Added chart versions:
codefresh/cf-runtime: - 7.4.2
external-secrets/external-secrets: - 0.13.0
jfrog/artifactory-ha: - 107.98.14
jfrog/artifactory-jcr: - 107.98.14
kuma/kuma: - 2.9.3
new-relic/nri-bundle: - 5.0.107
percona/psmdb-db: - 1.19.0
percona/psmdb-operator: - 1.19.0
speedscale/speedscale-operator: - 2.3.134
parent
83d5fbbdbe
commit
4516e2f443
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,3 @@
|
|||
tests/
|
||||
.ci/
|
||||
test-values/
|
|
@ -0,0 +1,28 @@
|
|||
annotations:
|
||||
artifacthub.io/changes: |
|
||||
- kind: fixed
|
||||
description: "reverted engine version back to 1.176.3"
|
||||
artifacthub.io/containsSecurityUpdates: "false"
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: Codefresh
|
||||
catalog.cattle.io/kube-version: '>=1.18-0'
|
||||
catalog.cattle.io/release-name: ""
|
||||
apiVersion: v2
|
||||
dependencies:
|
||||
- name: cf-common
|
||||
repository: oci://quay.io/codefresh/charts
|
||||
version: 0.21.0
|
||||
description: A Helm chart for Codefresh Runner
|
||||
home: https://codefresh.io/
|
||||
icon: file://assets/icons/cf-runtime.png
|
||||
keywords:
|
||||
- codefresh
|
||||
- runner
|
||||
kubeVersion: '>=1.18-0'
|
||||
maintainers:
|
||||
- name: codefresh
|
||||
url: https://codefresh-io.github.io/
|
||||
name: cf-runtime
|
||||
sources:
|
||||
- https://github.com/codefresh-io/venona
|
||||
version: 7.4.2
|
File diff suppressed because it is too large
File diff suppressed because it is too large
|
@ -0,0 +1,37 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "AGENT_NAME: ${AGENT_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "AGENT: ${AGENT}"
|
||||
echo "AGENT_SECRET_NAME: ${AGENT_SECRET_NAME}"
|
||||
echo "DIND_SECRET_NAME: ${DIND_SECRET_NAME}"
|
||||
echo "-----"
|
||||
|
||||
auth() {
|
||||
codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
|
||||
}
|
||||
|
||||
remove_runtime() {
|
||||
if [ "$AGENT" == "true" ]; then
|
||||
codefresh delete re ${RUNTIME_NAME} || true
|
||||
else
|
||||
codefresh delete sys-re ${RUNTIME_NAME} || true
|
||||
fi
|
||||
}
|
||||
|
||||
remove_agent() {
|
||||
codefresh delete agent ${AGENT_NAME} || true
|
||||
}
|
||||
|
||||
remove_secrets() {
|
||||
kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
|
||||
kubectl delete secret $AGENT_SECRET_NAME || true
|
||||
kubectl delete secret $DIND_SECRET_NAME || true
|
||||
}
|
||||
|
||||
auth
|
||||
remove_runtime
|
||||
remove_agent
|
||||
remove_secrets
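Review bot: `auth()` passes `${API_TOKEN}` and `${API_HOST}` unquoted and its result is never checked, so a failed login does not stop the script, and every later cleanup command ends in `|| true`, which makes a failed delete look like success in the hook log. Quote the expansions, `codefresh auth create-context --api-key "${API_TOKEN}" --url "${API_HOST}"`, and exit when `auth` fails. In `remove_secrets`, the `kubectl patch secret $(...)` call receives no names when no secret carries the `codefresh.io/internal=true` label; a check for a non-empty list would keep that case from being hidden behind `|| true`. The token is also given as a command-line argument, which presumably makes it visible in the container's process list while the CLI runs.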
|
|
@ -0,0 +1,132 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
#---
|
||||
fatal() {
|
||||
echo "ERROR: $1"
|
||||
exit 1
|
||||
}
|
||||
|
||||
msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
|
||||
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
|
||||
|
||||
exit_trap () {
|
||||
local lc="$BASH_COMMAND" rc=$?
|
||||
if [ $rc != 0 ]; then
|
||||
if [[ -n "$SLEEP_ON_ERROR" ]]; then
|
||||
echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
|
||||
sleep $SLEEP_ON_ERROR
|
||||
fi
|
||||
fi
|
||||
}
|
||||
trap exit_trap EXIT
|
||||
|
||||
usage() {
|
||||
echo "Usage:
|
||||
$0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
|
||||
|
||||
Example:
|
||||
$0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
|
||||
|
||||
"
|
||||
}
|
||||
|
||||
# Args
|
||||
while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
|
||||
do
|
||||
key=$1
|
||||
value=$2
|
||||
|
||||
case $key in
|
||||
-h|--help)
|
||||
usage
|
||||
exit
|
||||
;;
|
||||
-n|--namespace)
|
||||
NAMESPACE="$value"
|
||||
shift
|
||||
;;
|
||||
--server-cert-cn)
|
||||
SERVER_CERT_CN="$value"
|
||||
shift
|
||||
;;
|
||||
--server-cert-extra-sans)
|
||||
SERVER_CERT_EXTRA_SANS="$value"
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
shift # past argument or value
|
||||
done
|
||||
|
||||
API_HOST=${1:-"$CF_API_HOST"}
|
||||
API_TOKEN=${2:-"$CF_API_TOKEN"}
|
||||
|
||||
[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
|
||||
[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
|
||||
|
||||
|
||||
API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
|
||||
|
||||
NAMESPACE=${NAMESPACE:-default}
|
||||
RELEASE=${RELEASE:-cf-runtime}
|
||||
|
||||
DIR=$(dirname $0)
|
||||
TMPDIR=/tmp/codefresh/
|
||||
|
||||
TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
|
||||
TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
|
||||
CERTS_DIR=$TMPDIR/ssl
|
||||
SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
|
||||
SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
|
||||
SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
|
||||
SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
|
||||
CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
|
||||
CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
|
||||
mkdir -p $TMPDIR $CERTS_DIR
|
||||
|
||||
K8S_CERT_SECRET_NAME=codefresh-certs-server
|
||||
echo -e "\n------------------\nGenerating server tls certificates ... "
|
||||
|
||||
SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
|
||||
SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
|
||||
###
|
||||
|
||||
openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
|
||||
openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR || fatal "Failed to generate openssl csr "
|
||||
GENERATE_CERTS=true
|
||||
CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
|
||||
|
||||
SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
|
||||
if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
|
||||
SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
|
||||
fi
|
||||
echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
|
||||
|
||||
rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
|
||||
|
||||
SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
|
||||
-o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
|
||||
|
||||
echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
|
||||
if [[ $SIGN_STATUS != 200 ]]; then
|
||||
echo "ERROR: Cannot sign certificates"
|
||||
if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
|
||||
mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
|
||||
cat ${TMP_CERTS_FILE_ZIP}.error
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
unzip -o -d ${CERTS_DIR}/ ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
|
||||
cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
|
||||
cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
|
||||
|
||||
|
||||
echo -e "\n------------------\nCreating certificate secret "
|
||||
|
||||
kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
|
||||
--from-file=$SRV_TLS_CA_CERT \
|
||||
--from-file=$SRV_TLS_KEY \
|
||||
--from-file=$SRV_TLS_CERT \
|
||||
--dry-run=client -o yaml | kubectl apply --overwrite -f -
|
||||
kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
|
||||
kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'
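Review bot: The signing request is sent with `curl -k`, so the API token in the `Authorization` header and the returned CA and server certificate travel over a connection whose server certificate is never verified. Drop `-k`, or make it an explicit opt-in and use `--cacert` for hosts behind a private CA. The private key is also written under the fixed directory `/tmp/codefresh/` with the default umask, and nothing visible in this script removes that directory after the secret is created. Setting `umask 077` and using `TMPDIR=$(mktemp -d)` with a cleanup in `exit_trap` would keep the key out of a predictable, shared location.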
|
|
@ -0,0 +1,80 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "AGENT_NAME: ${AGENT_NAME}"
|
||||
echo "KUBE_CONTEXT: ${KUBE_CONTEXT}"
|
||||
echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}"
|
||||
echo "OWNER_NAME: ${OWNER_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "SECRET_NAME: ${SECRET_NAME}"
|
||||
echo "-----"
|
||||
|
||||
create_agent_secret() {
|
||||
|
||||
kubectl apply -f - <<EOF
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: ${SECRET_NAME}
|
||||
namespace: ${KUBE_NAMESPACE}
|
||||
labels:
|
||||
codefresh.io/internal: "true"
|
||||
finalizers:
|
||||
- kubernetes
|
||||
ownerReferences:
|
||||
- apiVersion: apps/v1
|
||||
kind: Deploy
|
||||
name: ${OWNER_NAME}
|
||||
uid: ${OWNER_UID}
|
||||
stringData:
|
||||
agent-codefresh-token: ${1}
|
||||
EOF
|
||||
|
||||
}
|
||||
|
||||
OWNER_UID=$(kubectl get deploy ${OWNER_NAME} --namespace ${KUBE_NAMESPACE} -o jsonpath='{.metadata.uid}')
|
||||
echo "got owner uid: ${OWNER_UID}"
|
||||
|
||||
if [ ! -z "${AGENT_CODEFRESH_TOKEN}" ]; then
|
||||
echo "-----"
|
||||
echo "runtime and agent are already initialized"
|
||||
echo "-----"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -z "${EXISTING_AGENT_CODEFRESH_TOKEN}" ]; then
|
||||
echo "using existing agentToken value"
|
||||
create_agent_secret $EXISTING_AGENT_CODEFRESH_TOKEN
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
|
||||
echo "-----"
|
||||
echo "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
|
||||
echo "-----"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
|
||||
|
||||
# AGENT_TOKEN might be empty, in which case it will be returned by the call
|
||||
RES=$(codefresh install agent \
|
||||
--name ${AGENT_NAME} \
|
||||
--kube-context-name ${KUBE_CONTEXT} \
|
||||
--kube-namespace ${KUBE_NAMESPACE} \
|
||||
--agent-kube-namespace ${KUBE_NAMESPACE} \
|
||||
--install-runtime \
|
||||
--runtime-name ${RUNTIME_NAME} \
|
||||
--skip-cluster-creation \
|
||||
--platform-only)
|
||||
|
||||
AGENT_CODEFRESH_TOKEN=$(echo "${RES}" | tail -n 1)
|
||||
echo "generated agent + runtime in platform"
|
||||
|
||||
create_agent_secret $AGENT_CODEFRESH_TOKEN
|
||||
|
||||
echo "-----"
|
||||
echo "done initializing runtime and agent"
|
||||
echo "-----"
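Review bot: The exit status of `codefresh install agent` is never checked, so when the call fails the last line of whatever it printed to stdout (possibly nothing) is stored as `agent-codefresh-token` and the script still prints "done initializing runtime and agent". Add a check such as `RES=$(codefresh install agent ...) || { echo "agent install failed"; exit 1; }` and refuse an empty `AGENT_CODEFRESH_TOKEN` before calling `create_agent_secret`. The token is spliced unquoted into the heredoc (`agent-codefresh-token: ${1}`) and passed unquoted to `create_agent_secret`; quoting both avoids word splitting and YAML re-typing of the value. The `ownerReferences` entry uses `kind: Deploy`, whereas the apps/v1 kind is `Deployment`, so the owner link is unlikely to resolve as intended.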
|
|
@ -0,0 +1,38 @@
|
|||
#!/bin/bash
|
||||
|
||||
echo "-----"
|
||||
echo "API_HOST: ${API_HOST}"
|
||||
echo "KUBE_CONTEXT: ${KUBE_CONTEXT}"
|
||||
echo "KUBE_NAMESPACE: ${KUBE_NAMESPACE}"
|
||||
echo "OWNER_NAME: ${OWNER_NAME}"
|
||||
echo "RUNTIME_NAME: ${RUNTIME_NAME}"
|
||||
echo "CONFIGMAP_NAME: ${CONFIGMAP_NAME}"
|
||||
echo "RECONCILE_INTERVAL: ${RECONCILE_INTERVAL}"
|
||||
echo "-----"
|
||||
|
||||
msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
|
||||
err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
|
||||
|
||||
|
||||
if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
|
||||
err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
|
||||
|
||||
while true; do
|
||||
msg "Reconciling ${RUNTIME_NAME} runtime"
|
||||
|
||||
sleep $RECONCILE_INTERVAL
|
||||
|
||||
codefresh get re \
|
||||
--name ${RUNTIME_NAME} \
|
||||
-o yaml \
|
||||
| yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
|
||||
|
||||
kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
|
||||
| yq 'del(.metadata.resourceVersion, .metadata.uid)' \
|
||||
| yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
|
||||
| kubectl apply -f -
|
||||
done
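Review bot: The loop pipes `codefresh get re` through `yq` into `/tmp/runtime.yaml` without checking that the fetch succeeded, so an API error or a rejected token can leave an empty or partial `runtime.yaml` that is then applied to the ConfigMap on that pass. Add `set -o pipefail` near the top and skip the `kubectl apply` for that iteration when the fetch pipeline fails, logging it through `err`. The result of `codefresh auth create-context` before the loop is not checked either, and the variable expansions throughout the script are unquoted.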
|
|
@ -0,0 +1,70 @@
|
|||
{{- define "app-proxy.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: app-proxy
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include "app-proxy.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
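Review bot: The `app-proxy` container has no container-level `securityContext`; only the optional pod-level block from `.Values.podSecurityContext` is rendered, and it is skipped entirely unless `enabled` is set. Consider rendering a container `securityContext` with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`, overridable from values, so the default install does not rely on the container runtime's defaults. The same applies to the `event-exporter` and `monitor` deployment templates later in this commit. The `volumeMounts:` and `volumes:` keys are also emitted when `extraVolumeMounts` and `extraVolumes` are empty, which renders them as null; moving each key inside its `with` block would be cleaner.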
|
|
@ -0,0 +1,19 @@
|
|||
{{- define "app-proxy.environment-variables.defaults" }}
|
||||
PORT: 3000
|
||||
{{- end }}
|
||||
|
||||
{{- define "app-proxy.environment-variables.calculated" }}
|
||||
CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
{{- with .Values.ingress.pathPrefix }}
|
||||
API_PATH_PREFIX: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "app-proxy.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,43 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "app-proxy.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "app-proxy.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "app-proxy.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: app-proxy
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "app-proxy.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: app-proxy
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "app-proxy.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,32 @@
|
|||
{{- define "app-proxy.resources.ingress" -}}
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels: {{- include "app-proxy.labels" . | nindent 4 }}
|
||||
{{- with .Values.ingress.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
ingressClassName: {{ .Values.ingress.class }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.tlsSecret }}
|
||||
tls:
|
||||
- hosts:
|
||||
- {{ .Values.ingress.host }}
|
||||
secretName: {{ .Values.ingress.tlsSecret }}
|
||||
{{- end }}
|
||||
rules:
|
||||
- host: {{ .Values.ingress.host }}
|
||||
http:
|
||||
paths:
|
||||
- path: {{ .Values.ingress.pathPrefix | default "/" }}
|
||||
pathType: ImplementationSpecific
|
||||
backend:
|
||||
service:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
port:
|
||||
number: 80
|
||||
{{- end -}}
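Review bot: `.Values.ingress.host` is rendered unquoted and without a presence check in both `tls[].hosts` and `rules[].host`; if it is left empty the rule renders as `- host:` (null), which Kubernetes treats as a rule matching all hosts. Use `- host: {{ required "ingress.host is required" .Values.ingress.host | quote }}` in both places. TLS is only configured when `ingress.tlsSecret` is set, so unless the ingress controller terminates TLS some other way the default exposes app-proxy over plain HTTP; a comment stating that next to the value would help operators.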
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "app-proxy.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "app-proxy.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "app-proxy.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
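Review bot: `roleRef.kind` is hard-coded to `Role`, but the binding becomes a `ClusterRoleBinding` and the role a `ClusterRole` when `rbac.namespaced` is false, so in that mode the binding refers to a Role this template does not create. Use the same ternary as the role, `kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}`, as the monitor RBAC template in this commit does. In the non-namespaced mode the first rule grants `get` on `secrets` in every namespace; if app-proxy only needs specific secrets, `resourceNames` or a namespaced default would narrow that.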
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "app-proxy.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "app-proxy.fullname" . }}
|
||||
labels:
|
||||
{{- include "app-proxy.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 3000
|
||||
selector:
|
||||
{{- include "app-proxy.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,62 @@
|
|||
{{- define "event-exporter.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: event-exporter
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
args: [--running-in-cluster=true]
|
||||
env:
|
||||
{{- include "event-exporter.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9102
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,14 @@
|
|||
{{- define "event-exporter.environment-variables.defaults" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "event-exporter.environment-variables.calculated" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "event-exporter.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,43 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "event-exporter.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "event-exporter.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "event-exporter.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
app: event-exporter
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "event-exporter.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
app: event-exporter
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "event-exporter.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "event-exporter.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "event-exporter.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: [events]
|
||||
verbs: [get, list, watch]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "event-exporter.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "event-exporter.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: metrics
|
||||
port: 9102
|
||||
targetPort: metrics
|
||||
protocol: TCP
|
||||
selector:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,14 @@
|
|||
{{- define "event-exporter.resources.serviceMonitor" -}}
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: {{ include "event-exporter.fullname" . }}
|
||||
labels:
|
||||
{{- include "event-exporter.labels" . | nindent 4 }}
|
||||
spec:
|
||||
endpoints:
|
||||
- port: metrics
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "event-exporter.selectorLabels" . | nindent 6 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,70 @@
|
|||
{{- define "monitor.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "monitor.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "monitor.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "monitor.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: monitor
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include "monitor.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 9020
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /api/ping
|
||||
port: 9020
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,26 @@
|
|||
{{- define "monitor.environment-variables.defaults" }}
|
||||
SERVICE_NAME: {{ include "monitor.fullname" . }}
|
||||
PORT: 9020
|
||||
HELM3: true
|
||||
NODE_OPTIONS: "--max_old_space_size=4096"
|
||||
{{- end }}
|
||||
|
||||
{{- define "monitor.environment-variables.calculated" }}
|
||||
API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
|
||||
ACCOUNT_ID: {{ .Values.global.accountId }}
|
||||
NAMESPACE: {{ .Release.Namespace }}
|
||||
{{- if .Values.rbac.namespaced }}
|
||||
ROLE_BINDING: true
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "monitor.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
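Review bot: `ACCOUNT_ID`, `CLUSTER_ID` and `NAMESPACE` are rendered unquoted and then parsed back with `fromYaml`, so a value that looks like a number (an all-digit id, or digits with a single `e`) is re-typed before it reaches the env-var helper. Quote them, e.g. `ACCOUNT_ID: {{ .Values.global.accountId | quote }}`. `HELM3: true` and `ROLE_BINDING: true` become YAML booleans the same way; whether they end up as the string `"true"` depends on the `cf-common` `env-vars` helper, which is not shown here, so writing `"true"` would make the intent explicit.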
|
|
@ -0,0 +1,42 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "monitor.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "monitor.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "monitor.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "monitor.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "monitor.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,56 @@
|
|||
{{- define "monitor.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "monitor.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods" ]
|
||||
verbs: [ "get", "list", "watch", "create", "deletecollection" ]
|
||||
- apiGroups: [ "extensions" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "apps" ]
|
||||
resources: [ "*" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "monitor.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
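Review bot: The first rule of the monitor role grants `get`, `list`, `watch`, `create` and `delete` on `resources: [ "*" ]` in the core API group, which covers secrets, service accounts and config maps, and when `.Values.rbac.namespaced` is false the same rule is rendered as a ClusterRole and bound cluster-wide. Which kinds the monitor actually uses is not visible in this section, so the wildcard should be replaced by an explicit list, e.g. `resources: [ "<kinds the monitor watches>" ]` with `verbs: [ "get", "list", "watch" ]`, keeping `create`/`delete` only on the kinds that need them. The `"*"` entries for the `extensions` and `apps` groups are read-only but deserve the same treatment. A comment above `rules:` such as `{{/* keep this list explicit: "*" in the core group includes secrets */}}` would stop the wildcard from coming back.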
|
|
@ -0,0 +1,17 @@
|
|||
{{- define "monitor.resources.service" -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
protocol: TCP
|
||||
targetPort: 9020
|
||||
selector:
|
||||
{{- include "monitor.selectorLabels" . | nindent 4 }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,103 @@
|
|||
{{- define "runner.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "runner.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "runner.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "runner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
initContainers:
|
||||
- name: init
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
{{- include "runner-init.environment-variables" . | nindent 8 }}
|
||||
{{- with .Values.init.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: runner
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
|
||||
env:
|
||||
{{- include "runner.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
readinessProbe:
|
||||
initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
|
||||
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
|
||||
timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
|
||||
successThreshold: {{ .Values.readinessProbe.successThreshold }}
|
||||
failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
{{- with .Values.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
volumeMounts:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.sidecar.enabled }}
|
||||
- name: reconcile-runtime
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
|
||||
command:
|
||||
- /bin/bash
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
{{- include "runner-sidecar.environment-variables" . | nindent 8 }}
|
||||
{{- with .Values.sidecar.resources }}
|
||||
resources:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
volumes:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
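Review bot: None of the three containers in this Deployment (`init`, `runner`, `reconcile-runtime`) sets a container-level `securityContext`; only the pod-level one is rendered, and only when `.Values.podSecurityContext.enabled` is true. The dind-lv-monitor DaemonSet later in this commit already has the pattern, so each container could take `{{- if .Values.containerSecurityContext.enabled }}`, `securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}`, `{{- end }}`, assuming a matching key is added to this component's values. That is where `allowPrivilegeEscalation: false` and dropped capabilities would go for containers that receive the Codefresh tokens through their environment. The `dind-volume-cleanup` CronJob and the `dind-volume-provisioner` Deployment sections have the same gap.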
|
|
@ -0,0 +1,42 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "runner.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "runner.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "runner.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: runner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "runner.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: runner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "runner.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,53 @@
|
|||
{{- define "runner.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runner.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods", "persistentvolumeclaims" ]
|
||||
verbs: [ "get", "create", "delete", patch ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "configmaps", "secrets" ]
|
||||
verbs: [ "get", "create", "update", patch ]
|
||||
- apiGroups: [ "apps" ]
|
||||
resources: [ "deployments" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runner.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: {{ include "runner.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
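Review bot: The second rule lets the runner's service account `get`, `update` and `patch` every secret and config map in the release namespace, because it carries no `resourceNames`. The env templates in this commit point the pod at one secret (`SECRET_NAME` is `runner.fullname`) and one config map (`CONFIGMAP_NAME` is the runtime fullname plus `-spec`); if those are the only objects it touches, `create` can stay unrestricted (it cannot be limited by name) while the other verbs are pinned as sketched below. Separately, `patch` is unquoted in both verb lists while every other verb is quoted; it parses the same, but `"patch"` would match the rest of the file.

```yaml
  # … unchanged: pods / persistentvolumeclaims rule …
  - apiGroups: [ "" ]
    resources: [ "configmaps", "secrets" ]
    verbs: [ "create" ]
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    resourceNames: [ {{ include "runner.fullname" . | quote }} ]
    verbs: [ "get", "update", "patch" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps" ]
    resourceNames: [ {{ printf "%s-%s" (include "runtime.fullname" .) "spec" | quote }} ]
    verbs: [ "get", "update", "patch" ]
  # … unchanged: deployments rule, .Values.rbac.rules …
```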
|
|
@ -0,0 +1,30 @@
|
|||
{{- define "runner-init.environment-variables.defaults" }}
|
||||
HOME: /tmp
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-init.environment-variables.calculated" }}
|
||||
AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
AGENT_CODEFRESH_TOKEN:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
key: agent-codefresh-token
|
||||
optional: true
|
||||
EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
|
||||
KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
KUBE_NAMESPACE: {{ .Release.Namespace }}
|
||||
OWNER_NAME: {{ include "runner.fullname" . }}
|
||||
RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
SECRET_NAME: {{ include "runner.fullname" . }}
|
||||
USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-init.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,29 @@
|
|||
{{- define "runner.environment-variables.defaults" }}
|
||||
AGENT_MODE: InCluster
|
||||
SELF_DEPLOYMENT_NAME:
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner.environment-variables.calculated" }}
|
||||
AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
CODEFRESH_TOKEN:
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runner.fullname" . }}
|
||||
key: agent-codefresh-token
|
||||
DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
|
||||
RUNTIME_CHART_VERSION: {{ .Chart.Version }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,22 @@
|
|||
{{- define "runner-sidecar.environment-variables.defaults" }}
|
||||
HOME: /tmp
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-sidecar.environment-variables.calculated" }}
|
||||
API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
|
||||
KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
KUBE_NAMESPACE: {{ .Release.Namespace }}
|
||||
OWNER_NAME: {{ include "runner.fullname" . }}
|
||||
RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "runner-sidecar.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.sidecar.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,58 @@
|
|||
{{- define "dind-volume-provisioner.resources.cronjob" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- if not (eq .Values.storage.backend "local") }}
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: {{ include "dind-volume-cleanup.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-cleanup.labels" . | nindent 4 }}
|
||||
spec:
|
||||
concurrencyPolicy: {{ .Values.concurrencyPolicy }}
|
||||
schedule: {{ .Values.schedule | quote }}
|
||||
successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
|
||||
failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
|
||||
{{- with .Values.suspend }}
|
||||
suspend: {{ . }}
|
||||
{{- end }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
|
||||
{{- end }}
|
||||
restartPolicy: {{ .Values.restartPolicy | default "Never" }}
|
||||
containers:
|
||||
- name: dind-volume-cleanup
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
env:
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
|
||||
- name: PROVISIONED_BY
|
||||
value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 14 }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 10 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,98 @@
|
|||
{{- define "dind-volume-provisioner.resources.daemonset" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir }}
|
||||
{{- if eq .Values.storage.backend "local" }}
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: {{ include "dind-lv-monitor.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-lv-monitor.labels" . | nindent 4 }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.volumePermissions.enabled }}
|
||||
initContainers:
|
||||
- name: volume-permissions
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
chown -R {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ $localVolumeParentDir }}
|
||||
name: dind-volume-dir
|
||||
{{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
|
||||
{{- else }}
|
||||
securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.volumePermissions.resources | nindent 10 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: dind-lv-monitor
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
{{- if .Values.containerSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
|
||||
{{- end }}
|
||||
command:
|
||||
- /home/dind-volume-utils/bin/local-volumes-agent
|
||||
env:
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
|
||||
- name: NODE_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: spec.nodeName
|
||||
- name: VOLUME_PARENT_DIR
|
||||
value: {{ $localVolumeParentDir }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 10 }}
|
||||
volumeMounts:
|
||||
- mountPath: {{ $localVolumeParentDir }}
|
||||
readOnly: false
|
||||
name: dind-volume-dir
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: dind-volume-dir
|
||||
hostPath:
|
||||
path: {{ $localVolumeParentDir }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
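Review bot: The `volume-permissions` init container builds its shell command by pasting three values straight into the script (`chown -R {{ … runAsUser }}:{{ … fsGroup }} {{ $localVolumeParentDir }}`), so a path containing a space or a shell metacharacter changes what `/bin/sh -ec` runs, and an unset `runAsUser` or `fsGroup` renders an empty owner. The target is a hostPath on the node and the command is recursive, so a mistaken `volumeParentDir` rewrites ownership of host files. Passing the values as environment variables and quoting the expansions, as below, keeps them as data; wrapping each in `required` would make an unset one fail at render time. The chown also reads `.Values.containerSecurityContext.runAsUser` even when `containerSecurityContext.enabled` is false, which is worth a comment next to it.

```yaml
        args:
          - -ec
          - |
            chown -R "${CHOWN_OWNER}" "${VOLUME_PARENT_DIR}"
        env:
          - name: CHOWN_OWNER
            value: {{ printf "%v:%v" .Values.containerSecurityContext.runAsUser .Values.podSecurityContext.fsGroup | quote }}
          - name: VOLUME_PARENT_DIR
            value: {{ $localVolumeParentDir | quote }}
        # … unchanged: volumeMounts, securityContext, resources …
```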
|
|
@ -0,0 +1,67 @@
|
|||
{{- define "dind-volume-provisioner.resources.deployment" -}}
|
||||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicasCount }}
|
||||
strategy:
|
||||
type: {{ .Values.updateStrategy.type }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
|
||||
serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
{{- if .Values.podSecurityContext.enabled }}
|
||||
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: dind-volume-provisioner
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- /usr/local/bin/dind-volume-provisioner
|
||||
- -v=4
|
||||
- --resync-period=50s
|
||||
env:
|
||||
{{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
volumeMounts:
|
||||
{{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
|
||||
{{- with .Values.extraVolumeMounts }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
{{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
|
||||
{{- with .Values.extraVolumes }}
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
|
@ -0,0 +1,88 @@
|
|||
{{- define "dind-volume-provisioner.environment-variables.defaults" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.environment-variables.calculated" }}
|
||||
DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
|
||||
PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
|
||||
{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
|
||||
AWS_ACCESS_KEY_ID:
|
||||
{{- if .Values.storage.ebs.accessKeyId }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
key: aws_access_key_id
|
||||
{{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
|
||||
AWS_SECRET_ACCESS_KEY:
|
||||
{{- if .Values.storage.ebs.secretAccessKey }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
key: aws_secret_access_key
|
||||
{{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
|
||||
{{- end }}
|
||||
|
||||
{{- if and .Values.storage.mountAzureJson }}
|
||||
AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
|
||||
CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
|
||||
{{- end }}
|
||||
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.environment-variables" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }}
|
||||
{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
|
||||
{{- $overrides := .Values.env }}
|
||||
{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
|
||||
{{- end }}
|
||||
|
||||
|
||||
{{- define "dind-volume-provisioner.volumes.calculated" }}
|
||||
{{- if .Values.storage.gcedisk.serviceAccountJson }}
|
||||
- name: credentials
|
||||
secret:
|
||||
secretName: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
optional: true
|
||||
{{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
- name: credentials
|
||||
secret:
|
||||
secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
|
||||
optional: true
|
||||
{{- end }}
|
||||
{{- if .Values.storage.mountAzureJson }}
|
||||
- name: azure-json
|
||||
hostPath:
|
||||
path: /etc/kubernetes/azure.json
|
||||
type: File
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
|
||||
{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
|
||||
- name: credentials
|
||||
readOnly: true
|
||||
mountPath: "/etc/dind-volume-provisioner/credentials"
|
||||
{{- end }}
|
||||
{{- if .Values.storage.mountAzureJson }}
|
||||
- name: azure-json
|
||||
readOnly: true
|
||||
mountPath: "/etc/kubernetes/azure.json"
|
||||
{{- end }}
|
||||
{{- end }}
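Review bot: The `GOOGLE_APPLICATION_CREDENTIALS` line dereferences `.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key` inside a branch that is also entered when only `serviceAccountJson` is set; if the chart's values leave `serviceAccountJsonSecretKeyRef` unset rather than `{}` (the values file is not visible here), rendering stops with a nil-pointer error. `(dig "key" "google-service-account.json" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef | default dict))` gives the same result without the dereference. The `credentials` volume is declared with `optional: true` in both branches, so a missing or misnamed secret leaves the pod running with `GOOGLE_APPLICATION_CREDENTIALS` pointing at a file that does not exist; dropping `optional: true` makes that fail at pod start instead. `{{- if and .Values.storage.mountAzureJson }}` has a single operand and can be a plain `if`.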
|
|
@ -0,0 +1,93 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.name" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-cleanup.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-lv-monitor.fullname" -}}
|
||||
{{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Provisioner name for storage class
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.volumeProvisionerName" }}
|
||||
{{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-lv-monitor
|
||||
*/}}
|
||||
{{- define "dind-lv-monitor.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: lv-monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels for dind-lv-monitor
|
||||
*/}}
|
||||
{{- define "dind-lv-monitor.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: lv-monitor
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-provisioner
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: volume-provisioner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels for dind-volume-provisioner
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: volume-provisioner
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-cleanup
|
||||
*/}}
|
||||
{{- define "dind-volume-cleanup.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: pv-cleanup
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels for dind-volume-cleanup
|
||||
*/}}
|
||||
{{- define "dind-volume-cleanup.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: pv-cleanup
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "dind-volume-provisioner.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{- define "dind-volume-provisioner.storageClassName" }}
|
||||
{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
|
||||
{{- end }}
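Review bot: The comment above `dind-volume-cleanup.selectorLabels` reads "Common labels for dind-volume-cleanup", a copy of the one on the preceding template; it should read `Selector labels for dind-volume-cleanup`. `dind-volume-cleanup.fullname` truncates at 52 where every other name helper in this file uses 63, with no explanation. If that is the CronJob name limit, a comment such as `{{/* CronJob names are limited to 52 characters because the controller appends a suffix to Job names */}}` would keep it from being changed to 63 later.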
|
|
@ -0,0 +1,71 @@
|
|||
{{- define "dind-volume-provisioner.resources.rbac" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if .Values.rbac.create }}
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "persistentvolumes" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "persistentvolumeclaims" ]
|
||||
verbs: [ "get", "list", "watch", "update", "delete" ]
|
||||
- apiGroups: [ "storage.k8s.io" ]
|
||||
resources: [ "storageclasses" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "events" ]
|
||||
verbs: [ "list", "watch", "create", "update", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get", "list" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "nodes" ]
|
||||
verbs: [ "get", "list", "watch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "pods" ]
|
||||
verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "endpoints" ]
|
||||
verbs: [ "get", "list", "watch", "create", "update", "delete" ]
|
||||
- apiGroups: [ "coordination.k8s.io" ]
|
||||
resources: [ "leases" ]
|
||||
verbs: [ "get", "create", "update" ]
|
||||
{{- with .Values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
kind: ClusterRole
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
|
||||
{{- end -}}
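Review bot: The ClusterRole includes `resources: [ "secrets" ]` with `verbs: [ "get", "list" ]` and is bound through a ClusterRoleBinding, so the provisioner's service account can read every secret in every namespace. The only secret this commit shows the provisioner using is its own credentials secret in the release namespace; if that is all it needs, the rule belongs in a namespaced Role as sketched below, with a RoleBinding to the same ServiceAccount. Cluster-wide `create`/`delete`/`patch` on pods and `update`/`delete` on endpoints deserve the same question, though what the provisioner does with them is not visible in this section.

```yaml
# … unchanged: ServiceAccount; ClusterRole without the "secrets" rule …
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ include "dind-volume-provisioner.fullname" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets" ]
    verbs: [ "get", "list" ]
# … unchanged: ClusterRoleBinding …
```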
|
|
@ -0,0 +1,22 @@
|
|||
{{- define "dind-volume-provisioner.resources.secret" -}}
|
||||
{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ include "dind-volume-provisioner.fullname" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
stringData:
|
||||
{{- with .Values.storage.gcedisk.serviceAccountJson }}
|
||||
google-service-account.json: |
|
||||
{{- . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.accessKeyId }}
|
||||
aws_access_key_id: {{ . }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.secretAccessKey }}
|
||||
aws_secret_access_key: {{ . }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
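Review bot: The two AWS credential lines, `aws_access_key_id: {{ . }}` and `aws_secret_access_key: {{ . }}`, are rendered unquoted into `stringData`. A value that YAML types as a number, or that starts with an indicator character, then yields a non-string or a parse error and the Secret is rejected. Quote both, as in `aws_access_key_id: {{ . | quote }}` and `aws_secret_access_key: {{ . | quote }}`. Credentials passed through values are also kept in the Helm release record, so a template comment above the `if` saying so, and pointing to whatever pre-created Secret or workload-identity option the chart offers (none is visible in this file), would help operators choose.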
|
|
@ -0,0 +1,47 @@
|
|||
{{- define "dind-volume-provisioner.resources.storageclass" -}}
|
||||
kind: StorageClass
|
||||
apiVersion: storage.k8s.io/v1
|
||||
metadata:
|
||||
{{/* has to be exactly that */}}
|
||||
name: {{ include "dind-volume-provisioner.storageClassName" . }}
|
||||
labels:
|
||||
{{- include "dind-volume-provisioner.labels" . | nindent 4 }}
|
||||
provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
|
||||
parameters:
|
||||
{{- if eq .Values.storage.backend "local" }}
|
||||
volumeBackend: local
|
||||
volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
|
||||
{{- else if eq .Values.storage.backend "gcedisk" }}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
|
||||
zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
|
||||
AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
|
||||
{{- with .Values.storage.ebs.kmsKeyId }}
|
||||
kmsKeyId: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.iops }}
|
||||
iops: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.ebs.throughput }}
|
||||
throughput: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
|
||||
volumeBackend: {{ .Values.storage.backend }}
|
||||
kind: managed
|
||||
skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
|
||||
fsType: {{ .Values.storage.fsType | default "ext4" }}
|
||||
cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
|
||||
{{- with .Values.storage.azuredisk.availabilityZone }}
|
||||
availabilityZone: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- with .Values.storage.azuredisk.resourceGroup }}
|
||||
resourceGroup: {{ . | quote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
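Review bot: In the `ebs`/`ebs-csi` branch, `encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}` creates the dind volumes unencrypted unless the operator opts in. These volumes presumably hold build caches and image layers, so the default deserves either a flip to `"true"` or an explicit template comment such as `{{/* EBS volumes are unencrypted unless storage.ebs.encrypted is "true" */}}`. The parameters are also quoted inconsistently: `kmsKeyId`, `iops` and `throughput` use `| quote`, while `volumeParentDir`, `zone`, `AvailabilityZone`, `type` and `skuName` do not. StorageClass parameters must be strings, so adding `| quote` to those as well avoids a typed scalar slipping through.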
|
|
@ -0,0 +1,51 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "cf-runtime.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "cf-runtime.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "cf-runtime.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "cf-runtime.labels" -}}
|
||||
helm.sh/chart: {{ include "cf-runtime.chart" . }}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "cf-runtime.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.deployment" $appProxyContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.ingress" $appProxyContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.rbac" $appProxyContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $appProxyContext := deepCopy . }}
|
||||
{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
|
||||
{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $appProxyContext.Values.enabled }}
|
||||
{{- include "app-proxy.resources.service" $appProxyContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.deployment" $eventExporterContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.rbac" $eventExporterContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,11 @@
|
|||
{{- $eventExporterContext := deepCopy . }}
|
||||
{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
|
||||
{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $eventExporterContext.Values.enabled }}
|
||||
{{- include "event-exporter.resources.service" $eventExporterContext }}
|
||||
---
|
||||
{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,6 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
|
||||
{{- range .Values.extraResources }}
|
||||
---
|
||||
{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
|
||||
{{- end }}
|
|
@ -0,0 +1,19 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.engine.runtimeImages }}
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
{{- /* dummy template just to list runtime images */}}
|
||||
name: {{ include "runtime.fullname" . }}-images
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
images: |
|
||||
{{- range $key, $val := $values }}
|
||||
image: {{ $val }}
|
||||
{{- end }}
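Review bot: `$values` is bound to `.Values.runtime.engine.runtimeImages`, and the same map feeds both `with $values.annotations` and `range $key, $val := $values`. If an `annotations` key is ever set under `runtimeImages`, the loop would also print it as an `image:` line. Either read the annotations from a sibling key or skip that key in the loop, for example `{{- if ne $key "annotations" }}` around the `image:` line. When no annotations are set, the bare `annotations:` key renders as null; moving the key inside the `with` block would avoid emitting it.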
|
|
@ -0,0 +1,18 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if $values.enabled }}
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-spec
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
data:
|
||||
runtime.yaml: |
|
||||
{{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
|
||||
{{- end }}
|
|
@ -0,0 +1,68 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.gencerts }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: post-install,post-upgrade
|
||||
helm.sh/hook-weight: "3"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- if $values.rbac.enabled }}
|
||||
serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: gencerts-dind
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
|
||||
env:
|
||||
- name: NAMESPACE
|
||||
value: {{ .Release.Namespace }}
|
||||
- name: RELEASE
|
||||
value: {{ .Release.Name }}
|
||||
- name: CF_API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
- name: CF_API_TOKEN
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
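Review bot: The `env` entries `value: {{ .Release.Namespace }}` and `value: {{ .Release.Name }}` are rendered unquoted, so a namespace or release name made only of digits is parsed as an integer. The API server then rejects the Job, because `env[].value` must be a string. Use `value: {{ .Release.Namespace | quote }}` and `value: {{ .Release.Name | quote }}`, and quote `CF_API_HOST` the same way. The cleanup Job (`AGENT_NAME`, `RUNTIME_NAME`, `API_HOST`, `AGENT_SECRET_NAME`) and the patch Job (`API_HOST`) follow the same pattern. `{{- if and $values.enabled }}` has a single operand, so the `and` can be dropped.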
|
|
@ -0,0 +1,77 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-patch
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: post-install,post-upgrade
|
||||
helm.sh/hook-weight: "5"
|
||||
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-patch
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: patch-runtime
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
codefresh auth create-context --api-key $API_KEY --url $API_HOST
|
||||
cat /usr/share/extras/runtime.yaml
|
||||
codefresh get re
|
||||
{{- if .Values.runtime.agent }}
|
||||
codefresh patch re -f /usr/share/extras/runtime.yaml
|
||||
{{- else }}
|
||||
codefresh patch sys-re -f /usr/share/extras/runtime.yaml
|
||||
{{- end }}
|
||||
env:
|
||||
- name: API_KEY
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
- name: API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /usr/share/extras/runtime.yaml
|
||||
subPath: runtime.yaml
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ include "runtime.fullname" . }}-spec
|
||||
{{- end }}
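Review bot: The inline script runs `cat /usr/share/extras/runtime.yaml` on every install and upgrade, which copies the whole rendered runtime spec into the Job log. That spec includes the `envVars` map built from `.Values.runtime.engine.env`, so any sensitive value an operator puts there becomes readable to anyone with log access. Removing the `cat`, or placing it behind a debug value, avoids this. The shell variables in `codefresh auth create-context --api-key $API_KEY --url $API_HOST` are also unquoted; `--api-key "$API_KEY" --url "$API_HOST"` keeps a value containing whitespace or glob characters from being split.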
|
|
@ -0,0 +1,37 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.gencerts }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- secrets
|
||||
- configmaps
|
||||
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runtime.fullname" . }}-gencerts-dind
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
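Review bot: The Role grants every verb on all `secrets` and `configmaps` in the release namespace, which is broader than a certificate-generation hook should need. If the script manages a fixed set of objects, split the rule so that `get`, `update`, `patch` and `delete` carry `resourceNames` and only `create` stays unrestricted. The script is not shown in this section, so the names have to be confirmed against it. The three manifests are also gated on `$values.enabled` alone, while the Job sets `serviceAccountName` only under `$values.rbac.enabled`, so with `rbac.enabled: false` they are created but unused; `{{- if and $values.enabled $values.rbac.enabled }}` would keep them in step. The cleanup RBAC file has the same gating mismatch.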
|
|
@ -0,0 +1,73 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: Job
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
helm.sh/hook: pre-delete
|
||||
helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
|
||||
{{- with $values.annotations }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
{{- with $values.ttlSecondsAfterFinished }}
|
||||
ttlSecondsAfterFinished: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $values.backoffLimit }}
|
||||
backoffLimit: {{ . | int }}
|
||||
{{- end }}
|
||||
template:
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- if $values.rbac.enabled }}
|
||||
serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml $values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: cleanup
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
|
||||
imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- "/bin/bash"
|
||||
args:
|
||||
- -ec
|
||||
- | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
|
||||
env:
|
||||
- name: AGENT_NAME
|
||||
value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
|
||||
- name: RUNTIME_NAME
|
||||
value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
- name: API_HOST
|
||||
value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
|
||||
- name: API_TOKEN
|
||||
{{- include "runtime.installation-token-env-var-value" . | indent 10}}
|
||||
- name: AGENT
|
||||
value: {{ .Values.runtime.agent | quote }}
|
||||
- name: AGENT_SECRET_NAME
|
||||
value: {{ include "runner.fullname" . }}
|
||||
- name: DIND_SECRET_NAME
|
||||
value: codefresh-certs-server
|
||||
{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
|
||||
{{- with $values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with $values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
restartPolicy: OnFailure
|
||||
{{- end }}
|
|
@ -0,0 +1,46 @@
|
|||
{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{ $values := .Values.runtime.patch }}
|
||||
{{- if and $values.enabled }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
rules:
|
||||
- apiGroups:
|
||||
- "*"
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- "*"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
annotations:
|
||||
"helm.sh/hook": pre-delete
|
||||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ include "runtime.fullname" . }}-cleanup
|
||||
namespace: {{ .Release.Namespace }}
|
||||
{{ end }}
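Review bot: The Role's single rule uses `"*"` for `apiGroups`, `resources` and `verbs`, which makes the pre-delete hook's ServiceAccount a full administrator of the release namespace, with read access to every Secret in it. The cleanup Job's environment names only an agent Secret and a dind Secret (`AGENT_SECRET_NAME`, `DIND_SECRET_NAME`), so the rule can probably be narrowed to the resource types the cleanup script actually touches. The script body is outside this section, so the rule below is a placeholder to confirm, not a verified list.

```yaml
rules:
  # Placeholder scope: confirm the resource types and verbs against
  # files/cleanup-runtime.sh before merging.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "delete"]
```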
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.deployment" $monitorContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.rbac" $monitorContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $monitorContext := deepCopy . }}
|
||||
{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
|
||||
{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $monitorContext.Values.enabled }}
|
||||
{{- include "monitor.resources.service" $monitorContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
|
@ -0,0 +1,2 @@
|
|||
{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
|
||||
{{- include $templateName . -}}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $runnerContext := deepCopy . }}
|
||||
{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
|
||||
{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
|
||||
{{- include "runner.resources.deployment" $runnerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $runnerContext := deepCopy . }}
|
||||
{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
|
||||
{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
|
||||
{{- include "runner.resources.rbac" $runnerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,123 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "runtime.name" -}}
|
||||
{{- printf "%s" (include "cf-runtime.name" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "runtime.fullname" -}}
|
||||
{{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "runtime.labels" -}}
|
||||
{{ include "cf-runtime.labels" . }}
|
||||
codefresh.io/application: runtime
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "runtime.selectorLabels" -}}
|
||||
{{ include "cf-runtime.selectorLabels" . }}
|
||||
codefresh.io/application: runtime
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Return runtime image (classic runtime) with private registry prefix
|
||||
*/}}
|
||||
{{- define "runtime.runtimeImageName" -}}
|
||||
{{- if .registry -}}
|
||||
{{- $imageName := (trimPrefix "quay.io/" .imageFullName) -}}
|
||||
{{- printf "%s/%s" .registry $imageName -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s" .imageFullName -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Environment variable value of Codefresh installation token
|
||||
*/}}
|
||||
{{- define "runtime.installation-token-env-var-value" -}}
|
||||
{{- if .Values.global.codefreshToken }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: {{ include "runtime.installation-token-secret-name" . }}
|
||||
key: codefresh-api-token
|
||||
{{- else if .Values.global.codefreshTokenSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Environment variable value of Codefresh agent token
|
||||
*/}}
|
||||
{{- define "runtime.agent-token-env-var-value" -}}
|
||||
{{- if .Values.global.agentToken }}
|
||||
{{- printf "%s" .Values.global.agentToken | toYaml }}
|
||||
{{- else if .Values.global.agentTokenSecretKeyRef }}
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
{{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print Codefresh API token secret name
|
||||
*/}}
|
||||
{{- define "runtime.installation-token-secret-name" }}
|
||||
{{- print "codefresh-user-token" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print Codefresh host
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.codefresh-host" }}
|
||||
{{- if and (not .Values.global.codefreshHost) }}
|
||||
{{- fail "ERROR: .global.codefreshHost is required" }}
|
||||
{{- else }}
|
||||
{{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print runtime-environment name
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.runtime-name" }}
|
||||
{{- if and (not .Values.global.runtimeName) }}
|
||||
{{- printf "%s/%s" .Values.global.context .Release.Namespace }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.runtimeName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print agent name
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.agent-name" }}
|
||||
{{- if and (not .Values.global.agentName) }}
|
||||
{{- printf "%s_%s" .Values.global.context .Release.Namespace }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.agentName }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Print context
|
||||
*/}}
|
||||
{{- define "runtime.runtime-environment-spec.context-name" }}
|
||||
{{- if and (not .Values.global.context) }}
|
||||
{{- fail "ERROR: .global.context is required" }}
|
||||
{{- else }}
|
||||
{{- printf "%s" .Values.global.context }}
|
||||
{{- end }}
|
||||
{{- end }}
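Review bot: `runtime.agent-token-env-var-value` emits `.Values.global.agentToken` as a literal scalar (`{{- printf "%s" .Values.global.agentToken | toYaml }}`), whereas the installation-token helper above it always resolves to a `secretKeyRef`. Wherever this helper is included, the agent token presumably ends up in clear text in the rendered manifest; the callers are outside this file, so that needs checking there. A comment on the define stating that one branch returns a scalar and the other a `valueFrom` mapping would prevent misuse. Separately, `runtime.runtime-environment-spec.runtime-name` and `agent-name` fall back to `.Values.global.context` directly, so an unset context renders a malformed name instead of failing. Using `(include "runtime.runtime-environment-spec.context-name" .)` in those `printf` calls would reuse the existing `fail` check.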
|
|
@ -0,0 +1,10 @@
|
|||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
{{- /* has to be a constant */}}
|
||||
name: codefresh-dind-config
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
data:
|
||||
daemon.json: |
|
||||
{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}
|
|
@ -0,0 +1,48 @@
|
|||
{{ $values := .Values.runtime }}
|
||||
---
|
||||
{{- if or $values.serviceAccount.create }}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
{{- /* has to be a constant */}}
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
{{- with $values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if $values.rbac.create }}
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
rules:
|
||||
- apiGroups: [ "" ]
|
||||
resources: [ "secrets" ]
|
||||
verbs: [ "get" ]
|
||||
{{- with $values.rbac.rules }}
|
||||
{{ toYaml . | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
---
|
||||
{{- if and $values.serviceAccount.create $values.rbac.create }}
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: codefresh-engine
|
||||
labels:
|
||||
{{- include "runner.labels" . | nindent 4 }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: codefresh-engine
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: codefresh-engine
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
{{- end }}
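Review bot: The Role and RoleBinding take their labels from `runner.labels`, while the ServiceAccount in the same file uses `runtime.labels`. This template is rendered with the chart's root context, not the runner sub-context that other templates build with `deepCopy`, so `{{- include "runtime.labels" . | nindent 4 }}` looks like the intended helper for all three objects. The `secrets` rule grants `get` on every Secret in the namespace to the `codefresh-engine` account; if the engine only reads known Secrets, adding `resourceNames` would narrow it. `{{- if or $values.serviceAccount.create }}` has a single operand, so the `or` can be dropped.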
|
||||
|
|
@ -0,0 +1,235 @@
|
|||
{{- define "runtime.runtime-environment-spec.template" }}
|
||||
{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
|
||||
{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
|
||||
{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
|
||||
{{- $engineContext := .Values.runtime.engine -}}
|
||||
{{- $dindContext := .Values.runtime.dind -}}
|
||||
{{- $imageRegistry := .Values.global.imageRegistry -}}
|
||||
metadata:
|
||||
name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
|
||||
agent: {{ .Values.runtime.agent }}
|
||||
runtimeScheduler:
|
||||
type: KubernetesPod
|
||||
{{- if $engineContext.image }}
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ $engineContext.image.pullPolicy }}
|
||||
{{- with $engineContext.command }}
|
||||
command: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
envVars:
|
||||
{{- with $engineContext.env }}
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
|
||||
CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
|
||||
DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
|
||||
DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
|
||||
DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
|
||||
DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
|
||||
FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
|
||||
GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
|
||||
KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
|
||||
PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
|
||||
TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
|
||||
CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
|
||||
GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
|
||||
COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }}
|
||||
RUNTIME_CHART_VERSION: {{ .Chart.Version }}
|
||||
{{- with $engineContext.userEnvVars }}
|
||||
userEnvVars: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.workflowLimits }}
|
||||
workflowLimits: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
cluster:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
serviceAccount: {{ $engineContext.serviceAccount }}
|
||||
{{- if .Values.runtime.agent }}
|
||||
clusterProvider:
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
{{- else }}
|
||||
{{- if .Values.runtime.inCluster }}
|
||||
inCluster: true
|
||||
kubeconfigFilePath: null
|
||||
{{- else }}
|
||||
name: {{ $name }}
|
||||
kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.nodeSelector }}
|
||||
nodeSelector: {{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.affinity }}
|
||||
affinity: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.tolerations }}
|
||||
tolerations: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.podAnnotations }}
|
||||
annotations:
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.podLabels }}
|
||||
labels: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $engineContext.schedulerName }}
|
||||
schedulerName: {{ $engineContext.schedulerName }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- if $engineContext.resources}}
|
||||
{{- toYaml $engineContext.resources | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $engineContext.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ . }}
|
||||
{{- end }}
|
||||
dockerDaemonScheduler:
|
||||
type: DindKubernetesPod
|
||||
{{- if $dindContext.image }}
|
||||
dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
|
||||
{{- end }}
|
||||
imagePullPolicy: {{ $dindContext.image.pullPolicy }}
|
||||
{{- with $dindContext.userAccess }}
|
||||
userAccess: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.env }}
|
||||
envVars:
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
cluster:
|
||||
namespace: {{ .Release.Namespace }}
|
||||
serviceAccount: {{ $dindContext.serviceAccount }}
|
||||
{{- if .Values.runtime.agent }}
|
||||
clusterProvider:
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
|
||||
{{- else }}
|
||||
{{- if .Values.runtime.inCluster }}
|
||||
inCluster: true
|
||||
kubeconfigFilePath: null
|
||||
{{- else }}
|
||||
name: {{ $name }}
|
||||
kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.nodeSelector }}
|
||||
nodeSelector: {{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.affinity }}
|
||||
affinity: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.tolerations }}
|
||||
tolerations: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.podAnnotations }}
|
||||
annotations:
|
||||
{{- range $key, $val := . }}
|
||||
{{ $key }}: {{ $val | squote }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.podLabels }}
|
||||
labels: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $dindContext.schedulerName }}
|
||||
schedulerName: {{ $dindContext.schedulerName }}
|
||||
{{- end }}
|
||||
{{- if $dindContext.pvcs }}
|
||||
pvcs:
|
||||
{{- range $index, $pvc := $dindContext.pvcs }}
|
||||
- name: {{ $pvc.name }}
|
||||
reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
|
||||
reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
|
||||
storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
|
||||
volumeSize: {{ $pvc.volumeSize }}
|
||||
{{- with $pvc.annotations }}
|
||||
annotations: {{ . | toYaml | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
defaultDindResources:
|
||||
{{- with $dindContext.resources }}
|
||||
{{- if not .requests }}
|
||||
limits: {{- toYaml .limits | nindent 6 }}
|
||||
requests: null
|
||||
{{- else }}
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.terminationGracePeriodSeconds }}
|
||||
terminationGracePeriodSeconds: {{ . }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.userVolumeMounts }}
|
||||
userVolumeMounts: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.userVolumes }}
|
||||
userVolumes: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if and (not .Values.runtime.agent) }}
|
||||
clientCertPath: /etc/ssl/cf/
|
||||
volumeMounts:
|
||||
codefresh-certs-server:
|
||||
name: codefresh-certs-server
|
||||
mountPath: /etc/ssl/cf
|
||||
readOnly: false
|
||||
volumes:
|
||||
codefresh-certs-server:
|
||||
name: codefresh-certs-server
|
||||
secret:
|
||||
secretName: codefresh-certs-server
|
||||
{{- end }}
|
||||
{{- with $dindContext.podSecurityContext }}
|
||||
podSecurityContext: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- with $dindContext.containerSecurityContext }}
|
||||
containerSecurityContext: {{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- if $dindContext.volumePermissions.enabled }}
|
||||
initContainers:
|
||||
- name: volume-permissions
|
||||
image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.volumePermissions.image "context" .) }}
|
||||
imagePullPolicy: {{ $dindContext.volumePermissions.image.pullPolicy | default "Always" }}
|
||||
command:
|
||||
- /bin/sh
|
||||
args:
|
||||
- -ec
|
||||
- |
|
||||
chown -R {{ $dindContext.containerSecurityContext.runAsUser }}:{{ $dindContext.podSecurityContext.fsGroup }} /home/rootless/.local/share/docker
|
||||
volumeMounts:
|
||||
- mountPath: /home/rootless/.local/share/docker
|
||||
name: dind
|
||||
{{- if eq ( toString ( $dindContext.volumePermissions.securityContext.runAsUser )) "auto" }}
|
||||
securityContext: {{- omit $dindContext.volumePermissions.securityContext "runAsUser" | toYaml | nindent 6 }}
|
||||
{{- else }}
|
||||
securityContext: {{- $dindContext.volumePermissions.securityContext | toYaml | nindent 6 }}
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml $dindContext.volumePermissions.resources | nindent 6 }}
|
||||
{{- end }}
|
||||
extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
|
||||
{{- if .Values.runtime.description }}
|
||||
description: {{ .Values.runtime.description }}
|
||||
{{- else }}
|
||||
description: null
|
||||
{{- end }}
|
||||
{{- if .Values.global.accountId }}
|
||||
accountId: {{ .Values.global.accountId }}
|
||||
{{- end }}
|
||||
{{- if not .Values.runtime.agent }}
|
||||
accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
|
||||
{{- end }}
|
||||
{{- if .Values.appProxy.enabled }}
|
||||
appProxy:
|
||||
externalIP: >-
|
||||
{{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
|
||||
{{- end }}
|
||||
{{- if not .Values.runtime.agent }}
|
||||
systemHybrid: true
|
||||
{{- end }}
|
||||
{{- end }}
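Review bot: The `volume-permissions` init container builds its `chown -R` command from `$dindContext.containerSecurityContext.runAsUser` and `$dindContext.podSecurityContext.fsGroup` without checking that either is set. The defaults shown later in this commit leave both maps as `{}`, so enabling `volumePermissions` without them would, as far as I can tell, render an empty owner and group (`chown -R :`) and let the init container succeed without changing ownership. Wrapping each value in `required` turns that into a render-time failure, e.g. `{{ required "runtime.dind.containerSecurityContext.runAsUser must be set when volumePermissions.enabled" $dindContext.containerSecurityContext.runAsUser }}`, and the same for `fsGroup`. Because both values are spliced into a shell line, piping each through `int` would also keep anything but a number out of the command.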
|
|
@ -0,0 +1,11 @@
|
|||
{{- if and .Values.global.codefreshToken }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: {{ include "runtime.installation-token-secret-name" . }}
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
stringData:
|
||||
codefresh-api-token: {{ .Values.global.codefreshToken }}
|
||||
{{- end }}
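Review bot: `codefresh-api-token: {{ .Values.global.codefreshToken }}` writes the token into `stringData` unquoted, so a token that is all digits, or that contains a YAML indicator such as `: ` or ` #`, is retyped or cut short by the parser and the Secret either fails validation or stores a different value. Quote it: `codefresh-api-token: {{ .Values.global.codefreshToken | quote }}`. The `and` in the opening `if` has a single argument and can be dropped. A template comment pointing to `global.codefreshTokenSecretKeyRef` as the option that keeps the token out of the Helm release values would help whoever reads this file next.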
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
labels:
|
||||
{{- include "runtime.labels" . | nindent 4 }}
|
||||
app: dind
|
||||
{{/* has to be a constant */}}
|
||||
name: dind
|
||||
spec:
|
||||
ports:
|
||||
- name: "dind-port"
|
||||
port: 1300
|
||||
protocol: TCP
|
||||
clusterIP: None
|
||||
selector:
|
||||
app: dind
|
|
@ -0,0 +1,11 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
|
||||
{{- end }}
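Review bot: `deepCopy .` does not protect the chart's values here, because the next line replaces `Values` on the copy with `get .Values.volumeProvisioner "dind-volume-cleanup"`, a map taken from the original context; the following `set` calls then add `serviceAccount`, `global`, `storage`, `nameOverride` and `fullnameOverride` to the shared `.Values` tree that every other template reads. The same pattern is repeated in the five wrapper templates that follow (dind-lv-monitor, deployment, rbac, secret, storageclass), where `.Values.volumeProvisioner` itself is modified. Reading the sub-map from the copy avoids the side effect: `{{- $_ := set $volumeProvisionerContext "Values" (get $volumeProvisionerContext.Values.volumeProvisioner "dind-volume-cleanup") }}`. The six preambles are nearly identical and could live in one named helper.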
|
|
@ -0,0 +1,11 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,9 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,10 @@
|
|||
{{- $volumeProvisionerContext := deepCopy . }}
|
||||
{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
|
||||
{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
|
||||
|
||||
{{- if $volumeProvisionerContext.Values.enabled }}
|
||||
{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
|
||||
{{- end }}
|
|
@ -0,0 +1,38 @@
|
|||
volumeProvisioner:
|
||||
env:
|
||||
IS_ROOTLESS: true
|
||||
# -- Only if local volumes are used as backend storage (ignored for ebs/ebs-csi disks)
|
||||
dind-lv-monitor:
|
||||
image:
|
||||
tag: 1.30.0-rootless
|
||||
digest: sha256:712e549e6e843b04684647f17e0973f8047e0d60e6e8b38a693ea64dc75b0479
|
||||
containerSecurityContext:
|
||||
runAsUser: 1000
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
# -- Enable initContainer to run chmod for /var/lib/codefresh/dind-volumes on host nodes
|
||||
volumePermissions:
|
||||
enabled: false
|
||||
|
||||
runtime:
|
||||
dind:
|
||||
image:
|
||||
tag: 26.1.4-1.28.10-rootless
|
||||
digest: sha256:59dfc004eb22a8f09c8a3d585271a055af9df4591ab815bca418c24a2077f5c8
|
||||
userVolumeMounts:
|
||||
dind:
|
||||
name: dind
|
||||
mountPath: /home/rootless/.local/share/docker
|
||||
containerSecurityContext:
|
||||
privileged: true
|
||||
runAsUser: 1000
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#configure-volume-permission-and-ownership-change-policy-for-pods
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
# -- Enable initContainer to run chmod for /home/rootless in DinD pod
|
||||
# !!! Will slow down dind pod startup
|
||||
volumePermissions:
|
||||
enabled: true
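Review bot: `privileged: true` stays in `runtime.dind.containerSecurityContext` of this rootless overlay next to `runAsUser: 1000`, and nothing in the file says why. An operator choosing the rootless values may expect the DinD pod to run without a privileged container, while the namespace's pod-security settings would still have to allow one. If the image requires it, add a comment such as `# rootless dind still needs a privileged container; the namespace must allow privileged pods`; otherwise drop the key. The `volumePermissions` comment under `runtime.dind` also says `chmod`, while the init container in the runtime spec template runs `chown -R`.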
|
|
@ -0,0 +1,916 @@
|
|||
# -- String to partially override cf-runtime.fullname template (will maintain the release name)
|
||||
nameOverride: ""
|
||||
# -- String to fully override cf-runtime.fullname template
|
||||
fullnameOverride: ""
|
||||
# -- Global parameters
|
||||
# @default -- See below
|
||||
global:
|
||||
# -- Global Docker image registry
|
||||
imageRegistry: ""
|
||||
# -- Global Docker registry secret names as array
|
||||
imagePullSecrets: []
|
||||
# -- URL of Codefresh Platform (required!)
|
||||
codefreshHost: "https://g.codefresh.io"
|
||||
# -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
|
||||
# Ref: https://g.codefresh.io/user/settings (see API Keys)
|
||||
# Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
|
||||
codefreshToken: ""
|
||||
# -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
|
||||
codefreshTokenSecretKeyRef: {}
|
||||
# E.g.
|
||||
# codefreshTokenSecretKeyRef:
|
||||
# name: my-codefresh-api-token
|
||||
# key: codefresh-api-token
|
||||
|
||||
# -- Account ID (required!)
|
||||
# Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
|
||||
accountId: ""
|
||||
# -- K8s context name (required!)
|
||||
context: ""
|
||||
# E.g.
|
||||
# context: prod-ue1-runtime-1
|
||||
|
||||
# -- Agent Name (optional!)
|
||||
# If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}`
|
||||
agentName: ""
|
||||
# E.g.
|
||||
# agentName: prod-ue1-runtime-1
|
||||
|
||||
# -- Runtime name (optional!)
|
||||
# If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}`
|
||||
runtimeName: ""
|
||||
# E.g.
|
||||
# runtimeName: prod-ue1-runtime-1/namespace
|
||||
|
||||
# -- DEPRECATED Agent token in plain text.
|
||||
# !!! MUST BE provided if migrating from < 6.x chart version
|
||||
agentToken: ""
|
||||
# -- DEPRECATED Agent token that references an existing secret containing API key.
|
||||
# !!! MUST BE provided if migrating from < 6.x chart version
|
||||
agentTokenSecretKeyRef: {}
|
||||
# E.g.
|
||||
# agentTokenSecretKeyRef:
|
||||
# name: my-codefresh-agent-secret
|
||||
# key: codefresh-agent-token
|
||||
# DEPRECATED -- Use `.Values.global.imageRegistry` instead
|
||||
dockerRegistry: ""
|
||||
# DEPRECATED -- Use `.Values.runtime` instead
|
||||
re: {}
|
||||
# -- Runner parameters
|
||||
# @default -- See below
|
||||
runner:
|
||||
# -- Enable the runner
|
||||
enabled: true
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/venona
|
||||
tag: 2.0.0
|
||||
digest: sha256:bcc6e7495186f1f9c3e885afa891a3bda11b5374a577f069f34ddc75142342ef
|
||||
# -- Init container
|
||||
init:
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cli
|
||||
tag: 0.88.4-rootless
|
||||
digest: sha256:b256d150ff8a636851ddc1d5fb0490114d5036cc5bff357eac6a9899fea87562
|
||||
resources:
|
||||
limits:
|
||||
memory: 512Mi
|
||||
cpu: '1'
|
||||
requests:
|
||||
memory: 256Mi
|
||||
cpu: '0.2'
|
||||
# -- Sidecar container
|
||||
# Reconciles runtime spec from Codefresh API for drift detection
|
||||
sidecar:
|
||||
enabled: false
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/kubectl
|
||||
tag: 1.31.2
|
||||
digest: sha256:a30a8810dde249d0198f67792ed9696363f15c8cecbac955ee9bd267b5454ee7
|
||||
env:
|
||||
RECONCILE_INTERVAL: 300
|
||||
resources: {}
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# E.g.
|
||||
# env:
|
||||
# WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 10001
|
||||
runAsGroup: 10001
|
||||
fsGroup: 10001
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
# -- Set requests and limits
|
||||
resources: {}
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Volume Provisioner parameters
|
||||
# @default -- See below
|
||||
volumeProvisioner:
|
||||
# -- Enable volume-provisioner
|
||||
enabled: true
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-provisioner
|
||||
tag: 1.35.2
|
||||
digest: sha256:ede6f663c912a08b7d335b5ec5518ccc266b27c431d0854d22971005992adc5d
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# E.g.
|
||||
# env:
|
||||
# THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4
|
||||
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# serviceAccount:
|
||||
# annotations:
|
||||
# eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
runAsUser: 3000
|
||||
runAsGroup: 3000
|
||||
fsGroup: 3000
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- `dind-lv-monitor` DaemonSet parameters
|
||||
# (local volumes cleaner)
|
||||
# @default -- See below
|
||||
dind-lv-monitor:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-utils
|
||||
tag: 1.30.0
|
||||
digest: sha256:506915ccb63481cd6b249e9068235100ea2ae39d4c811c3e49851c20cbe5ee6f
|
||||
podAnnotations: {}
|
||||
podSecurityContext:
|
||||
enabled: false
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
containerSecurityContext: {}
|
||||
env: {}
|
||||
resources: {}
|
||||
nodeSelector: {}
|
||||
tolerations:
|
||||
- key: 'codefresh/dind'
|
||||
operator: 'Exists'
|
||||
effect: 'NoSchedule'
|
||||
volumePermissions:
|
||||
enabled: false
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: alpine
|
||||
tag: 3.18
|
||||
digest: sha256:dd60c75fba961ecc5e918961c713f3c42dd5665171c58f9b2ef5aafe081ad5a0
|
||||
resources: {}
|
||||
securityContext:
|
||||
runAsUser: 0 # auto
|
||||
# `dind-volume-cleanup` CronJob parameters
|
||||
# (external volumes cleaner)
|
||||
# @default -- See below
|
||||
dind-volume-cleanup:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind-volume-cleanup
|
||||
tag: 1.2.0
|
||||
digest: sha256:1af3e3ecc87bf2e26ba07ecef68f54ad100d7e3b5fcf074099f627fd5d917369
|
||||
env: {}
|
||||
concurrencyPolicy: Forbid
|
||||
schedule: "*/10 * * * *"
|
||||
successfulJobsHistory: 3
|
||||
failedJobsHistory: 1
|
||||
suspend: false
|
||||
podAnnotations: {}
|
||||
podSecurityContext:
|
||||
enabled: true
|
||||
fsGroup: 3000
|
||||
runAsGroup: 3000
|
||||
runAsUser: 3000
|
||||
nodeSelector: {}
|
||||
affinity: {}
|
||||
tolerations: []
|
||||
# Storage parameters for volume-provisioner
|
||||
# @default -- See below
|
||||
storage:
|
||||
# -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
|
||||
backend: local
|
||||
# -- Set filesystem type (`ext4`/`xfs`)
|
||||
fsType: "ext4"
|
||||
# Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`)
|
||||
# https://kubernetes.io/docs/concepts/storage/volumes/#local
|
||||
# @default -- See below
|
||||
local:
|
||||
# -- Set volume path on the host filesystem
|
||||
volumeParentDir: /var/lib/codefresh/dind-volumes
|
||||
# Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`)
|
||||
# https://aws.amazon.com/ebs/
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration
|
||||
# @default -- See below
|
||||
ebs:
|
||||
# -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required)
|
||||
volumeType: "gp2"
|
||||
# -- Set EBS volumes availability zone (required)
|
||||
availabilityZone: "us-east-1a"
|
||||
# -- Enable encryption (optional)
|
||||
encrypted: "false"
|
||||
# -- Set KMS encryption key ID (optional)
|
||||
kmsKeyId: ""
|
||||
# -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
|
||||
accessKeyId: ""
|
||||
# -- Existing secret containing AWS_ACCESS_KEY_ID.
|
||||
accessKeyIdSecretKeyRef: {}
|
||||
# E.g.
|
||||
# accessKeyIdSecretKeyRef:
|
||||
# name:
|
||||
# key:
|
||||
|
||||
# -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
|
||||
secretAccessKey: ""
|
||||
# -- Existing secret containing AWS_SECRET_ACCESS_KEY
|
||||
secretAccessKeySecretKeyRef: {}
|
||||
# E.g.
|
||||
# secretAccessKeySecretKeyRef:
|
||||
# name:
|
||||
# key:
|
||||
# E.g.
|
||||
# ebs:
|
||||
# volumeType: gp3
|
||||
# availabilityZone: us-east-1c
|
||||
# encrypted: false
|
||||
# iops: "5000"
|
||||
# # I/O operations per second. Only effetive when gp3 volume type is specified.
|
||||
# # Default value - 3000.
|
||||
# # Max - 16,000
|
||||
# throughput: "500"
|
||||
# # Throughput in MiB/s. Only effective when gp3 volume type is specified.
|
||||
# # Default value - 125.
|
||||
# # Max - 1000.
|
||||
# ebs:
|
||||
# volumeType: gp2
|
||||
# availabilityZone: us-east-1c
|
||||
# encrypted: true
|
||||
# kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
|
||||
# accessKeyId: "MYKEYID"
|
||||
# secretAccessKey: "MYACCESSKEY"
|
||||
|
||||
# Storage parameters example for gce disks
|
||||
# https://cloud.google.com/compute/docs/disks#pdspecs
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration
|
||||
# @default -- See below
|
||||
gcedisk:
|
||||
# -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
|
||||
volumeType: "pd-ssd"
|
||||
# -- Set GCP volume availability zone
|
||||
availabilityZone: "us-west1-a"
|
||||
# -- Set Google SA JSON key for volume-provisioner (optional)
|
||||
serviceAccountJson: ""
|
||||
# -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
|
||||
serviceAccountJsonSecretKeyRef: {}
|
||||
# E.g.
|
||||
# gcedisk:
|
||||
# volumeType: pd-ssd
|
||||
# availabilityZone: us-central1-c
|
||||
# serviceAccountJson: |-
|
||||
# {
|
||||
# "type": "service_account",
|
||||
# "project_id": "...",
|
||||
# "private_key_id": "...",
|
||||
# "private_key": "...",
|
||||
# "client_email": "...",
|
||||
# "client_id": "...",
|
||||
# "auth_uri": "...",
|
||||
# "token_uri": "...",
|
||||
# "auth_provider_x509_cert_url": "...",
|
||||
# "client_x509_cert_url": "..."
|
||||
# }
|
||||
# Storage parameters example for Azure Disks
|
||||
# https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks
|
||||
# @default -- See below
|
||||
azuredisk:
|
||||
# -- Set storage type (`Premium_LRS`)
|
||||
skuName: Premium_LRS
|
||||
cachingMode: None
|
||||
# availabilityZone: northeurope-1
|
||||
# resourceGroup:
|
||||
# DiskIOPSReadWrite: 500
|
||||
# DiskMBpsReadWrite: 100
|
||||
mountAzureJson: false
|
||||
# -- Set runtime parameters
|
||||
# @default -- See below
|
||||
runtime:
|
||||
# -- Set annotation on engine Service Account
|
||||
# Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
|
||||
serviceAccount:
|
||||
create: true
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# serviceAccount:
|
||||
# annotations:
|
||||
# eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
|
||||
# -- Set parent runtime to inherit.
|
||||
# Should not be changes. Parent runtime is controlled from Codefresh side.
|
||||
runtimeExtends:
|
||||
- system/default/hybrid/k8s_low_limits
|
||||
# -- Runtime description
|
||||
description: ""
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the engine role
|
||||
rules: []
|
||||
# -- (for On-Premise only) Enable agent
|
||||
agent: true
|
||||
# -- (for On-Premise only) Set inCluster runtime
|
||||
inCluster: true
|
||||
# -- (for On-Premise only) Assign accounts to runtime (list of account ids)
|
||||
accounts: []
|
||||
# -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod).
|
||||
dind:
|
||||
# -- Set dind image.
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/dind
|
||||
tag: 26.1.4-1.28.8 # use `latest-rootless/rootless/26.1.4-1.28.8-rootless` tags for rootless-dind
|
||||
pullPolicy: IfNotPresent
|
||||
digest: sha256:33c343dd01e8a24f0b4a872bbe62884320719f9d9dc27b7a8fed9f7e9fc7e80e
|
||||
# -- Set dind resources.
|
||||
resources:
|
||||
requests: null
|
||||
limits:
|
||||
cpu: 400m
|
||||
memory: 800Mi
|
||||
# -- Set termination grace period.
|
||||
terminationGracePeriodSeconds: 30
|
||||
# -- PV claim spec parametes.
|
||||
pvcs:
|
||||
# -- Default dind PVC parameters
|
||||
dind:
|
||||
# -- PVC name prefix.
|
||||
# Keep `dind` as default! Don't change!
|
||||
name: dind
|
||||
# -- PVC storage class name.
|
||||
# Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner
|
||||
storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}'
|
||||
# -- PVC size.
|
||||
volumeSize: 16Gi
|
||||
# -- PV reuse selector.
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy
|
||||
reuseVolumeSelector: codefresh-app,io.codefresh.accountName
|
||||
reuseVolumeSortOrder: pipeline_id
|
||||
# -- PV annotations.
|
||||
annotations: {}
|
||||
# E.g.:
|
||||
# annotations:
|
||||
# codefresh.io/volume-retention: 7d
|
||||
# -- Set additional env vars.
|
||||
env:
|
||||
DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
|
||||
# -- Set pod annotations.
|
||||
podAnnotations: {}
|
||||
# -- Set pod labels.
|
||||
podLabels: {}
|
||||
# -- Set node selector.
|
||||
nodeSelector: {}
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Set tolerations.
|
||||
tolerations: []
|
||||
# -- Set security context for the pod.
|
||||
podSecurityContext: {}
|
||||
# -- Set container security context.
|
||||
containerSecurityContext: {}
|
||||
# -- Set scheduler name.
|
||||
schedulerName: ""
|
||||
# -- Set service account for pod.
|
||||
serviceAccount: codefresh-engine
|
||||
# -- Keep `true` as default!
|
||||
userAccess: true
|
||||
# -- Add extra volumes
|
||||
userVolumes: {}
|
||||
# E.g.:
|
||||
# userVolumes:
|
||||
# regctl-docker-registry:
|
||||
# name: regctl-docker-registry
|
||||
# secret:
|
||||
# items:
|
||||
# - key: .dockerconfigjson
|
||||
# path: config.json
|
||||
# secretName: regctl-docker-registry
|
||||
# optional: true
|
||||
# -- Add extra volume mounts
|
||||
userVolumeMounts: {}
|
||||
# E.g.:
|
||||
# userVolumeMounts:
|
||||
# regctl-docker-registry:
|
||||
# name: regctl-docker-registry
|
||||
# mountPath: /home/appuser/.docker/
|
||||
# readOnly: true
|
||||
volumePermissions:
|
||||
enabled: false
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: alpine
|
||||
tag: 3.18
|
||||
digest: sha256:dd60c75fba961ecc5e918961c713f3c42dd5665171c58f9b2ef5aafe081ad5a0
|
||||
resources: {}
|
||||
securityContext:
|
||||
runAsUser: 0 # auto
|
||||
# -- Parameters for Engine pod (aka "pipeline" orchestrator).
|
||||
engine:
|
||||
# -- Set image.
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/engine
|
||||
tag: 1.176.3
|
||||
pullPolicy: IfNotPresent
|
||||
digest: sha256:f814ae79c68405e00819458e050b58f0b4cb6db7635961c239beec2fc1f90785
|
||||
# -- Set container command.
|
||||
command:
|
||||
- npm
|
||||
- run
|
||||
- start
|
||||
# -- Set resources.
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
memory: 128Mi
|
||||
limits:
|
||||
cpu: 1000m
|
||||
memory: 2048Mi
|
||||
# -- Set termination grace period.
|
||||
terminationGracePeriodSeconds: 180
|
||||
# -- Set system(base) runtime images.
|
||||
# @default -- See below.
|
||||
runtimeImages:
|
||||
COMPOSE_IMAGE: quay.io/codefresh/compose:v2.32.2-1.5.2@sha256:9177054614f6db006a3500d2b9b8d2cafac4073ce891929d93e117714fccbd4b
|
||||
CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.8@sha256:db1e1e7f038262cb6051b01c20cde276150ae731479e5d1e0aef39d08fc72ae5
|
||||
DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.4.1@sha256:d0e4b679ac83d092bc9424d49741ac6153521b4ab72bf6f7603b70de4b7afd12
|
||||
DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.18@sha256:1a15c3ae0952d3986de7866a3def8ac7e3e39f668fe87fd46c63d886ca06c6d7
|
||||
DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16@sha256:05efc1af8b1196f1b9b3f0781b4dcc1aa2cdd0ffc1347ee5fa81b16d029ec5c2
|
||||
DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.15@sha256:3a3e90cd10801c7ec0d3cf3816d0dcc90894d5d1771448c43f67215d90da5eca
|
||||
FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.7@sha256:1e98266ba808f059005e94e8ae072522aeaff632730a8425b8b8849fce8eabd4
|
||||
GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.2.0@sha256:a3ec854823f17d0fd817d978219122e644b1abd6db778fd835688fcb6d88c515
|
||||
KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11@sha256:b6b3fc6cc5fad3ba9e36055278ce99a74a86876be116574503c6fbb4c1b4aa76
|
||||
PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.7@sha256:3391822b7ad9835cc2a3a0ce5aaa55774ca110a8682d9512205dea24f438718a
|
||||
TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1@sha256:fb7173cfed7536f7de68e75996106e2ce3a0a204e6c5609cba0d7eb62c9db9e1
|
||||
CR_6177_FIXER: alpine:edge@sha256:115729ec5cb049ba6359c3ab005ac742012d92bbaa5b8bc1a878f1e8f62c0cb8
|
||||
GC_BUILDER_IMAGE: quay.io/codefresh/cf-gc-builder:0.5.3@sha256:33ac914e6b844909f188a208cf90e569358cafa5aaa60f49848f49d99bcaf875
|
||||
COSIGN_IMAGE_SIGNER_IMAGE: quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2@sha256:5e0993207aa809c25ed70cf89af444d9720892fb4a29deb82db45618b0cae4a9
|
||||
# -- Set additional env vars.
|
||||
env:
|
||||
# -- Interval to check the exec status in the container-logger
|
||||
CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000
|
||||
# -- Timeout while doing requests to the Docker daemon
|
||||
DOCKER_REQUEST_TIMEOUT_MS: 30000
|
||||
# -- If "true", composition images will be pulled sequentially
|
||||
FORCE_COMPOSE_SERIAL_PULL: false
|
||||
# -- Level of logging for engine
|
||||
LOGGER_LEVEL: debug
|
||||
# -- Enable debug-level logging of outgoing HTTP/HTTPS requests
|
||||
LOG_OUTGOING_HTTP_REQUESTS: false
|
||||
# -- Enable emitting metrics from engine
|
||||
METRICS_PROMETHEUS_ENABLED: true
|
||||
# -- Enable legacy metrics
|
||||
METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false
|
||||
# -- Enable collecting process metrics
|
||||
METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false
|
||||
# -- Host for Prometheus metrics server
|
||||
METRICS_PROMETHEUS_HOST: '0.0.0.0'
|
||||
# -- Port for Prometheus metrics server
|
||||
METRICS_PROMETHEUS_PORT: 9100
|
||||
# -- The timeout till the engine waits for Prometheus to pull the latest metrics before engine shuts down (in milliseconds)
|
||||
METRICS_PROMETHEUS_SCRAPE_TIMEOUT: '15000'
|
||||
# -- Trusted QEMU images used for docker builds - when left blank only 'tonistiigi/binfmt' is trusted.
|
||||
TRUSTED_QEMU_IMAGES: ''
|
||||
# -- Set workflow limits.
|
||||
workflowLimits:
|
||||
# -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds.
|
||||
MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
|
||||
# -- Maximum time for workflow execution; seconds.
|
||||
MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
|
||||
# -- Maximum time allowed to workflow to spend in "elected" state; seconds.
|
||||
MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
|
||||
# -- Maximum retry attempts allowed for workflow.
|
||||
MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
|
||||
# -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds.
|
||||
MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
|
||||
# -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds.
|
||||
MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
|
||||
# -- Time since the last health check report after which workflow is terminated; seconds.
|
||||
TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
|
||||
# -- Time since the last health check report after which the engine is considered unhealthy; seconds.
|
||||
TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
|
||||
# -- Time since the last workflow logs activity after which workflow is terminated; seconds.
|
||||
TIME_INACTIVE_UNTIL_TERMINATION: 2700
|
||||
# -- Set pod annotations.
|
||||
podAnnotations: {}
|
||||
# -- Set pod labels.
|
||||
podLabels: {}
|
||||
# -- Set node selector.
|
||||
nodeSelector: {}
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Set tolerations.
|
||||
tolerations: []
|
||||
# -- Set scheduler name.
|
||||
schedulerName: ""
|
||||
# -- Set service account for pod.
|
||||
serviceAccount: codefresh-engine
|
||||
# -- Set extra env vars
|
||||
userEnvVars: []
|
||||
# E.g.
|
||||
# userEnvVars:
|
||||
# - name: GITHUB_TOKEN
|
||||
# valueFrom:
|
||||
# secretKeyRef:
|
||||
# name: github-token
|
||||
# key: token
|
||||
# -- Parameters for `runtime-patch` post-upgrade/install hook
|
||||
# @default -- See below
|
||||
patch:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cli
|
||||
tag: 0.88.4-rootless
|
||||
digest: sha256:b256d150ff8a636851ddc1d5fb0490114d5036cc5bff357eac6a9899fea87562
|
||||
rbac:
|
||||
enabled: true
|
||||
annotations: {}
|
||||
affinity: {}
|
||||
nodeSelector: {}
|
||||
podSecurityContext: {}
|
||||
resources: {}
|
||||
tolerations: []
|
||||
ttlSecondsAfterFinished: 180
|
||||
env:
|
||||
HOME: /tmp
|
||||
# -- Parameters for `gencerts-dind` post-upgrade/install hook
|
||||
# @default -- See below
|
||||
gencerts:
|
||||
enabled: true
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/kubectl
|
||||
tag: 1.31.2
|
||||
digest: sha256:a30a8810dde249d0198f67792ed9696363f15c8cecbac955ee9bd267b5454ee7
|
||||
rbac:
|
||||
enabled: true
|
||||
annotations: {}
|
||||
affinity: {}
|
||||
nodeSelector: {}
|
||||
podSecurityContext: {}
|
||||
resources: {}
|
||||
tolerations: []
|
||||
ttlSecondsAfterFinished: 180
|
||||
# -- DinD pod daemon config
|
||||
# @default -- See below
|
||||
dindDaemon:
|
||||
hosts:
|
||||
- unix:///var/run/docker.sock
|
||||
- tcp://0.0.0.0:1300
|
||||
tlsverify: true
|
||||
tls: true
|
||||
tlscacert: /etc/ssl/cf-client/ca.pem
|
||||
tlscert: /etc/ssl/cf/server-cert.pem
|
||||
tlskey: /etc/ssl/cf/server-key.pem
|
||||
insecure-registries:
|
||||
- 192.168.99.100:5000
|
||||
metrics-addr: 0.0.0.0:9323
|
||||
experimental: true
|
||||
# App-Proxy parameters
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation
|
||||
# @default -- See below
|
||||
appProxy:
|
||||
# -- Enable app-proxy
|
||||
enabled: false
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cf-app-proxy
|
||||
tag: 0.0.47
|
||||
digest: sha256:324a9b89924152cce195c7239ddd8501c8aa5f901d19bc4d9f3936cbe5dac14f
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# Set app-proxy ingress parameters
|
||||
# @default -- See below
|
||||
ingress:
|
||||
# -- Set path prefix for ingress (keep empty for default `/` path)
|
||||
pathPrefix: ""
|
||||
# -- Set ingress class
|
||||
class: ""
|
||||
# -- Set DNS hostname the ingress will use
|
||||
host: ""
|
||||
# -- Set k8s tls secret for the ingress object
|
||||
tlsSecret: ""
|
||||
# -- Set extra annotations for ingress object
|
||||
annotations: {}
|
||||
# E.g.
|
||||
# ingress:
|
||||
# pathPrefix: "/cf-app-proxy"
|
||||
# class: "nginx"
|
||||
# host: "mydomain.com"
|
||||
# tlsSecret: "tls-cert-app-proxy"
|
||||
# annotations:
|
||||
# nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
# -- Set security context for the pod
|
||||
podSecurityContext: {}
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
# -- Set requests and limits
|
||||
resources: {}
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# Monitor parameters
|
||||
# @default -- See below
|
||||
monitor:
|
||||
# -- Enable monitor
|
||||
# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component
|
||||
enabled: false
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: RollingUpdate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
# -- Set image
|
||||
image:
|
||||
registry: quay.io
|
||||
repository: codefresh/cf-k8s-agent
|
||||
tag: 1.3.19
|
||||
digest: sha256:5be2b798d583abdae68271f57724dd7f2b0251a238845c466fa7b67f078f59ad
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Use Role(true)/ClusterRole(true)
|
||||
namespaced: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
# -- Readiness probe configuration
|
||||
# @default -- See below
|
||||
readinessProbe:
|
||||
failureThreshold: 5
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 5
|
||||
successThreshold: 1
|
||||
timeoutSeconds: 5
|
||||
podSecurityContext: {}
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Add serviceMonitor
|
||||
# @default -- See below
|
||||
serviceMonitor:
|
||||
main:
|
||||
# -- Enable service monitor for dind pods
|
||||
enabled: false
|
||||
nameOverride: dind
|
||||
selector:
|
||||
matchLabels:
|
||||
app: dind
|
||||
endpoints:
|
||||
- path: /metrics
|
||||
targetPort: 9100
|
||||
relabelings:
|
||||
- action: labelmap
|
||||
regex: __meta_kubernetes_pod_label_(.+)
|
||||
# -- Add podMonitor (for engine pods)
|
||||
# @default -- See below
|
||||
podMonitor:
|
||||
main:
|
||||
# -- Enable pod monitor for engine pods
|
||||
enabled: false
|
||||
nameOverride: engine
|
||||
selector:
|
||||
matchLabels:
|
||||
app: runtime
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 9100
|
||||
runner:
|
||||
# -- Enable pod monitor for runner pod
|
||||
enabled: false
|
||||
nameOverride: runner
|
||||
selector:
|
||||
matchLabels:
|
||||
codefresh.io/application: runner
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 8080
|
||||
volume-provisioner:
|
||||
# -- Enable pod monitor for volumeProvisioner pod
|
||||
enabled: false
|
||||
nameOverride: volume-provisioner
|
||||
selector:
|
||||
matchLabels:
|
||||
codefresh.io/application: volume-provisioner
|
||||
podMetricsEndpoints:
|
||||
- path: /metrics
|
||||
targetPort: 8080
|
||||
# -- Event exporter parameters
|
||||
# @default -- See below
|
||||
event-exporter:
|
||||
# -- Enable event-exporter
|
||||
enabled: false
|
||||
# -- Set number of pods
|
||||
replicasCount: 1
|
||||
# -- Upgrade strategy
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
# -- Set pod annotations
|
||||
podAnnotations: {}
|
||||
# -- Set image
|
||||
image:
|
||||
registry: docker.io
|
||||
repository: codefresh/k8s-event-exporter
|
||||
tag: latest
|
||||
digest: sha256:cf52048f1378fb6659dffd1394d68fdf23a7ea709585dc14b5007f3e5a1b7584
|
||||
# -- Add additional env vars
|
||||
env: {}
|
||||
# -- Service Account parameters
|
||||
serviceAccount:
|
||||
# -- Create service account
|
||||
create: true
|
||||
# -- Override service account name
|
||||
name: ""
|
||||
# -- Additional service account annotations
|
||||
annotations: {}
|
||||
# -- RBAC parameters
|
||||
rbac:
|
||||
# -- Create RBAC resources
|
||||
create: true
|
||||
# -- Add custom rule to the role
|
||||
rules: []
|
||||
# -- Set security context for the pod
|
||||
# @default -- See below
|
||||
podSecurityContext:
|
||||
enabled: false
|
||||
# -- Set node selector
|
||||
nodeSelector: {}
|
||||
# -- Set resources
|
||||
resources: {}
|
||||
# -- Set tolerations
|
||||
tolerations: []
|
||||
# -- Set affinity
|
||||
affinity: {}
|
||||
# -- Array of extra objects to deploy with the release
|
||||
extraResources: []
|
||||
# E.g.
|
||||
# extraResources:
|
||||
# - apiVersion: rbac.authorization.k8s.io/v1
|
||||
# kind: ClusterRole
|
||||
# metadata:
|
||||
# name: codefresh-role
|
||||
# rules:
|
||||
# - apiGroups: [ "*"]
|
||||
# resources: ["*"]
|
||||
# verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
|
||||
# - apiVersion: v1
|
||||
# kind: ServiceAccount
|
||||
# metadata:
|
||||
# name: codefresh-user
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# - apiVersion: rbac.authorization.k8s.io/v1
|
||||
# kind: ClusterRoleBinding
|
||||
# metadata:
|
||||
# name: codefresh-user
|
||||
# roleRef:
|
||||
# apiGroup: rbac.authorization.k8s.io
|
||||
# kind: ClusterRole
|
||||
# name: codefresh-role
|
||||
# subjects:
|
||||
# - kind: ServiceAccount
|
||||
# name: codefresh-user
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# - apiVersion: v1
|
||||
# kind: Secret
|
||||
# type: kubernetes.io/service-account-token
|
||||
# metadata:
|
||||
# name: codefresh-user-token
|
||||
# namespace: "{{ .Release.Namespace }}"
|
||||
# annotations:
|
||||
# kubernetes.io/service-account.name: "codefresh-user"
|
|
@ -0,0 +1,6 @@
|
|||
dependencies:
|
||||
- name: bitwarden-sdk-server
|
||||
repository: oci://ghcr.io/external-secrets/charts
|
||||
version: v0.3.1
|
||||
digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
|
||||
generated: "2024-09-20T12:57:07.63511+02:00"
|
|
@ -0,0 +1,25 @@
|
|||
annotations:
|
||||
catalog.cattle.io/certified: partner
|
||||
catalog.cattle.io/display-name: External Secrets Operator
|
||||
catalog.cattle.io/kube-version: '>= 1.19.0-0'
|
||||
catalog.cattle.io/release-name: external-secrets
|
||||
apiVersion: v2
|
||||
appVersion: v0.13.0
|
||||
dependencies:
|
||||
- condition: bitwarden-sdk-server.enabled
|
||||
name: bitwarden-sdk-server
|
||||
repository: oci://ghcr.io/external-secrets/charts
|
||||
version: v0.3.1
|
||||
description: External secret management for Kubernetes
|
||||
home: https://github.com/external-secrets/external-secrets
|
||||
icon: file://assets/icons/external-secrets.png
|
||||
keywords:
|
||||
- kubernetes-external-secrets
|
||||
- secrets
|
||||
kubeVersion: '>= 1.19.0-0'
|
||||
maintainers:
|
||||
- email: kellinmcavoy@gmail.com
|
||||
name: mcavoyk
|
||||
name: external-secrets
|
||||
type: application
|
||||
version: 0.13.0
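Review bot: `version: 0.13.0` and `appVersion: v0.13.0` in this Chart.yaml disagree with the README added in the same commit, whose badge still reads `Version: 0.12.1`. That README is marked as generated ("DO NOT EDIT"), so it should be regenerated from this chart version rather than patched by hand, so that the badge reads `Version: 0.13.0`. The mismatch matters because the README says `image.tag` defaults to the chart appVersion, so anyone auditing the package from its documentation could conclude that a default install runs an older operator image than it does. As far as the README shows, that default is a tag with no digest, so the packaged version string is the only statement of which image is deployed and should be consistent across both files.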
|
|
@ -0,0 +1,226 @@
|
|||
# External Secrets
|
||||
|
||||
<p><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x" alt="external-secrets"></p>
|
||||
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.12.1](https://img.shields.io/badge/Version-0.12.1-informational?style=flat-square)
|
||||
|
||||
External secret management for Kubernetes
|
||||
|
||||
## TL;DR
|
||||
```bash
|
||||
helm repo add external-secrets https://charts.external-secrets.io
|
||||
helm install external-secrets external-secrets/external-secrets
|
||||
```
|
||||
|
||||
## Installing the Chart
|
||||
To install the chart with the release name `external-secrets`:
|
||||
```bash
|
||||
helm install external-secrets external-secrets/external-secrets
|
||||
```
|
||||
|
||||
### Custom Resources
|
||||
By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
|
||||
|
||||
## Uninstalling the Chart
|
||||
To uninstall the `external-secrets` deployment:
|
||||
```bash
|
||||
helm uninstall external-secrets
|
||||
```
|
||||
The command removes all the Kubernetes components associated with the chart and deletes the release.
|
||||
|
||||
## Values
|
||||
|
||||
| Key | Type | Default | Description |
|
||||
|-----|------|---------|-------------|
|
||||
| affinity | object | `{}` | |
|
||||
| bitwarden-sdk-server.enabled | bool | `false` | |
|
||||
| certController.affinity | object | `{}` | |
|
||||
| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
|
||||
| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| certController.extraArgs | object | `{}` | |
|
||||
| certController.extraEnv | list | `[]` | |
|
||||
| certController.extraVolumeMounts | list | `[]` | |
|
||||
| certController.extraVolumes | list | `[]` | |
|
||||
| certController.fullnameOverride | string | `""` | |
|
||||
| certController.hostNetwork | bool | `false` | Run the certController on the host network |
|
||||
| certController.image.flavour | string | `""` | |
|
||||
| certController.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
|
||||
| certController.image.tag | string | `""` | |
|
||||
| certController.imagePullSecrets | list | `[]` | |
|
||||
| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
|
||||
| certController.metrics.listen.port | int | `8080` | |
|
||||
| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
|
||||
| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
|
||||
| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
|
||||
| certController.nameOverride | string | `""` | |
|
||||
| certController.nodeSelector | object | `{}` | |
|
||||
| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
|
||||
| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
| certController.podLabels | object | `{}` | |
|
||||
| certController.podSecurityContext.enabled | bool | `true` | |
|
||||
| certController.priorityClassName | string | `""` | Pod priority class name. |
|
||||
| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
|
||||
| certController.readinessProbe.address | string | `""` | Address for readiness probe |
|
||||
| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
|
||||
| certController.replicaCount | int | `1` | |
|
||||
| certController.requeueInterval | string | `"5m"` | |
|
||||
| certController.resources | object | `{}` | |
|
||||
| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| certController.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| certController.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| certController.securityContext.enabled | bool | `true` | |
|
||||
| certController.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| certController.securityContext.runAsNonRoot | bool | `true` | |
|
||||
| certController.securityContext.runAsUser | int | `1000` | |
|
||||
| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
|
||||
| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
|
||||
| certController.tolerations | list | `[]` | |
|
||||
| certController.topologySpreadConstraints | list | `[]` | |
|
||||
| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
|
||||
| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
|
||||
| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
|
||||
| crds.annotations | object | `{}` | |
|
||||
| crds.conversion.enabled | bool | `true` | If webhook is set to false this also needs to be set to false otherwise the kubeapi will be hammered because the conversion is looking for a webhook endpoint. |
|
||||
| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
|
||||
| crds.createClusterGenerator | bool | `true` | If true, create CRDs for Cluster Generator. |
|
||||
| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
|
||||
| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
|
||||
| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
|
||||
| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
|
||||
| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
|
||||
| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
|
||||
| extraArgs | object | `{}` | |
|
||||
| extraContainers | list | `[]` | |
|
||||
| extraEnv | list | `[]` | |
|
||||
| extraObjects | list | `[]` | |
|
||||
| extraVolumeMounts | list | `[]` | |
|
||||
| extraVolumes | list | `[]` | |
|
||||
| fullnameOverride | string | `""` | |
|
||||
| global.affinity | object | `{}` | |
|
||||
| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
|
||||
| global.nodeSelector | object | `{}` | |
|
||||
| global.tolerations | list | `[]` | |
|
||||
| global.topologySpreadConstraints | list | `[]` | |
|
||||
| hostNetwork | bool | `false` | Run the controller on the host network |
|
||||
| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
|
||||
| image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
|
||||
| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
|
||||
| imagePullSecrets | list | `[]` | |
|
||||
| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
|
||||
| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
|
||||
| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
|
||||
| metrics.listen.port | int | `8080` | |
|
||||
| metrics.service.annotations | object | `{}` | Additional service annotations |
|
||||
| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
|
||||
| metrics.service.port | int | `8080` | Metrics service port to scrape |
|
||||
| nameOverride | string | `""` | |
|
||||
| namespaceOverride | string | `""` | |
|
||||
| nodeSelector | object | `{}` | |
|
||||
| podAnnotations | object | `{}` | Annotations to add to Pod |
|
||||
| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
| podLabels | object | `{}` | |
|
||||
| podSecurityContext.enabled | bool | `true` | |
|
||||
| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
|
||||
| priorityClassName | string | `""` | Pod priority class name. |
|
||||
| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
|
||||
| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
|
||||
| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
|
||||
| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
|
||||
| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
|
||||
| replicaCount | int | `1` | |
|
||||
| resources | object | `{}` | |
|
||||
| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
|
||||
| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
|
||||
| securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| securityContext.enabled | bool | `true` | |
|
||||
| securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| securityContext.runAsNonRoot | bool | `true` | |
|
||||
| securityContext.runAsUser | int | `1000` | |
|
||||
| securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
|
||||
| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
|
||||
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
|
||||
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
|
||||
| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
|
||||
| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
|
||||
| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
|
||||
| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
|
||||
| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
|
||||
| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
|
||||
| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
|
||||
| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
|
||||
| tolerations | list | `[]` | |
|
||||
| topologySpreadConstraints | list | `[]` | |
|
||||
| webhook.affinity | object | `{}` | |
|
||||
| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
|
||||
| webhook.certDir | string | `"/tmp/certs"` | |
|
||||
| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
|
||||
| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
|
||||
| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
|
||||
| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
|
||||
| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
|
||||
| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
|
||||
| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
|
||||
| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
|
||||
| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
|
||||
| webhook.extraArgs | object | `{}` | |
|
||||
| webhook.extraEnv | list | `[]` | |
|
||||
| webhook.extraVolumeMounts | list | `[]` | |
|
||||
| webhook.extraVolumes | list | `[]` | |
|
||||
| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
|
||||
| webhook.fullnameOverride | string | `""` | |
|
||||
| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
|
||||
| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
|
||||
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
|
||||
| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` | |
|
||||
| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
|
||||
| webhook.imagePullSecrets | list | `[]` | |
|
||||
| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
|
||||
| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
|
||||
| webhook.metrics.listen.port | int | `8080` | |
|
||||
| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
|
||||
| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
|
||||
| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
|
||||
| webhook.nameOverride | string | `""` | |
|
||||
| webhook.nodeSelector | object | `{}` | |
|
||||
| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
|
||||
| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
|
||||
| webhook.podLabels | object | `{}` | |
|
||||
| webhook.podSecurityContext.enabled | bool | `true` | |
|
||||
| webhook.port | int | `10250` | The port the webhook will listen to |
|
||||
| webhook.priorityClassName | string | `""` | Pod priority class name. |
|
||||
| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
|
||||
| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
|
||||
| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
|
||||
| webhook.replicaCount | int | `1` | |
|
||||
| webhook.resources | object | `{}` | |
|
||||
| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
|
||||
| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
|
||||
| webhook.securityContext.allowPrivilegeEscalation | bool | `false` | |
|
||||
| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` | |
|
||||
| webhook.securityContext.enabled | bool | `true` | |
|
||||
| webhook.securityContext.readOnlyRootFilesystem | bool | `true` | |
|
||||
| webhook.securityContext.runAsNonRoot | bool | `true` | |
|
||||
| webhook.securityContext.runAsUser | int | `1000` | |
|
||||
| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | |
|
||||
| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
|
||||
| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
|
||||
| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
|
||||
| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
|
||||
| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
|
||||
| webhook.tolerations | list | `[]` | |
|
||||
| webhook.topologySpreadConstraints | list | `[]` | |
|
|
@ -0,0 +1,7 @@
|
|||
**External Secrets Operator** is a Kubernetes operator that integrates external secret management systems like [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/), [HashiCorp Vault](https://www.vaultproject.io/), [Google Secrets Manager](https://cloud.google.com/secret-manager), [Azure Key Vault](https://azure.microsoft.com/en-us/services/key-vault/) and many more.
|
||||
The operator reads information from external APIs and automatically injects the values into a [Kubernetes Secret](https://kubernetes.io/docs/concepts/configuration/secret/).
|
||||
|
||||
### What is the goal of External Secrets Operator?
|
||||
|
||||
The goal of External Secrets Operator is to synchronize secrets from external APIs into Kubernetes. ESO is a collection of custom API resources - `ExternalSecret`, `SecretStore` and `ClusterSecretStore` that provide a user-friendly abstraction for the external API that stores and manages the lifecycle of the secrets for you.
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*.orig
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
||||
.vscode/
|
|
@ -0,0 +1,6 @@
|
|||
apiVersion: v2
|
||||
appVersion: v0.3.1
|
||||
description: A Helm chart for Kubernetes
|
||||
name: bitwarden-sdk-server
|
||||
type: application
|
||||
version: v0.3.1
|
|
@ -0,0 +1,22 @@
|
|||
1. Get the application URL by running these commands:
|
||||
{{- if .Values.ingress.enabled }}
|
||||
{{- range $host := .Values.ingress.hosts }}
|
||||
{{- range .paths }}
|
||||
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- else if contains "NodePort" .Values.service.type }}
|
||||
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bitwarden-sdk-server.fullname" . }})
|
||||
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
|
||||
echo http://$NODE_IP:$NODE_PORT
|
||||
{{- else if contains "LoadBalancer" .Values.service.type }}
|
||||
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
|
||||
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "bitwarden-sdk-server.fullname" . }}'
|
||||
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bitwarden-sdk-server.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
|
||||
echo http://$SERVICE_IP:{{ .Values.service.port }}
|
||||
{{- else if contains "ClusterIP" .Values.service.type }}
|
||||
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "bitwarden-sdk-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
|
||||
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
|
||||
echo "Visit http://127.0.0.1:8080 to use your application"
|
||||
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
|
||||
{{- end }}
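Review bot: Every URL these notes print is hard-coded to `http://` outside the ingress branch (`echo http://$NODE_IP:$NODE_PORT`, `echo http://$SERVICE_IP:{{ .Values.service.port }}` and the `http://127.0.0.1:8080` port-forward hint). The deployment template in this commit instead switches its probes to `scheme: HTTPS` and drops `--insecure` when `.Values.image.tls.enabled` is set. The snapshot added alongside renders the HTTPS form with only `image.tag` overridden, so TLS appears to be the default and the printed URLs would not match what the server speaks. I would derive the scheme from the same value, e.g. `echo http{{ if .Values.image.tls.enabled }}s{{ end }}://$NODE_IP:$NODE_PORT`, and do the same in the LoadBalancer and ClusterIP branches.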
|
|
@ -0,0 +1,62 @@
|
|||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.fullname" -}}
|
||||
{{- if .Values.fullnameOverride }}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride }}
|
||||
{{- if contains $name .Release.Name }}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
|
||||
{{- else }}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Common labels
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.labels" -}}
|
||||
helm.sh/chart: {{ include "bitwarden-sdk-server.chart" . }}
|
||||
{{ include "bitwarden-sdk-server.selectorLabels" . }}
|
||||
{{- if .Chart.AppVersion }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Selector labels
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.selectorLabels" -}}
|
||||
app.kubernetes.io/name: {{ include "bitwarden-sdk-server.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Create the name of the service account to use
|
||||
*/}}
|
||||
{{- define "bitwarden-sdk-server.serviceAccountName" -}}
|
||||
{{- if .Values.serviceAccount.create }}
|
||||
{{- default (include "bitwarden-sdk-server.fullname" .) .Values.serviceAccount.name }}
|
||||
{{- else }}
|
||||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
|
@ -0,0 +1,77 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: {{ include "bitwarden-sdk-server.fullname" . }}
|
||||
labels:
|
||||
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
|
||||
spec:
|
||||
replicas: {{ .Values.replicaCount }}
|
||||
selector:
|
||||
matchLabels:
|
||||
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 6 }}
|
||||
template:
|
||||
metadata:
|
||||
{{- with .Values.podAnnotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 8 }}
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
serviceAccountName: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.podSecurityContext | nindent 8 }}
|
||||
containers:
|
||||
- name: {{ .Chart.Name }}
|
||||
{{- if not .Values.image.tls.enabled }}
|
||||
args:
|
||||
- --insecure
|
||||
{{- end }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.securityContext | nindent 12 }}
|
||||
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
|
||||
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
||||
{{- if .Values.image.tls.enabled }}
|
||||
volumeMounts:
|
||||
{{- toYaml .Values.image.tls.volumeMounts | nindent 10 }}
|
||||
{{- end}}
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: {{ .Values.service.port }}
|
||||
protocol: TCP
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /live
|
||||
port: http
|
||||
{{- if .Values.image.tls.enabled }}
|
||||
scheme: HTTPS
|
||||
{{- end }}
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: http
|
||||
{{- if .Values.image.tls.enabled }}
|
||||
scheme: HTTPS
|
||||
{{- end }}
|
||||
resources:
|
||||
{{- toYaml .Values.resources | nindent 12 }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.affinity }}
|
||||
affinity:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.image.tls.enabled }}
|
||||
volumes:
|
||||
{{- toYaml .Values.image.tls.volumes | nindent 8 }}
|
||||
{{- end}}
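Review bot: Both `securityContext` blocks here are filled only from `.Values.podSecurityContext` and `.Values.securityContext`, and the snapshot added in this commit renders each as `securityContext: {}`, so a default install applies no container hardening. The external-secrets values table earlier on this page documents defaults of `allowPrivilegeEscalation: false`, `capabilities.drop[0]: "ALL"`, `readOnlyRootFilesystem: true`, `runAsNonRoot: true` and `seccompProfile.type: "RuntimeDefault"`. I would ship the same defaults in this chart's values file, which is not visible here. A pod that brokers secret-manager requests deserves the same baseline as the operator; `readOnlyRootFilesystem: true` should first be checked against what the image writes at runtime.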
|
|
@ -0,0 +1,14 @@
|
|||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "bitwarden-sdk-server.fullname" . }}
|
||||
labels:
|
||||
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: {{ .Values.service.type }}
|
||||
ports:
|
||||
- port: {{ .Values.service.port }}
|
||||
targetPort: http
|
||||
name: http
|
||||
selector:
|
||||
{{- include "bitwarden-sdk-server.selectorLabels" . | nindent 4 }}
|
|
@ -0,0 +1,12 @@
|
|||
{{- if .Values.serviceAccount.create -}}
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ include "bitwarden-sdk-server.serviceAccountName" . }}
|
||||
labels:
|
||||
{{- include "bitwarden-sdk-server.labels" . | nindent 4 }}
|
||||
{{- with .Values.serviceAccount.annotations }}
|
||||
annotations:
|
||||
{{- toYaml . | nindent 4 }}
|
||||
{{- end }}
|
||||
{{- end }}
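Review bot: This ServiceAccount never sets `automountServiceAccountToken`, and the deployment template in this commit does not set it on the pod spec either, so the pod gets an API token mounted by default. Nothing visible here indicates the SDK server calls the Kubernetes API (inferred, worth confirming with the maintainers). If it does not, add `automountServiceAccountToken: false` at the top level of this manifest, or expose it as a value the way the external-secrets table documents `serviceAccount.automount`. Separately, with `serviceAccount.create` false and no name set, the `serviceAccountName` helper falls back to the namespace's `default` account, which may carry bindings unrelated to this workload.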
|
|
@ -0,0 +1,60 @@
|
|||
deployment should match snapshot:
|
||||
1: |
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: bitwarden-sdk-server
|
||||
app.kubernetes.io/version: 1.16.0
|
||||
helm.sh/chart: bitwarden-sdk-server-0.1.0
|
||||
name: bitwarden-sdk-server
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/name: bitwarden-sdk-server
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/name: bitwarden-sdk-server
|
||||
spec:
|
||||
containers:
|
||||
- image: ghcr.io/external-secrets/bitwarden-sdk-server:v0.8.0
|
||||
imagePullPolicy: IfNotPresent
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /live
|
||||
port: http
|
||||
scheme: HTTPS
|
||||
name: bitwarden-sdk-server
|
||||
ports:
|
||||
- containerPort: 9998
|
||||
name: http
|
||||
protocol: TCP
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /ready
|
||||
port: http
|
||||
scheme: HTTPS
|
||||
resources: {}
|
||||
securityContext: {}
|
||||
volumeMounts:
|
||||
- mountPath: /certs
|
||||
name: bitwarden-tls-certs
|
||||
securityContext: {}
|
||||
serviceAccountName: bitwarden-sdk-server
|
||||
volumes:
|
||||
- name: bitwarden-tls-certs
|
||||
secret:
|
||||
items:
|
||||
- key: tls.crt
|
||||
path: cert.pem
|
||||
- key: tls.key
|
||||
path: key.pem
|
||||
- key: ca.crt
|
||||
path: ca.pem
|
||||
secretName: bitwarden-tls-certs
|
|
@ -0,0 +1,9 @@
|
|||
suite: test deployment
|
||||
templates:
|
||||
- deployment.yaml
|
||||
tests:
|
||||
- it: deployment should match snapshot
|
||||
set:
|
||||
image.tag: v0.8.0
|
||||
asserts:
|
||||
- matchSnapshot: {}
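Review bot: The suite only snapshots the default render, so the branch of the deployment template that adds `--insecure` when `image.tls.enabled` is false has no test, and a regression that turns plaintext on or off unintentionally would pass. I would add a second case that disables TLS and asserts the container args, as sketched below. The stored snapshot also records `app.kubernetes.io/version: 1.16.0` and `helm.sh/chart: bitwarden-sdk-server-0.1.0`, while the Chart.yaml added in this commit declares `v0.3.1` for both, so the snapshot looks stale and is worth regenerating.

```yaml
tests:
  # … unchanged: "deployment should match snapshot" case …
  - it: passes --insecure only when TLS is disabled
    set:
      image.tls.enabled: false
    asserts:
      - equal:
          path: spec.template.spec.containers[0].args
          value:
            - "--insecure"
```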
|