi + +cli: + image: shipasoftware/cli:78310600d29393ef2c204f79d8f37237e4e9fd0c + pullPolicy: Always + +metrics: + image: shipasoftware/metrics:v0.0.7 + pullPolicy: Always + + # Extra configuration to add to prometheus.yaml + # extraPrometheusConfiguration: | + # remote_read: + # - url: http://localhost:9268/read + # remote_write: + # - url: http://localhost:9268/write + extraPrometheusConfiguration: + #password: hardcoded + prometheusArgs: "--storage.tsdb.retention.time=1d" + +busybody: + image: shipasoftware/bb:v0.0.10 + +shipaController: + image: shipasoftware/image-controller:v0.0.22 + +shipaNodeTraefik: + user: admin + +# -------------------------------------------------------------------------- + +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: + +rbac: + enabled: true + +# Connect your own instance of mongodb +externalMongodb: + # url must follow Standard Connection String Format as described here: https://docs.mongodb.com/manual/reference/connection-string/#standard-connection-string-format + # For a sharded cluster it should be a comma separated list of hosts: + # e.g. "mongos0.example.com:27017,mongos1.example.com:27017,mongos2.example.com:27017" + # Due to some limitations of the dependencies, we currently do not support url with 'DNS Seed List Connection Format'. + url: < database url > + auth: + username: < username > + password: < password > + # Enable/Disable TLS when connectiong to external DB instance. + tls: + enable: true + +# tags are standard way to handle chart dependencies. +tags: + # Set defaultDB to 'false' when using external DB to not install default DB. + # It will also prevent creating Persistent Volumes. + defaultDB: true + +certManager: + installUrl: https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.yaml + +# Default DB config +mongodb-replicaset: + replicaSetName: rs0 + replicas: 1 + port: 27017 + nodeSelector: + kubernetes.io/os: linux + auth: + enabled: false + installImage: + name: k8s.gcr.io/mongodb-install + tag: 0.6 + pullPolicy: IfNotPresent + image: + name: mongo + tag: latest + pullPolicy: IfNotPresent + persistentVolume: + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + ## storageClass: "" + enabled: true + size: 10Gi + tls: + enabled: false + configmap: + +shipaCloud: + enabled: false + shipaPayApi: + host: "" + token: "" + googleRecaptcha: + sitekey: "" + secret: "" + smartlook: + projectKey: "" + launchDarkly: + sdkKey: "" + +ketch: + enabled: true + image: shipasoftware/ketch:99a7f1c5ad4b14ea0d12d8ac5e736dfaa8d5357a + metricsAddress: 127.0.0.1:8080 diff --git a/index.yaml b/index.yaml index 2111325a2..05fd8c178 100755 --- a/index.yaml +++ b/index.yaml @@ -2891,6 +2891,39 @@ entries: - assets/portworx/portworx-2.8.0.tgz version: 2.8.0 shipa: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Shipa + catalog.cattle.io/namespace: shipa-system + catalog.cattle.io/release-name: shipa + apiVersion: v2 + appVersion: 1.6.1 + created: "2022-02-15T15:20:25.077532-05:00" + dependencies: + - name: mongodb-replicaset + repository: file://./charts/mongodb-replicaset + tags: + - defaultDB + description: A Helm chart for Kubernetes to install the Shipa Control Plane + digest: 283d1fdb60a0cbeb16abf622da1265f3d712820c851c73f2aa13a140aca7dcce + home: https://www.shipa.io + icon: https://www.shipa.io/wp-content/uploads/2020/11/Shipa-banner-768x307.png + keywords: + - shipa + - deployment + - aac + kubeVersion: '>= 1.16.0-0' + maintainers: + - email: rlachhman@shipa.io + name: ravi + name: shipa + sources: + - https://github.com/shipa-corp + - https://github.com/shipa-corp/helm-chart + type: application + urls: + - assets/shipa/shipa-1.6.100.tgz + version: 1.6.100 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Shipa