Charts CI

```
Updated:
  argo/argo-cd:
    - 5.39.0
  asserts/asserts:
    - 1.45.0
  avesha/kubeslice-controller:
    - 1.1.1
  avesha/kubeslice-worker:
    - 1.1.1
  bitnami/airflow:
    - 14.3.3
  bitnami/kafka:
    - 23.0.4
  bitnami/mariadb:
    - 12.2.8
  bitnami/spark:
    - 7.1.1
  bitnami/wordpress:
    - 16.1.26
  datadog/datadog:
    - 3.33.1
  gluu/gluu:
    - 5.0.19
  haproxy/haproxy:
    - 1.32.1
  jenkins/jenkins:
    - 4.4.0
  jfrog/artifactory-ha:
    - 107.63.5
  jfrog/artifactory-jcr:
    - 107.63.5
  weka/csi-wekafsplugin:
    - 2.2.0
```
pull/829/head
github-actions[bot] 2023-07-14 17:11:00 +00:00
parent 566e9abd4c
commit 456c3a5657
320 changed files with 17452 additions and 6693 deletions













assets/gluu/gluu-5.0.19.tgz Normal file








@ -1,7 +1,7 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: Adding the option to set `annotations` for `Certificate` resources
description: Allow configuring Dex's init image resources separately
artifacthub.io/signKey: |
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
@ -33,4 +33,4 @@ name: argo-cd
sources:
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
- https://github.com/argoproj/argo-cd
version: 5.38.1
version: 5.39.0


@ -864,6 +864,7 @@ server:
| dex.initContainers | list | `[]` | Init containers to add to the dex pod |
| dex.initImage.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Argo CD init image imagePullPolicy |
| dex.initImage.repository | string | `""` (defaults to global.image.repository) | Argo CD init image repository |
| dex.initImage.resources | object | `{}` (defaults to dex.resources) | Argo CD init image resources |
| dex.initImage.tag | string | `""` (defaults to global.image.tag) | Argo CD init image tag |
| dex.livenessProbe.enabled | bool | `false` | Enable Kubernetes liveness probe for Dex >= 2.28.0 |
| dex.livenessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |


@ -149,7 +149,7 @@ spec:
- mountPath: /tmp
name: dexconfig
resources:
{{- toYaml .Values.dex.resources | nindent 10 }}
{{- toYaml (default .Values.dex.resources .Values.dex.initImage.resources) | nindent 10 }}
{{- with .Values.dex.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}


@ -951,6 +951,15 @@ dex:
# -- Argo CD init image imagePullPolicy
# @default -- `""` (defaults to global.image.imagePullPolicy)
imagePullPolicy: ""
# -- Argo CD init image resources
# @default -- `{}` (defaults to dex.resources)
resources: {}
# requests:
# cpu: 5m
# memory: 96Mi
# limits:
# cpu: 10m
# memory: 144Mi
# -- Environment variables to pass to the Dex server
env: []


@ -58,4 +58,4 @@ maintainers:
url: https://github.com/asserts
name: asserts
type: application
version: 1.44.0
version: 1.45.0


@ -269,13 +269,19 @@ data:
name: CONFIG_OTEL_COLLECTOR
- description: Can write otel collector config
name: WRITE_OTEL_COLLECTOR
- description: Can read versioned Alert Manager config
name: READ_TENANT_AM_CONFIG
- description: Can read Alertmanager config
name: CONFIG_ALERTMANAGER
- description: Can write Alertmanager config
name: WRITE_ALERTMANAGER
roleToPermissionMap:
API_INTEGRATION: "{OWNER}, {KNOWLEDGE_SENSOR}"
ASSERTS: "{OWNER}, {KNOWLEDGE_SENSOR}, RULE_GENERATOR, TENANT_MANAGER, GENERATE_SLO_RULES"
ASSERTS_READONLY: "{VIEWER}"
KNOWLEDGE_SENSOR: "READ_TENANT_RULES"
OWNER: "{EDITOR}, MANAGE_USER_ROLES, DISABLE_PROM_RULES, INVITE_USERS, GRAFANA_ADMIN, CONFIG_AWS_CLOUDWATCH, WRITE_AWS_CLOUDWATCH, CONFIG_AUTH, WRITE_AUTH, MANAGE_LICENSE_INFO, CONFIG_PROMETHEUS, WRITE_PROMETHEUS, READ_TENANT_RULES, CONFIG_TENANT_CREDENTIAL, DELETE_USER"
KNOWLEDGE_SENSOR: "READ_TENANT_RULES, READ_TENANT_AM_CONFIG"
OWNER: "{EDITOR}, MANAGE_USER_ROLES, DISABLE_PROM_RULES, INVITE_USERS, GRAFANA_ADMIN, CONFIG_AWS_CLOUDWATCH, WRITE_AWS_CLOUDWATCH, CONFIG_AUTH, WRITE_AUTH, MANAGE_LICENSE_INFO, CONFIG_PROMETHEUS, WRITE_PROMETHEUS, READ_TENANT_RULES, CONFIG_TENANT_CREDENTIAL, DELETE_USER, CONFIG_ALERTMANAGER, WRITE_ALERTMANAGER, READ_TENANT_AM_CONFIG"
EDITOR: "{VIEWER}, RULE_THRESHOLD, MANAGE_ALERTS, WRITE_ALERTS, CUSTOM_DASHBOARD, MANAGE_SLO, MANAGE_INTEGRATIONS, LIST_USERS, CONFIG_PROM_RULES, ACCESS_KEY_ALLOWED, CONFIG_RELABEL_RULES, CONFIG_AWS_EXPORTER, CONFIG_MODEL_RULES, WRITE_MODEL_RULES, WRITE_PROM_RULES, WRITE_RELABEL_RULES, WRITE_AWS_EXPORTER, WRITE_INTEGRATIONS, WRITE_SLO, WRITE_RULE_THRESHOLD, READ_TRACE_CONFIG, WRITE_TRACE_CONFIG, IMPORT_CONFIG, EXPORT_CONFIG, VIEW_LICENSE_USAGE, CONFIG_OTEL_COLLECTOR, WRITE_OTEL_COLLECTOR"
VIEWER: "USER"
roles:
@ -356,6 +362,9 @@ data:
default: {{ .Values.server.graphRetentionDays }}
prometheus:
alertmanager:
template:
url: {{ "http://asserts-server.asserts.svc.cluster.local:8030/api-server/v4/prometheus-alerts?tenant={{ tenantId }}" }}
client:
timeout: 30s
metric:
@ -376,5 +385,11 @@ data:
config:
root: file:///opt/asserts/api-server/conf/
aws_exporter:
tenant_mode: multi-tenant
deployment_mode: multi-tenant-single-instance
enabled: false
hekate:
enable: false
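Review bot: The new `prometheus.alertmanager.template.url` hard-codes the service FQDN `asserts-server.asserts.svc.cluster.local:8030` in a ConfigMap that otherwise reads its settings from values (`{{ .Values.server.graphRetentionDays }}` a few lines above), so a release installed into any other namespace, or with a renamed service, points Alertmanager at a host that does not exist. Rendering the namespace keeps the literal `{{ tenantId }}` placeholder intact: `url: {{ printf "http://asserts-server.%s.svc.cluster.local:8030/api-server/v4/prometheus-alerts?tenant={{ tenantId }}" .Release.Namespace }}`. Separately, `READ_TENANT_AM_CONFIG` is granted to the `KNOWLEDGE_SENSOR` role as well as to `OWNER`; Alertmanager configuration commonly embeds receiver credentials (webhook URLs, tokens), so it is worth confirming the sensor role genuinely needs to read it rather than only the owner/editor roles. The enclosing ConfigMap starts outside the hunk.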


@ -5,7 +5,7 @@ annotations:
catalog.cattle.io/namespace: kubeslice-controller
catalog.cattle.io/release-name: kubeslice-controller
apiVersion: v2
appVersion: 1.0.0
appVersion: 1.1.1
description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking
tool for efficient, secure, policy-enforced connectivity and true multi-tenancy
capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure
@ -39,4 +39,4 @@ maintainers:
name: Avesha
name: kubeslice-controller
type: application
version: 1.0.0
version: 1.1.1


@ -1,13 +1,13 @@
# Kubeslice Enterprise Controller Helm Charts
## Prerequisites
📖 Follow the overview and registration [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/)
📖 Follow the overview and registration [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/)
- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher)
- Create and configure the controller cluster following instructions in the prerequisites section [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher)
- Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade]
- Click on the download chart link from the upper right hand section of this page, save it to location available from command prompt
- Untar the chart to get the values.yaml file, update values.yaml with the follwing information
- cluster end point [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint)
- cluster end point [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher#getting-the-controller-cluster-endpoint)
- helm repository username, password and email [From registration]
@ -32,7 +32,7 @@ helm upgrade --history-max=5 --namespace=kubeslice-controller kubeslice-controll
```
### Uninstall KubeSlice Controller
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/uninstalling-the-kubeslice-controller/)
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/getting-started-with-cloud-clusters/uninstalling-kubeslice/uninstalling-the-kubeslice-controller/)
```console
export KUBECONFIG=<CONTROLLER CLUSTER KUBECONFIG>


@ -2,7 +2,7 @@
questions:
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/#registering-to-access-the-enterprise-helm-chart"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/#registering-to-access-the-enterprise-helm-chart"
group: "Global Settings"
label: "Registered Username"
required: true
@ -18,7 +18,7 @@ questions:
variable: imagePullSecrets.password
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher/#getting-the-controller-cluster-endpoint"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-kubeslice-controller-on-rancher/#getting-the-controller-cluster-endpoint"
group: "Controller Settings"
label: "Controller Endpoint"
required: true
@ -50,7 +50,7 @@ questions:
variable: kubeslice.uiproxy.service.type
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/reference/configuration-parameters/#license-parameters"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/reference/configuration-parameters/#license-parameters"
group: "Controller Settings"
label: "Customer Name for generating Trial License"
required: false


@ -158,6 +158,12 @@
"tag": {"type": "string"},
"pullPolicy": {"type": "string"}
}
},
"prometheus": {
"type": "object",
"properties": {
"url": {"type": "string"}
}
}
}
},


@ -9,7 +9,7 @@ kubeslice:
projectnsPrefix: kubeslice
endpoint:
image: aveshasystems/kubeslice-controller-ent
tag: 1.0.0
tag: 1.1.1
pullPolicy: IfNotPresent
ovpnJob:
image: aveshasystems/gateway-certs-generator
@ -31,11 +31,11 @@ kubeslice:
# Kubeslice UI settings
ui:
image: aveshasystems/kubeslice-ui-ent
tag: 1.0.0
tag: 1.1.1
pullPolicy: IfNotPresent
uiv2:
image: aveshasystems/kubeslice-ui-v2-ent
tag: 1.0.1
tag: 1.1.1
pullPolicy: IfNotPresent
dashboard:
image: aveshasystems/kubeslice-kubernetes-dashboard
@ -43,7 +43,7 @@ kubeslice:
pullPolicy: IfNotPresent
uiproxy:
image: aveshasystems/kubeslice-ui-proxy
tag: 1.2.0
tag: 1.3.0
pullPolicy: IfNotPresent
service:
## For kind, set this to NodePort, elsewhere use LoadBalancer or NodePort
@ -54,14 +54,13 @@ kubeslice:
# nodePort:
apigw:
image: aveshasystems/kubeslice-api-gw-ent
tag: 1.8.2
tag: 1.9.0
pullPolicy: IfNotPresent
workerinstaller:
image: aveshasystems/worker-installer
tag: 1.1.9
pullPolicy: Always
pullPolicy: Always
# username & password & email values for imagePullSecrets has to provided to create a secret
imagePullSecrets:
repository: https://index.docker.io/v1/


@ -5,7 +5,7 @@ annotations:
catalog.cattle.io/namespace: kubeslice-system
catalog.cattle.io/release-name: kubeslice-worker
apiVersion: v2
appVersion: 1.0.0
appVersion: 1.1.1
description: Multi cloud networking (MCN), multi cluster, hybrid cloud networking
tool for efficient, secure, policy-enforced connectivity and true multi-tenancy
capabilities. KubeSlice enables enterprise platform teams to reduce infrastructure
@ -39,4 +39,4 @@ maintainers:
name: Avesha
name: kubeslice-worker
type: application
version: 1.0.0
version: 1.1.1


@ -2,7 +2,7 @@
## Prerequisites
- KubeSlice Controller needs to be installed
- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher)
- Create and configure the worker cluster following instructions in prerequisites and "registering the worker cluster" sections [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher)
- Copy the chart version from the upper right hand section of this page [VERSION parameter need during install and upgrade]
- Click on the download link from the upper right hand section of this page, save it to location available from command prompt <LOCATION OF DOWNLOADED CHART.tgz>
- Untar the chart to get the values.yaml file and edit the following fields
@ -34,7 +34,7 @@ helm upgrade --history-max=5 --namespace=kubeslice-system kubeslice-worker kubes
```
### Uninstall Kubeslice Worker
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/1.0.0/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster)
- Follow instructions [documentation](https://docs.avesha.io/documentation/enterprise/1.1.1/getting-started-with-cloud-clusters/uninstalling-kubeslice/deregistering-the-worker-cluster)
```console
export KUBECONFIG=<WORKER CLUSTER KUBECONFIG>


@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 0.6.1
appVersion: 0.6.3
description: Basic Network Service Mesh Infrastructure
name: nsm
version: 0.6.2
version: 0.6.3


@ -1,5 +1,5 @@
apiVersion: v1
appVersion: 0.2.0
appVersion: 0.3.1
description: A Helm chart for Kubernetes
name: admission-webhook
version: 0.2.0
version: 0.3.1


@ -40,8 +40,6 @@ spec:
fieldPath: metadata.namespace
- name: NSM_ANNOTATION
value: networkservicemesh.io
{{/* - name: NSM_CONTAINER_IMAGES*/}}
{{/* value: ghcr.io/networkservicemesh/cmd-nsc:v1.5.0*/}}
- name: NSM_CONTAINER_IMAGES
value: "{{ .Values.nsmInjectContainerImageRegistry }}:{{ .Values.nsmInjectContainerImageTag }}"
- name: NSM_INIT_CONTAINER_IMAGES
@ -49,4 +47,4 @@ spec:
- name: NSM_LABELS
value: spiffe.io/spiffe-id:true
- name: NSM_ENVS
value: NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false
value: NSM_CONNECT_TO=tcp://nsmgr.kubeslice-system.svc.cluster.local:5001,NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false
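Review bot: The `NSM_CONNECT_TO` endpoint added to `NSM_ENVS` hard-codes the `kubeslice-system` namespace (`tcp://nsmgr.kubeslice-system.svc.cluster.local:5001`) in a template whose image settings are otherwise read from `.Values`; the parent chart's catalog annotation does default to that namespace, but a release installed elsewhere would inject a sidecar that cannot reach nsmgr. Rendering it from the release keeps the rest of the line unchanged: `value: NSM_CONNECT_TO=tcp://nsmgr.{{ .Release.Namespace }}.svc.cluster.local:5001,NSM_LOG_LEVEL=TRACE,NSM_LIVENESSCHECKENABLED=false`. `NSM_LOG_LEVEL=TRACE` is also baked into every injected workload; exposing it as a value with a quieter default would avoid trace-level output in production logs. The enclosing Deployment spec continues outside the hunk.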


@ -4,10 +4,10 @@
# Declare variables to be passed into your templates.
webhookImageRegistry: docker.io/aveshasystems/cmd-admission-webhook-k8s
webhookImageTag: 1.6.1
webhookImageTag: 1.6.2
nsmInjectContainerImageRegistry: aveshasystems/cmd-nsc
nsmInjectContainerImageTag: 1.5.4
nsmInjectContainerImageRegistry: docker.io/aveshasystems/cmd-nsc
nsmInjectContainerImageTag: 1.5.6
nsmInjectInitContainerImageRegistry: aveshasystems/cmd-nsc-init
nsmInjectInitContainerImageTag: 1.5.3
nsmInjectInitContainerImageRegistry: docker.io/aveshasystems/cmd-nsc-init
nsmInjectInitContainerImageTag: 1.5.5


@ -1,5 +1,5 @@
apiVersion: v1
appVersion: "1.0"
appVersion: 1.0.1
description: A Helm chart for Kubernetes
name: config
version: 0.1.0
version: 1.0.1


@ -16,8 +16,8 @@ rules:
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["patch", "get", "list", "watch", "update", "read", "write"]
resources: ["configmaps", "services", "pods"]
verbs: ["patch", "get", "list", "watch", "create", "update", "delete", "read", "write"]
- apiGroups: [""]
resources: ["nodes", "services", "namespaces"]
resources: ["nodes", "namespaces"]
verbs: ["get", "list", "watch"]


@ -0,0 +1,6 @@
apiVersion: v2
appVersion: 0.2.3
description: A Helm chart to install the SPIFFE CSI driver.
name: spiffe-csi-driver
type: application
version: 0.1.0


@ -0,0 +1 @@
SPIFFE CSI Driver installed…


@ -0,0 +1,78 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "spiffe-csi-driver.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "spiffe-csi-driver.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Allow the release namespace to be overridden for multi-namespace deployments in combined charts
*/}}
{{- define "spiffe-csi-driver.namespace" -}}
{{- if .Values.namespaceOverride -}}
{{- .Values.namespaceOverride -}}
{{- else -}}
{{- .Release.Namespace -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "spiffe-csi-driver.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "spiffe-csi-driver.labels" -}}
helm.sh/chart: {{ include "spiffe-csi-driver.chart" . }}
{{ include "spiffe-csi-driver.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "spiffe-csi-driver.selectorLabels" -}}
app.kubernetes.io/name: {{ include "spiffe-csi-driver.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "spiffe-csi-driver.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "spiffe-csi-driver.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{- define "spiffe-csi-driver.agent-socket-path" -}}
{{- print .Values.agentSocketPath }}
{{- end }}
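Review bot: `spiffe-csi-driver.agent-socket-path` is the only define in this file without the `{{/* … */}}` header comment every other helper carries, yet among the templates visible in this commit it is the only helper actually called (the DaemonSet pipes it through `| dir` for the agent-socket hostPath); `fullname`, `namespace` and `serviceAccountName` are defined but the DaemonSet and ServiceAccount templates hard-code `spiffe-csi-driver` and `spire` instead. Adding `{{/* Path of the spire-agent Workload API socket; the DaemonSet mounts its parent directory. */}}` above the define would match the file's style and tell a reader why the value is wrapped in a helper.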


@ -0,0 +1,115 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: spiffe-csi-driver
namespace: spire
spec:
selector:
matchLabels:
app.kubernetes.io/name: spiffe-csi-driver
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
app.kubernetes.io/name: spiffe-csi-driver
spec:
serviceAccountName: spiffe-csi-driver
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
# This is the container which runs the SPIFFE CSI driver.
- name: spiffe-csi-driver
image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
args: [
"-workload-api-socket-dir", "/spire-agent-socket",
"-plugin-name", "{{ .Values.pluginName }}",
"-csi-socket-path", "/spiffe-csi/csi.sock",
]
env:
# The CSI driver needs a unique node ID. The node name can be
# used for this purpose.
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
# The volume containing the SPIRE agent socket. The SPIFFE CSI
# driver will mount this directory into containers.
- mountPath: /spire-agent-socket
name: spire-agent-socket-dir
readOnly: true
# The volume that will contain the CSI driver socket shared
# with the kubelet and the driver registrar.
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The volume containing mount points for containers.
- mountPath: {{ .Values.kubeletPath }}/pods
mountPropagation: Bidirectional
name: mountpoint-dir
securityContext:
readOnlyRootFilesystem: true
capabilities:
drop:
- all
privileged: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
# This container runs the CSI Node Driver Registrar which takes care
# of all the little details required to register a CSI driver with
# the kubelet.
- name: node-driver-registrar
image: {{ .Values.nodeDriverRegistrar.image.registry }}/{{ .Values.nodeDriverRegistrar.image.repository }}:{{ .Values.nodeDriverRegistrar.image.tag }}
imagePullPolicy: {{ .Values.nodeDriverRegistrar.image.pullPolicy }}
args: [
"-csi-address", "/spiffe-csi/csi.sock",
"-kubelet-registration-path", "{{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}/csi.sock",
"-health-port", "{{ .Values.healthChecks.port }}"
]
volumeMounts:
# The registrar needs access to the SPIFFE CSI driver socket
- mountPath: /spiffe-csi
name: spiffe-csi-socket-dir
# The registrar needs access to the Kubelet plugin registration
# directory
- name: kubelet-plugin-registration-dir
mountPath: /registration
ports:
- containerPort: {{ .Values.healthChecks.port }}
name: healthz
livenessProbe:
httpGet:
path: /healthz
port: healthz
{{- toYaml .Values.livenessProbe | nindent 12 }}
resources:
{{- toYaml .Values.nodeDriverRegistrar.resources | nindent 12 }}
volumes:
- name: spire-agent-socket-dir
hostPath:
path: {{ include "spiffe-csi-driver.agent-socket-path" . | dir }}
type: DirectoryOrCreate
# This volume is where the socket for kubelet->driver communication lives
- name: spiffe-csi-socket-dir
hostPath:
path: {{ .Values.kubeletPath }}/plugins/{{ .Values.pluginName }}
type: DirectoryOrCreate
# This volume is where the SPIFFE CSI driver mounts volumes
- name: mountpoint-dir
hostPath:
path: {{ .Values.kubeletPath }}/pods
type: Directory
# This volume is where the node-driver-registrar registers the plugin
# with kubelet
- name: kubelet-plugin-registration-dir
hostPath:
path: {{ .Values.kubeletPath }}/plugins_registry
type: Directory
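Review bot: The DaemonSet hard-codes `name: spiffe-csi-driver`, `namespace: spire` and `serviceAccountName: spiffe-csi-driver` although the chart ships `spiffe-csi-driver.fullname`, `spiffe-csi-driver.namespace` and `spiffe-csi-driver.serviceAccountName` helpers and values.yaml documents `serviceAccount.name`, `nameOverride`, `namespaceOverride` and `fullnameOverride`; with `serviceAccount.create: false` and a custom `serviceAccount.name` the pods still reference a ServiceAccount that is never created. Use the helpers, `namespace: {{ include "spiffe-csi-driver.namespace" . }}` and `serviceAccountName: {{ include "spiffe-csi-driver.serviceAccountName" . }}`; the ServiceAccount template in this commit has the same hard-coded pair. The driver container's securityContext is likewise fixed in the template rather than taken from `.Values.securityContext`, and `imagePullSecrets` and `podSecurityContext` from values.yaml are not rendered at all. Note that `privileged: true` is required by `mountPropagation: Bidirectional`, so the `capabilities.drop: [all]` beneath it does not reduce the container's privilege and should not be read as hardening.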


@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: spiffe-csi-driver
namespace: spire
labels:
app.kubernetes.io/name: spiffe-csi-driver
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -0,0 +1,20 @@
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: {{ .Values.pluginName | quote }}
spec:
# Only ephemeral, inline volumes are supported. There is no need for a
# controller to provision and attach volumes.
attachRequired: false
# Request the pod information which the CSI driver uses to verify that an
# ephemeral mount was requested.
podInfoOnMount: true
# Don't change ownership on the contents of the mount since the Workload API
# Unix Domain Socket is typically open to all (i.e. 0777).
fsGroupPolicy: None
# Declare support for ephemeral volumes only.
volumeLifecycleModes:
- Ephemeral


@ -0,0 +1,96 @@
# -- Set the csi driver name deployed to Kubernetes.
pluginName: csi.spiffe.io
image:
# -- The OCI registry to pull the image from
registry: ghcr.io
# -- The repository within the registry
repository: spiffe/spiffe-csi-driver
# -- The image pull policy
pullPolicy: IfNotPresent
# -- This value is deprecated in favor of tag. (Will be removed in a future release)
version: ""
# -- Overrides the image tag whose default is the chart appVersion
tag: 0.2.3
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# requests:
# cpu: 50m
# memory: 32Mi
# limits:
# cpu: 100m
# memory: 64Mi
healthChecks:
port: 9809
livenessProbe:
# -- Initial delay seconds for livenessProbe
initialDelaySeconds: 5
# -- Timeout value in seconds for livenessProbe
timeoutSeconds: 5
imagePullSecrets: []
nameOverride: ""
namespaceOverride: ""
fullnameOverride: ""
serviceAccount:
# -- Specifies whether a service account should be created
create: true
# -- Annotations to add to the service account
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext:
readOnlyRootFilesystem: true
privileged: true
# runAsNonRoot: true
# runAsUser: 1000
# capabilities:
# drop:
# - ALL
nodeSelector: {}
nodeDriverRegistrar:
image:
# -- The OCI registry to pull the image from
registry: registry.k8s.io
# -- The repository within the registry
repository: sig-storage/csi-node-driver-registrar
# -- The image pull policy
pullPolicy: IfNotPresent
# -- This value is deprecated in favor of tag. (Will be removed in a future release)
version: ""
# -- Overrides the image tag
tag: v2.8.0
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# requests:
# cpu: 50m
# memory: 32Mi
# limits:
# cpu: 100m
# memory: 64Mi
# -- The unix socket path to the spire-agent
agentSocketPath: /run/spire/sockets/agent.sock
kubeletPath: /var/lib/kubelet
# -- Priority class assigned to daemonset pods
priorityClassName: ""
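Review bot: The comment on `image.tag` says the default is the chart appVersion, but the DaemonSet template renders `{{ .Values.image.tag }}` with no fallback, so an empty tag would produce an image reference ending in `:`; either implement the fallback in the template, `image: {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}`, or reword the comment. The `image.version` and `nodeDriverRegistrar.image.version` keys are documented as deprecated, but nothing in the templates visible in this commit reads them, and the `securityContext`, `podSecurityContext` and `imagePullSecrets` blocks are not rendered by the DaemonSet either, so they currently have no effect. The helm-docs `# --` prefix is used on some keys but not on `healthChecks`, `kubeletPath`, `resources` or `nodeSelector`; documenting those the same way keeps generated docs complete.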


@ -1,6 +1,6 @@
apiVersion: v2
appVersion: 1.16.0
appVersion: 1.17.0
description: A Helm chart for Kubernetes
name: spire-server
type: application
version: 0.1.0
version: 1.17.0


@ -1,6 +0,0 @@
apiVersion: v2
appVersion: 1.16.0
description: A Helm chart for Kubernetes
name: spire-config
type: application
version: 0.1.0


@ -1,107 +0,0 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.2.4
name: spiffeids.spiffeid.spiffe.io
spec:
group: spiffeid.spiffe.io
names:
kind: SpiffeID
listKind: SpiffeIDList
plural: spiffeids
singular: spiffeid
scope: Namespaced
versions:
- name: v1beta1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
description: SpiffeID is the Schema for the spiffeid API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: SpiffeIDSpec defines the desired state of SpiffeID
properties:
dnsNames:
items:
type: string
type: array
federatesWith:
items:
type: string
type: array
parentId:
type: string
selector:
properties:
arbitrary:
description: Arbitrary selectors
items:
type: string
type: array
containerImage:
description: Container image to match for this spiffe ID
type: string
containerName:
description: Container name to match for this spiffe ID
type: string
namespace:
description: Namespace to match for this spiffe ID
type: string
nodeName:
description: Node name to match for this spiffe ID
type: string
podLabel:
additionalProperties:
type: string
description: Pod label name/value to match for this spiffe ID
type: object
podName:
description: Pod name to match for this spiffe ID
type: string
podUid:
description: Pod UID to match for this spiffe ID
type: string
serviceAccount:
description: ServiceAccount to match for this spiffe ID
type: string
cluster:
description: The k8s_psat cluster name
type: string
agent_node_uid:
description: UID of the node
type: string
type: object
spiffeId:
type: string
required:
- parentId
- selector
- spiffeId
type: object
status:
description: SpiffeIDStatus defines the observed state of SpiffeID
properties:
entryId:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state
of cluster Important: Run "make" to regenerate code after modifying
this file'
type: string
type: object
type: object


@ -1,30 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: k8s-workload-registrar-role
rules:
- apiGroups: [""]
resources: ["endpoints", "nodes", "pods"]
verbs: ["get", "list", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
verbs: ["get", "patch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: k8s-workload-registrar-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: k8s-workload-registrar-role
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire


@ -1,19 +0,0 @@
---
apiVersion: v1
data:
k8s-workload-registrar.conf: |-
log_level = "debug"
trust_domain = "example.org"
agent_socket_path = "/run/spire/sockets/agent.sock"
server_socket_path = "/tmp/spire-server/private/api.sock"
cluster = "nsm-cluster"
pod_controller = true
add_svc_dns_names = true
mode = "crd"
webhook_enabled = true
identity_template = "ns/{{ printf "{{.Pod.Namespace}}" }}/pod/{{ printf "{{.Pod.Name}}" }}"
identity_template_label = "spiffe.io/spiffe-id"
kind: ConfigMap
metadata:
name: k8s-workload-registrar
namespace: spire


@ -1,42 +0,0 @@
---
apiVersion: v1
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "example.org"
}
plugins {
NodeAttestor "k8s_psat" {
plugin_data {
# NOTE: Change this to your cluster name
cluster = "nsm-cluster"
}
}
KeyManager "memory" {
plugin_data {}
}
WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {}
}
}
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire


@ -1,55 +0,0 @@
---
apiVersion: v1
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
trust_domain = "example.org"
data_dir = "/run/spire/data"
log_level = "DEBUG"
#AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
default_svid_ttl = "1h"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "",
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
# NOTE: Change this to your cluster name
"nsm-cluster" = {
use_token_review_api_validation = true
service_account_allow_list = ["spire:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
webhook_label = "spiffe.io/webhook"
}
}
}
kind: ConfigMap
metadata:
name: spire-server
namespace: spire


@ -1,15 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: k8s-workload-registrar
namespace: spire
spec:
type: ClusterIP
ports:
- name: webhook
protocol: TCP
port: 443
targetPort: 9443
selector:
app: spire-server


@ -1,22 +0,0 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: k8s-workload-registrar
labels:
spiffe.io/webhook: "true"
webhooks:
- name: k8s-workload-registrar.spire.svc
admissionReviewVersions: ["v1", "v1beta1"]
clientConfig:
service:
name: k8s-workload-registrar
namespace: spire
path: "/validate-spiffeid-spiffe-io-v1beta1-spiffeid"
rules:
- apiGroups: ["spiffeid.spiffe.io"]
apiVersions: ["v1beta1"]
operations: ["CREATE", "UPDATE", "DELETE"]
resources: ["spiffeids"]
scope: Namespaced
sideEffects: None


@ -0,0 +1,17 @@
---
# permissions to do leader election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: leader-election-role
namespace: spire
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
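Review bot: The first rule grants create/update/patch/delete on every ConfigMap in the `spire` namespace, which also covers the `spire-server`, `spire-agent` and `spire-controller-manager-config` ConfigMaps added elsewhere in this commit. If the controller-manager takes its leader lock only through Leases (the second rule), the configmaps rule can be removed outright; otherwise it can be narrowed with `resourceNames: ["98c9c988.spiffe.io"]`, the lock name set in spire-controller-manager-config.yaml. I cannot see from this page which lock type the manager uses, so confirm that before trimming.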


@ -0,0 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: leader-election-rolebinding
namespace: spire
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: leader-election-role
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire


@ -0,0 +1,39 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: manager-role
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterfederatedtrustdomains/status"]
verbs: ["get", "patch", "update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/finalizers"]
verbs: ["update"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/status"]
verbs: ["get", "patch", "update"]
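Review bot: The two admissionregistration rules allow `patch` on every ValidatingWebhookConfiguration and MutatingWebhookConfiguration in the cluster, so the `spire-server` ServiceAccount this ClusterRole is bound to can alter or neutralise admission webhooks that have nothing to do with SPIRE. The only webhook created in this commit is `spire-controller-manager-webhook`, and no MutatingWebhookConfiguration is added at all, so the patch right can be scoped with `resourceNames` while `list`/`watch` stay unscoped (resourceNames does not apply to them); if the manager really registers a mutating webhook as well, scope that rule the same way, otherwise drop it. The verbs look copied from an upstream kubebuilder manifest, so check the controller-manager's own RBAC markers before narrowing.
```yaml
# … unchanged: namespaces rule …
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  resourceNames: ["spire-controller-manager-webhook"]
  verbs: ["get", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["list", "watch"]
# … unchanged: nodes, pods and spire.spiffe.io rules …
```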


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire


@ -8,15 +8,9 @@ metadata:
rules:
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "patch", "watch"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["patch", "get", "list"]
- apiGroups: [""]
resources: ["pods", "nodes"]
resources: ["nodes"]
verbs: ["get"]
---


@ -0,0 +1,35 @@
---
# Role for the SPIRE server
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: spire
name: spire-server-role
rules:
# allow "get" access to pods (to resolve selectors for PSAT attestation)
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
# allow access to "get" and "patch" the spire-bundle ConfigMap (for SPIRE
# agent bootstrapping, see the spire-bundle ConfigMap below)
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["spire-bundle"]
verbs: ["get", "patch"]
---
# RoleBinding granting the spire-server-role to the SPIRE server
# service account.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-role-binding
namespace: spire
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
kind: Role
name: spire-server-role
apiGroup: rbac.authorization.k8s.io
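Review bot: The comment `# agent bootstrapping, see the spire-bundle ConfigMap below)` points at a ConfigMap that does not appear below in this file, which ends with the RoleBinding, so the reference presumably survived a copy from the upstream SPIRE quickstart manifests. Either add the `spire-bundle` ConfigMap to this file or reword the comment to say where that object is created, e.g. `# agent bootstrapping; the spire-bundle ConfigMap is created elsewhere in this chart)` once you have confirmed where it lives. The `resourceNames: ["spire-bundle"]` scoping on the patch right is good and worth keeping.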


@ -11,9 +11,18 @@ spec:
port: 8081
targetPort: 8081
protocol: TCP
- name: spire-federation
port: 8443
targetPort: 8443
protocol: TCP
selector:
app: spire-server
---
apiVersion: v1
kind: Service
metadata:
name: spire-controller-manager-webhook-service
namespace: spire
spec:
ports:
- port: 443
protocol: TCP
targetPort: 9443
selector:
app: spire-server


@ -32,9 +32,8 @@ spec:
- name: spire-config
mountPath: /run/spire/config
readOnly: true
- name: spire-registration-socket
mountPath: /tmp
readOnly: false
- name: spire-server-socket
mountPath: /tmp/spire-server/private
livenessProbe:
exec:
command:
@ -47,47 +46,26 @@ spec:
readinessProbe:
exec:
command: ["/opt/spire/bin/spire-server", "healthcheck", "--shallow"]
# This is a workaround for https://github.com/spiffe/spire/issues/2872
# that prevents k8s-workload-registrar container restarts until
# https://github.com/spiffe/spire/pull/2921 will come with SPIRE 1.3.0.
lifecycle:
postStart:
exec:
command: ["sleep", "2"]
- name: k8s-workload-registrar
image: {{ .Values.spireServer.k8sWorkloadRegistrarImageRegistry }}:{{ .Values.spireServer.k8sWorkloadRegistrarImageTag }}
args:
- -config
- /run/spire/config/k8s-workload-registrar.conf
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: spire-controller-manager
image: ghcr.io/spiffe/spire-controller-manager:0.2.2
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9443
name: webhook
protocol: TCP
args:
- "--config=spire-controller-manager-config.yaml"
volumeMounts:
- mountPath: /run/spire/config
name: k8s-workload-registrar-config
readOnly: true
- mountPath: /run/spire/sockets
name: spire-agent-socket
name: spire-server-socket
readOnly: true
- name: spire-registration-socket
mountPath: /tmp
readOnly: false
- name: spire-controller-manager-config
mountPath: /spire-controller-manager-config.yaml
subPath: spire-controller-manager-config.yaml
volumes:
- name: spire-config
configMap:
name: spire-server
- name: spire-agent-socket
hostPath:
path: /run/spire/sockets
type: DirectoryOrCreate
- name: k8s-workload-registrar-config
configMap:
name: k8s-workload-registrar
- name: spire-registration-socket
- name: spire-server-socket
emptyDir: {}
- name: spire-controller-manager-config
configMap:
name: spire-controller-manager-config
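Review bot: The spire-controller-manager image is hard-coded as `ghcr.io/spiffe/spire-controller-manager:0.2.2` while the spire-server container in the same pod is rendered from `.Values.spireServer.imageRegistry`/`imageTag` (see the values.yaml hunk), so a chart user cannot pin, override or mirror the manager image the way they can the server image. Something like `image: {{ .Values.spireServer.controllerManagerImageRegistry }}:{{ .Values.spireServer.controllerManagerImageTag }}` (constructed key names) with defaults in values.yaml would keep it consistent with the `k8sWorkloadRegistrarImageRegistry`/`Tag` values it replaces. The enclosing pod spec starts and ends outside the hunk.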


@ -0,0 +1,26 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-controller-manager-config
namespace: spire
data:
spire-controller-manager-config.yaml: |
apiVersion: spire.spiffe.io/v1alpha1
kind: ControllerManagerConfig
metrics:
bindAddress: 127.0.0.1:8082
healthProbe:
bindAddress: 127.0.0.1:8083
leaderElection:
leaderElect: true
resourceName: 98c9c988.spiffe.io
resourceNamespace: spire
clusterName: k8s-nsm-cluster
trustDomain: k8s.nsm
spireServerSocketPath: /run/spire/sockets/api.sock
ignoreNamespaces:
- kube-system
- kube-public
- spire
- local-path-storage
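Review bot: `clusterName: k8s-nsm-cluster` and `trustDomain: k8s.nsm` have to agree with `cluster`/`trust_domain` in agent.conf and with the `k8s_psat` cluster key and `trust_domain` in server.conf, yet all three ConfigMaps in this commit hard-code the values independently and the server and agent ones still carry `# NOTE: Change this to your cluster name`. A comment here such as `# must match the k8s_psat cluster name and trust_domain in the spire-server and spire-agent ConfigMaps` would make the coupling visible; rendering the three values from one values.yaml key would remove it. A mismatch presumably surfaces only as failed node attestation at runtime rather than at `helm template` time, so it is easy to miss.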


@ -0,0 +1,20 @@
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: spire-controller-manager-webhook
webhooks:
- admissionReviewVersions: ["v1"]
clientConfig:
service:
name: spire-controller-manager-webhook-service
namespace: spire
path: /validate-spire-spiffe-io-v1alpha1-clusterspiffeid
failurePolicy: Fail
name: vclusterspiffeid.kb.io
rules:
- apiGroups: ["spire.spiffe.io"]
apiVersions: ["v1alpha1"]
operations: ["CREATE", "UPDATE"]
resources: ["clusterspiffeids"]
sideEffects: None
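Review bot: `clientConfig` carries no `caBundle`, and unlike the removed k8s-workload-registrar webhook this object has no `spiffe.io/webhook: "true"` label, so the `Notifier "k8sbundle"` kept in server.conf (`webhook_label = "spiffe.io/webhook"`) will not populate it. If spire-controller-manager injects its own CA into this object at runtime (the `patch` verb on validatingwebhookconfigurations in manager-role suggests so), a comment such as `# caBundle is injected by spire-controller-manager at runtime` would save the next reader the search; if it does not, `failurePolicy: Fail` means every ClusterSPIFFEID create or update is rejected once the API server cannot verify the endpoint. Worth confirming against the 0.2.2 controller-manager behaviour before merging.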


@ -0,0 +1,70 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-server
namespace: spire
data:
server.conf: |
server {
bind_address = "0.0.0.0"
bind_port = "8081"
trust_domain = "k8s.nsm"
data_dir = "/run/spire/data"
log_level = "DEBUG"
#AWS requires the use of RSA. EC cryptography is not supported
ca_key_type = "rsa-2048"
default_x509_svid_ttl = "1h"
default_jwt_svid_ttl = "1h"
ca_subject = {
country = ["US"],
organization = ["SPIFFE"],
common_name = "",
}
# Federation config was added here for unification of Spire setups
# This config will do nothing until Spiffe Federation bundles are configured manually
federation {
bundle_endpoint {
address = "0.0.0.0"
port = 8443
}
federates_with "docker.nsm" {
bundle_endpoint_url = "https://spire-server.spire.docker.nsm:8443"
bundle_endpoint_profile "https_spiffe" {
endpoint_spiffe_id = "spiffe://docker.nsm/spire/server"
}
}
}
}
plugins {
DataStore "sql" {
plugin_data {
database_type = "sqlite3"
connection_string = "/run/spire/data/datastore.sqlite3"
}
}
NodeAttestor "k8s_psat" {
plugin_data {
clusters = {
# NOTE: Change this to your cluster name
"k8s-nsm-cluster" = {
use_token_review_api_validation = true
service_account_allow_list = ["spire:spire-agent"]
}
}
}
}
KeyManager "disk" {
plugin_data {
keys_path = "/run/spire/data/keys.json"
}
}
Notifier "k8sbundle" {
plugin_data {
webhook_label = "spiffe.io/webhook"
}
}
}
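Review bot: `federates_with "docker.nsm"` hard-codes `bundle_endpoint_url = "https://spire-server.spire.docker.nsm:8443"` and an `https_spiffe` endpoint SPIFFE ID into every installation of this chart; with that profile the server will presumably keep retrying the bundle fetch and logging errors until the docker.nsm bundle is bootstrapped by hand, which the comment above the block already concedes. Gating the block on a values flag (e.g. a constructed `spireServer.federation.enabled`) or templating the peer trust domain would avoid shipping another environment's endpoint to every user. Separately, `log_level = "DEBUG"` is a development setting for a chart default, and this file is the only one in the commit that omits the leading `---`.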


@ -4,10 +4,8 @@
# Variables added
spireServer:
imageRegistry: gcr.io/spiffe-io/spire-server
imageTag: 1.5.1
k8sWorkloadRegistrarImageRegistry: gcr.io/spiffe-io/k8s-workload-registrar
k8sWorkloadRegistrarImageTag: 1.5.1
imageRegistry: ghcr.io/spiffe/spire-server
imageTag: 1.6.1
# TODO: check and remove unneeded values


@ -0,0 +1,90 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: clusterfederatedtrustdomains.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterFederatedTrustDomain
listKind: ClusterFederatedTrustDomainList
plural: clusterfederatedtrustdomains
singular: clusterfederatedtrustdomain
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.trustDomain
name: Trust Domain
type: string
- jsonPath: .spec.bundleEndpointURL
name: Endpoint URL
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterFederatedTrustDomainSpec defines the desired state
of ClusterFederatedTrustDomain
properties:
bundleEndpointProfile:
description: BundleEndpointProfile is the profile for the bundle endpoint.
properties:
endpointSPIFFEID:
description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
It is required for the "https_spiffe" profile.
type: string
type:
description: Type is the type of the bundle endpoint profile.
enum:
- https_spiffe
- https_web
type: string
required:
- type
type: object
bundleEndpointURL:
description: BundleEndpointURL is the URL of the bundle endpoint.
It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
type: string
trustDomain:
description: TrustDomain is the name of the trust domain to federate
with (e.g. example.org)
pattern: '[a-z0-9._-]{1,255}'
type: string
trustDomainBundle:
description: TrustDomainBundle is the contents of the bundle for the
referenced trust domain. This field is optional when the resource
is created.
type: string
required:
- bundleEndpointProfile
- bundleEndpointURL
- trustDomain
type: object
status:
description: ClusterFederatedTrustDomainStatus defines the observed state
of ClusterFederatedTrustDomain
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,221 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: clusterspiffeids.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterSPIFFEID
listKind: ClusterSPIFFEIDList
plural: clusterspiffeids
singular: clusterspiffeid
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
properties:
admin:
description: Admin indicates whether or not the SVID can be used to
access the SPIRE administrative APIs. Extra care should be taken
to only apply this SPIFFE ID to admin workloads.
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
downstream:
description: Downstream indicates that the entry describes a downstream
SPIRE server.
type: boolean
federatesWith:
description: FederatesWith is a list of trust domain names that workloads
that obtain this SPIFFE ID will federate with.
items:
type: string
type: array
namespaceSelector:
description: NamespaceSelector selects the namespaces that are targeted
by this CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: PodSelector selects the pods that are targeted by this
CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
spiffeIDTemplate:
description: SPIFFEID is the SPIFFE ID template. The node and pod
spec are made available to the template under .NodeSpec, .PodSpec
respectively.
type: string
ttl:
description: TTL indicates an upper-bound time-to-live for SVIDs minted
for this ClusterSPIFFEID. If unset, a default will be chosen.
type: string
workloadSelectorTemplates:
description: WorkloadSelectorTemplates are templates to produce arbitrary
workload selectors that apply to a given workload before it will
receive this SPIFFE ID. The rendered value is interpreted by SPIRE
and are of the form type:value, where the value may, and often does,
contain semicolons, .e.g., k8s:container-image:docker/hello-world
The node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
required:
- spiffeIDTemplate
type: object
status:
description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
properties:
stats:
description: Stats produced by the last entry reconciliation run
properties:
entriesMasked:
description: How many entries were masked by entries for other
ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
produce an entry for the same pod with the same set of workload
selectors.
type: integer
entriesToSet:
description: How many entries are to be set for this ClusterSPIFFEID.
In nominal conditions, this should reflect the number of pods
selected, but not always if there were problems encountered
rendering an entry for the pod (RenderFailures) or entries are
masked (EntriesMasked).
type: integer
entryFailures:
description: How many entries were unable to be set due to failures
to create or update the entries via the SPIRE Server API.
type: integer
namespacesIgnored:
description: How many (selected) namespaces were ignored (based
on configuration).
type: integer
namespacesSelected:
description: How many namespaces were selected.
type: integer
podEntryRenderFailures:
description: How many failures were encountered rendering an entry
selected pods. This could be due to either a bad template in
the ClusterSPIFFEID or Pod metadata that when applied to the
template did not produce valid entry values.
type: integer
podsSelected:
description: How many pods were selected out of the namespaces.
type: integer
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}


@ -0,0 +1,43 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-agent
namespace: spire
data:
agent.conf: |
agent {
data_dir = "/run/spire"
log_level = "DEBUG"
server_address = "spire-server"
server_port = "8081"
socket_path = "/run/spire/sockets/agent.sock"
trust_bundle_path = "/run/spire/bundle/bundle.crt"
trust_domain = "k8s.nsm"
}
plugins {
NodeAttestor "k8s_psat" {
plugin_data {
# NOTE: Change this to your cluster name
cluster = "k8s-nsm-cluster"
}
}
KeyManager "memory" {
plugin_data {}
}
WorkloadAttestor "k8s" {
plugin_data {
# Defaults to the secure kubelet port by default.
# Minikube does not have a cert in the cluster CA bundle that
# can authenticate the kubelet cert, so skip validation.
skip_kubelet_verification = true
}
}
WorkloadAttestor "unix" {
plugin_data {}
}
}
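Review bot: `skip_kubelet_verification = true` disables verification of the kubelet's serving certificate for the `k8s` WorkloadAttestor on every cluster this chart is installed on, while the comment above justifies it only for Minikube. Since the kubelet is where the attestor learns which pod and container a workload belongs to, leaving the option at its default (verification on) is the safer chart default, with a values toggle and a comment like `# set true only on clusters whose kubelet cert is not signed by the cluster CA` for dev clusters. The setting was carried over from the removed file, so this is not a regression introduced by the commit, but the new file is the one that will be shipped.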


@ -25,19 +25,22 @@ spec:
# This is a small image with wait-for-it, choose whatever image
# you prefer that waits for a service to be up. This image is built
# from https://github.com/lqhl/wait-for-it
image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }}
image: gcr.io/spiffe-io/wait-for-it
imagePullPolicy: IfNotPresent
args: ["-t", "30", "spire-server:8081"]
- name: init-bundle
# Additional init container with the same wait-for-it image to
# provide workaround for https://github.com/spiffe/spire/issues/3032
# It checks if the bundle is in place and ready to be parsed or not.
image: {{ .Values.spireAgent.waitForItImageRegistry }}:{{ .Values.spireAgent.waitForItImageTag }}
image: gcr.io/spiffe-io/wait-for-it
imagePullPolicy: IfNotPresent
command: ['sh', '-c', "t=0; until [ -f /run/spire/bundle/bundle.crt 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 1; done"]
command: ['sh', '-c', "t=0; until [ -f /run/spire/bundle/bundle.crt 2>&1 ] || [ $t -eq 60 ]; do t=`expr $t + 1`; sleep 1; done"]
volumeMounts:
- name: spire-bundle
mountPath: /run/spire/bundle
containers:
- name: spire-agent
image: {{ .Values.spireAgent.imageRegistry }}:{{ .Values.spireAgent.imageTag }}
image: ghcr.io/spiffe/spire-agent:1.6.1
args: ["-config", "/run/spire/config/agent.conf"]
volumeMounts:
- name: spire-config
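Review bot: `image: gcr.io/spiffe-io/wait-for-it` on both init containers carries no tag, so each node pulls whatever `latest` resolves to at pod start and the image can be neither pinned nor mirrored; the lines it replaces were rendered from `.Values.spireAgent.waitForItImageRegistry`/`waitForItImageTag`, and `ghcr.io/spiffe/spire-agent:1.6.1` likewise replaces `.Values.spireAgent.imageRegistry`/`imageTag`. If those `spireAgent` keys are still in values.yaml (the values hunk shown touches only `spireServer`), they are now dead; restoring the template expressions and moving the new registry and tag into values.yaml keeps both the pinning and the override path. The enclosing DaemonSet spec continues outside the hunk.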


@ -0,0 +1,432 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-install-crds
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-install-crds
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-install-crds
subjects:
- kind: ServiceAccount
name: spire-install-crds
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-install-crds
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- get
- list
- patch
- update
- create
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-crd-install
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
data:
crds.yaml: |
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: clusterspiffeids.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterSPIFFEID
listKind: ClusterSPIFFEIDList
plural: clusterspiffeids
singular: clusterspiffeid
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterSPIFFEID is the Schema for the clusterspiffeids API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterSPIFFEIDSpec defines the desired state of ClusterSPIFFEID
properties:
admin:
description: Admin indicates whether or not the SVID can be used to
access the SPIRE administrative APIs. Extra care should be taken
to only apply this SPIFFE ID to admin workloads.
type: boolean
dnsNameTemplates:
description: DNSNameTemplate represents templates for extra DNS names
that are applicable to SVIDs minted for this ClusterSPIFFEID. The
node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
downstream:
description: Downstream indicates that the entry describes a downstream
SPIRE server.
type: boolean
federatesWith:
description: FederatesWith is a list of trust domain names that workloads
that obtain this SPIFFE ID will federate with.
items:
type: string
type: array
namespaceSelector:
description: NamespaceSelector selects the namespaces that are targeted
by this CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: PodSelector selects the pods that are targeted by this
CRD.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements.
The requirements are ANDed.
items:
description: A label selector requirement is a selector that
contains values, a key, and an operator that relates the key
and values.
properties:
key:
description: key is the label key that the selector applies
to.
type: string
operator:
description: operator represents a key's relationship to
a set of values. Valid operators are In, NotIn, Exists
and DoesNotExist.
type: string
values:
description: values is an array of string values. If the
operator is In or NotIn, the values array must be non-empty.
If the operator is Exists or DoesNotExist, the values
array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single
{key,value} in the matchLabels map is equivalent to an element
of matchExpressions, whose key field is "key", the operator
is "In", and the values array contains only "value". The requirements
are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
spiffeIDTemplate:
description: SPIFFEID is the SPIFFE ID template. The node and pod
spec are made available to the template under .NodeSpec, .PodSpec
respectively.
type: string
ttl:
description: TTL indicates an upper-bound time-to-live for SVIDs minted
for this ClusterSPIFFEID. If unset, a default will be chosen.
type: string
workloadSelectorTemplates:
description: WorkloadSelectorTemplates are templates to produce arbitrary
workload selectors that apply to a given workload before it will
receive this SPIFFE ID. The rendered value is interpreted by SPIRE
and are of the form type:value, where the value may, and often does,
contain semicolons, .e.g., k8s:container-image:docker/hello-world
The node and pod spec are made available to the template under .NodeSpec,
.PodSpec respectively.
items:
type: string
type: array
required:
- spiffeIDTemplate
type: object
status:
description: ClusterSPIFFEIDStatus defines the observed state of ClusterSPIFFEID
properties:
stats:
description: Stats produced by the last entry reconciliation run
properties:
entriesMasked:
description: How many entries were masked by entries for other
ClusterSPIFFEIDs. This happens when one or more ClusterSPIFFEIDs
produce an entry for the same pod with the same set of workload
selectors.
type: integer
entriesToSet:
description: How many entries are to be set for this ClusterSPIFFEID.
In nominal conditions, this should reflect the number of pods
selected, but not always if there were problems encountered
rendering an entry for the pod (RenderFailures) or entries are
masked (EntriesMasked).
type: integer
entryFailures:
description: How many entries were unable to be set due to failures
to create or update the entries via the SPIRE Server API.
type: integer
namespacesIgnored:
description: How many (selected) namespaces were ignored (based
on configuration).
type: integer
namespacesSelected:
description: How many namespaces were selected.
type: integer
podEntryRenderFailures:
description: How many failures were encountered rendering an entry
selected pods. This could be due to either a bad template in
the ClusterSPIFFEID or Pod metadata that when applied to the
template did not produce valid entry values.
type: integer
podsSelected:
description: How many pods were selected out of the namespaces.
type: integer
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.1
creationTimestamp: null
name: clusterfederatedtrustdomains.spire.spiffe.io
spec:
group: spire.spiffe.io
names:
kind: ClusterFederatedTrustDomain
listKind: ClusterFederatedTrustDomainList
plural: clusterfederatedtrustdomains
singular: clusterfederatedtrustdomain
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.trustDomain
name: Trust Domain
type: string
- jsonPath: .spec.bundleEndpointURL
name: Endpoint URL
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: ClusterFederatedTrustDomain is the Schema for the clusterfederatedtrustdomains
API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ClusterFederatedTrustDomainSpec defines the desired state
of ClusterFederatedTrustDomain
properties:
bundleEndpointProfile:
description: BundleEndpointProfile is the profile for the bundle endpoint.
properties:
endpointSPIFFEID:
description: EndpointSPIFFEID is the SPIFFE ID of the bundle endpoint.
It is required for the "https_spiffe" profile.
type: string
type:
description: Type is the type of the bundle endpoint profile.
enum:
- https_spiffe
- https_web
type: string
required:
- type
type: object
bundleEndpointURL:
description: BundleEndpointURL is the URL of the bundle endpoint.
It must be an HTTPS URL and cannot contain userinfo (i.e. username/password).
type: string
trustDomain:
description: TrustDomain is the name of the trust domain to federate
with (e.g. example.org)
pattern: '[a-z0-9._-]{1,255}'
type: string
trustDomainBundle:
description: TrustDomainBundle is the contents of the bundle for the
referenced trust domain. This field is optional when the resource
is created.
type: string
required:
- bundleEndpointProfile
- bundleEndpointURL
- trustDomain
type: object
status:
description: ClusterFederatedTrustDomainStatus defines the observed state
of ClusterFederatedTrustDomain
type: object
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: batch/v1
kind: Job
metadata:
name: spire-install-crds
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "2"
labels:
app.kubernetes.io/name: spire
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 3
template:
metadata:
name: spire-install-crds
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: spire-install-crds
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/sh
- -c
- kubectl apply -f /tmp/crds.yaml
volumeMounts:
- mountPath: /tmp
name: crds
volumes:
- name: crds
configMap:
name: spire-crd-install
items:
- key: "crds.yaml"
path: "crds.yaml"
restartPolicy: OnFailure


@ -0,0 +1,130 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: spire-install-clusterid-cr
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote}}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: spire-install-clusterid-cr
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: spire-install-clusterid-cr
subjects:
- kind: ServiceAccount
name: spire-install-clusterid-cr
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: spire-install-clusterid-cr
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
labels:
app.kubernetes.io/name: kubeslice
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
rules:
- apiGroups:
- "spire.spiffe.io"
resources:
- "clusterspiffeids"
verbs:
- get
- list
- patch
- update
- create
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-clusterid-cr-install
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "1"
data:
cr.yaml: |
---
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
name: nsm-workloads
spec:
spiffeIDTemplate: "spiffe://k8s.nsm/ns/{{ printf "{{ .PodMeta.Namespace }}" }}/pod/{{ printf "{{ .PodMeta.Name }}" }}"
podSelector:
matchLabels:
"spiffe.io/spiffe-id": "true"
---
apiVersion: batch/v1
kind: Job
metadata:
name: spire-install-clusterid-cr
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade,pre-rollback
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook-weight": "999"
labels:
app.kubernetes.io/name: spire
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
backoffLimit: 5
template:
metadata:
name: spire-install-clusterid-cr
namespace: {{ .Release.Namespace }}
spec:
serviceAccountName: spire-install-clusterid-cr
containers:
- name: kubectl
image: "alpine/k8s:1.22.9"
command:
- /bin/sh
- -c
- kubectl apply -f /tmp/cr.yaml
volumeMounts:
- mountPath: /tmp
name: cr
volumes:
- name: cr
configMap:
name: spire-clusterid-cr-install
items:
- key: "cr.yaml"
path: "cr.yaml"
restartPolicy: OnFailure
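Review bot: The `nsm-workloads` ClusterSPIFFEID embedded in the `cr.yaml` ConfigMap data selects on `spiffe.io/spiffe-id: "true"` with no `namespaceSelector`, so a pod in any namespace that carries that label is issued an SVID under `spiffe://k8s.nsm`; anyone able to set pod labels in an unrelated namespace can obtain an identity in this trust domain. Consider confining it with a `namespaceSelector:` block under `spec:` that matches only the namespaces expected to host NSM workloads (the ClusterSPIFFEID v1alpha1 schema carries that field). Two smaller points: the ClusterRoleBinding and ClusterRole are labelled `app.kubernetes.io/name: kubeslice` while the Job in the same file uses `app.kubernetes.io/name: spire`, so the hook's resources do not group under one selector; and the hook image `alpine/k8s:1.22.9` is pinned by mutable tag only, whereas `image: "alpine/k8s:1.22.9@sha256:<digest-placeholder>"` would make the pre-install hook reproducible.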

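--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nsmgr
+  namespace: kubeslice-system
+  labels:
+    services: nsmgr
+spec:
+  ports:
+    - port: 5001
+      name: tcp
+  selector:
+    app: nsmgr
+  internalTrafficPolicy: Local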
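Review bot: The new `nsmgr` Service hard-codes `namespace: kubeslice-system` while the sibling hook templates in this commit use `namespace: {{ .Release.Namespace }}`, so installing the chart into any other namespace leaves this Service orphaned from its pods. It also carries only a `services: nsmgr` label and none of the `app.kubernetes.io/*` labels the other resources use, which keeps it out of the chart's usual label selectors. Suggested change: `namespace: {{ .Release.Namespace }}` plus the standard `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels.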


@ -1,3 +1,40 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nsmgr-cm
namespace: kubeslice-system
data:
create-nsmgr-svc.sh: |-
#!/usr/bin/env bash
#
# Service name should be an RFC-1035 label name.
# Get the md5 hash of the node name to use as the name of the
# nsmgr service.
SVC_NAME="nsm-$(echo $MY_NODE_NAME | md5sum | awk '{print $1}')"
kubectl get svc $SVC_NAME -n kubeslice-system
if [[ $? -eq 1 ]]; then
echo "Creating service $SVC_NAME"
kubectl create service clusterip $SVC_NAME --tcp=5001:5001 --save-config=true -n kubeslice-system
if [[ $? -eq 1 ]]; then
echo "Failed to create service"
exit 1
fi
fi
kubectl label po $MY_POD_NAME nsmgr-svc=$SVC_NAME --overwrite -n kubeslice-system
if [[ $? -eq 1 ]]; then
echo "Failed to label the pod"
exit 1
fi
SELECTOR="nsmgr-svc=$SVC_NAME"
kubectl get service $SVC_NAME -oyaml -n kubeslice-system | kubectl set selector --local=false -f - "$SELECTOR" -oyaml -n kubeslice-system
if [[ $? -eq 1 ]]; then
echo "Failed to set selector on the service"
exit 1
fi
---
apiVersion: apps/v1
kind: DaemonSet
@ -27,6 +64,24 @@ spec:
args: [ "-t", "120", "spire-server.spire:8081" ]
#command: ['sh', '-c', 'sleep 120']
#command: ['sh', '-c', "t=0; until [ -f /run/spire/sockets/agent.sock 2>&1 ] || [ $t -eq 5 ]; do t=`expr $t + 1`; sleep 15; done;"]
- env:
- name: MY_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: MY_POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
image: "alpine/k8s:1.22.9"
imagePullPolicy: IfNotPresent
name: nsmgr-init-svc-creator
command:
- /bin/bash
- /tmp/create-nsmgr-svc.sh
volumeMounts:
- mountPath: /tmp/
name: nsm-svc-config-volume
containers:
- image: {{ .Values.nsmgr.imageRegistry }}:{{ .Values.nsmgr.imageTag }}
imagePullPolicy: IfNotPresent
@ -137,10 +192,12 @@ spec:
path: /var/lib/networkservicemesh
type: DirectoryOrCreate
- name: nsm-config-volume
{{/* emptyDir:*/}}
{{/* {}*/}}
configMap:
name: nsm-config
- configMap:
defaultMode: 420
name: nsmgr-cm
name: nsm-svc-config-volume
tolerations:
- key: "kubeslice.io/node-type"
operator: "Equal"
@ -149,4 +206,4 @@ spec:
- key: "kubeslice.io/node-type"
operator: "Equal"
value: "gateway"
effect: "NoExecute"
effect: "NoExecute"
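Review bot: The `create-nsmgr-svc.sh` script in the new `nsmgr-cm` ConfigMap (first hunk of this section) tests every kubectl call with `if [[ $? -eq 1 ]]`, so any other non-zero exit (a missing binary, a signal, a 2 from a client-side error) is treated as success and the init container proceeds as if the Service, label or selector were in place; there is also no `set -u`/`pipefail`, so an unset `MY_NODE_NAME` silently yields a fixed hash and the `get | set selector` pipeline only reports the last command's status. Checking the command directly with `if ! kubectl …` / `|| { …; exit 1; }` and quoting the variables fixes both. Separately, this init container runs `kubectl create service`, `kubectl label po` and `kubectl set selector`, which needs `services` create/get/patch and `pods` patch for the DaemonSet's service account — the `serviceAccountName` and RBAC for it are outside this hunk, so please confirm they are scoped to `kubeslice-system` rather than cluster-wide.
```yaml
  create-nsmgr-svc.sh: |-
    #!/usr/bin/env bash
    set -uo pipefail
    # … unchanged: SVC_NAME derivation …
    if ! kubectl get svc "$SVC_NAME" -n kubeslice-system >/dev/null; then
      echo "Creating service $SVC_NAME"
      kubectl create service clusterip "$SVC_NAME" --tcp=5001:5001 --save-config=true -n kubeslice-system \
        || { echo "Failed to create service"; exit 1; }
    fi
    kubectl label po "$MY_POD_NAME" nsmgr-svc="$SVC_NAME" --overwrite -n kubeslice-system \
      || { echo "Failed to label the pod"; exit 1; }
    SELECTOR="nsmgr-svc=$SVC_NAME"
    kubectl get service "$SVC_NAME" -oyaml -n kubeslice-system | kubectl set selector --local=false -f - "$SELECTOR" -oyaml -n kubeslice-system \
      || { echo "Failed to set selector on the service"; exit 1; }
```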


@ -10,11 +10,11 @@ global:
forwardingPlane:
kernelImageRegistry: docker.io/aveshasystems/cmd-forwarder-kernel
kernelImageTag: 1.0.1
kernelImageTag: 1.0.2
nsmgr:
imageRegistry: docker.io/aveshasystems/cmd-nsmgr
imageTag: 1.5.2
imageTag: 1.5.3
waitForItImageRegistry: docker.io/aveshasystems/wait-for-it
waitForItImageTag: 1.0.0
excludePrefixesImageRegistry: docker.io/aveshasystems/cmd-exclude-prefixes-k8s


@ -17,7 +17,7 @@ questions:
variable: imagePullSecrets.password
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Namespace"
required: true
@ -25,7 +25,7 @@ questions:
variable: controllerSecret.namespace
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Endpoint"
required: true
@ -33,7 +33,7 @@ questions:
variable: controllerSecret.endpoint
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller CA Cert"
required: true
@ -41,7 +41,7 @@ questions:
variable: controllerSecret.'ca.crt'
-
default: ""
description: "https://docs.avesha.io/documentation/enterprise/1.0.0/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
description: "https://docs.avesha.io/documentation/enterprise/1.1.1/deployment-partners/deploying-kubeslice-on-rancher/installing-the-worker-operator-on-rancher#getting-the-secrets-of-the-registered-cluster"
group: "Worker Secrets from Controller"
label: "Controller Token"
required: true
@ -57,7 +57,7 @@ questions:
variable: cluster.name
-
default: ""
description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/1.0.0/"
description: "Worker Cluster Endpoint,use 'kubectl cluster-info on worker cluster' or for details please follow https://docs.avesha.io/documentation/enterprise/1.1.1/"
group: "Worker Cluster Details"
label: "Cluster Endpoint"
required: true


@ -58,11 +58,14 @@ rules:
verbs:
- get
- list
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
- apiGroups: [""]
resources: ["services"]
verbs: ["list", "delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/status"]
verbs: ["get", "patch", "update"]
---
@ -92,12 +95,14 @@ data:
continue
fi
echo "finding and removing spiffeids in namespace $ns ..."
for item in $(kubectl get spiffeid.spiffeid.spiffe.io -n $ns -o name); do
for item in $(kubectl get clusterspiffeids.spire.spiffe.io -n $ns -o name); do
echo "removing item $item"
kubectl patch $item -p '{"metadata":{"finalizers":null}}' --type=merge -n $ns
kubectl delete $item --ignore-not-found -n $ns
done
done
echo "Deleting services from kubeslice-system namespace"
kubectl delete svc --all --ignore-not-found -n kubeslice-system
---
apiVersion: batch/v1
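Review bot: In the cleanup script (second hunk), `kubectl get clusterspiffeids.spire.spiffe.io -n $ns -o name` lists a cluster-scoped resource, so the `-n $ns` is ignored and the loop strips finalizers from and deletes every ClusterSPIFFEID in the cluster, once per namespace — including ones owned by other charts or tenants — rather than only the `nsm-workloads` one this chart installs. Deleting by name, `kubectl delete clusterspiffeid nsm-workloads --ignore-not-found` (with the same finalizer patch if needed), keeps the hook inside its own footprint. The added `kubectl delete svc --all --ignore-not-found -n kubeslice-system` has the same shape: it removes every Service in the namespace regardless of who created it, and the `nsm-*` Services the init script creates carry no label to select on, so labelling them at creation and deleting with `-l` would be safer. The first hunk grants `services` list/delete; the rule's enclosing kind is outside the hunk, and if it is a ClusterRole that delete is cluster-wide where a namespaced Role would do.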


@ -99,11 +99,14 @@ rules:
- delete
- create
- watch
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids"]
- apiGroups: ["storage.k8s.io"]
resources: ["csidrivers"]
verbs: ["delete"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["spiffeid.spiffe.io"]
resources: ["spiffeids/status"]
- apiGroups: ["spire.spiffe.io"]
resources: ["clusterspiffeids/status"]
verbs: ["get", "patch", "update"]
- apiGroups:
- networking.kubeslice.io
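Review bot: The new rule `resources: ["csidrivers"]` with `verbs: ["delete"]` is unrestricted, and CSIDriver is a cluster-scoped object shared by every storage provider on the cluster, so this identity can remove other vendors' drivers; constraining it with `resourceNames: ["<this-chart's-csidriver-name>"]` limits the blast radius to the driver this chart installs (its name is not shown in the hunk). The `clusterspiffeids` rule likewise grants the full verb set where the commit's other hook only needs `get`, `list`, `patch`, `update`, `create`; a one-line comment above the rule saying which controller path needs `delete` and `watch` would help the next reviewer. The rules list continues outside the hunk.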


@ -76,6 +76,7 @@ rules:
- get
- create
- update
- patch
- apiGroups:
- apps
resources:
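Review bot: The added `- patch` verb lands in a rule whose `resources:` list sits above the hunk, so the hunk does not show which objects this permission expansion covers, and neither the commit description nor a comment says what needs it. If it is the `pods` rule backing the new init container's `kubectl label po … --overwrite` elsewhere in this commit, a comment such as `# patch: nsmgr init container labels its own pod with nsmgr-svc=<name>` above the rule would document the coupling; if it is something else, the same one-line justification applies.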


@ -1387,6 +1387,7 @@ data:
plural: ""
conditions: []
storedVersions: []
---
apiVersion: batch/v1
kind: Job


@ -1,6 +1,6 @@
operator:
image: aveshasystems/worker-operator-ent
tag: 1.0.0
image: docker.io/aveshasystems/worker-operator-ent
tag: 1.1.1
pullPolicy: IfNotPresent
logLevel: INFO
@ -18,7 +18,7 @@ cluster:
router:
image: docker.io/aveshasystems/cmd-nse-vl3
tag: 1.0.2
tag: 1.0.3
pullPolicy: IfNotPresent
routerSidecar:


@ -1,12 +1,12 @@
dependencies:
- name: redis
repository: oci://registry-1.docker.io/bitnamicharts
version: 17.11.7
version: 17.11.8
- name: postgresql
repository: oci://registry-1.docker.io/bitnamicharts
version: 12.6.4
version: 12.6.5
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.6.0
digest: sha256:c083881493ab4641a3977062bca8359bbba0a28e00b9c1ed1fb22b7045d6b0c4
generated: "2023-07-11T01:41:10.531492724Z"
digest: sha256:fdb95b45850349c04fa20933cee42b106c0755539838a5e350197f609be68193
generated: "2023-07-13T12:33:38.888177981Z"


@ -37,4 +37,4 @@ maintainers:
name: airflow
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/airflow
version: 14.3.1
version: 14.3.3


@ -76,32 +76,32 @@ The command removes all the Kubernetes components associated with the chart and
### Airflow common parameters
| Name | Description | Value |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
| `auth.username` | Username to access web UI | `user` |
| `auth.password` | Password to access web UI | `""` |
| `auth.fernetKey` | Fernet key to secure connections | `""` |
| `auth.secretKey` | Secret key to run your flask app | `""` |
| `auth.existingSecret` | Name of an existing secret to use for Airflow credentials | `""` |
| `executor` | Airflow executor. Allowed values: `SequentialExecutor`, `LocalExecutor`, `CeleryExecutor`, `KubernetesExecutor`, `CeleryKubernetesExecutor` and `LocalKubernetesExecutor` | `CeleryExecutor` |
| `loadExamples` | Switch to load some Airflow examples | `false` |
| `configuration` | Specify content for Airflow config file (auto-generated based on other env. vars otherwise) | `""` |
| `existingConfigmap` | Name of an existing ConfigMap with the Airflow config file | `""` |
| `dags.existingConfigmap` | Name of an existing ConfigMap with all the DAGs files you want to load in Airflow | `""` |
| `dags.image.registry` | Init container load-dags image registry | `docker.io` |
| `dags.image.repository` | Init container load-dags image repository | `bitnami/bitnami-shell` |
| `dags.image.tag` | Init container load-dags image tag (immutable tags are recommended) | `11-debian-11-r134` |
| `dags.image.digest` | Init container load-dags image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `dags.image.pullPolicy` | Init container load-dags image pull policy | `IfNotPresent` |
| `dags.image.pullSecrets` | Init container load-dags image pull secrets | `[]` |
| `extraEnvVars` | Add extra environment variables for all the Airflow pods | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables for all the Airflow pods | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables for all the Airflow pods | `""` |
| `extraEnvVarsSecrets` | List of secrets with extra environment variables for all the Airflow pods | `[]` |
| `sidecars` | Add additional sidecar containers to all the Airflow pods | `[]` |
| `initContainers` | Add additional init containers to all the Airflow pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for all the Airflow pods | `[]` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the all the Airflow pods | `[]` |
| Name | Description | Value |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
| `auth.username` | Username to access web UI | `user` |
| `auth.password` | Password to access web UI | `""` |
| `auth.fernetKey` | Fernet key to secure connections | `""` |
| `auth.secretKey` | Secret key to run your flask app | `""` |
| `auth.existingSecret` | Name of an existing secret to use for Airflow credentials | `""` |
| `executor` | Airflow executor. Allowed values: `SequentialExecutor`, `LocalExecutor`, `CeleryExecutor`, `KubernetesExecutor`, `CeleryKubernetesExecutor` and `LocalKubernetesExecutor` | `CeleryExecutor` |
| `loadExamples` | Switch to load some Airflow examples | `false` |
| `configuration` | Specify content for Airflow config file (auto-generated based on other env. vars otherwise) | `""` |
| `existingConfigmap` | Name of an existing ConfigMap with the Airflow config file | `""` |
| `dags.existingConfigmap` | Name of an existing ConfigMap with all the DAGs files you want to load in Airflow | `""` |
| `dags.image.registry` | Init container load-dags image registry | `docker.io` |
| `dags.image.repository` | Init container load-dags image repository | `bitnami/os-shell` |
| `dags.image.tag` | Init container load-dags image tag (immutable tags are recommended) | `11-debian-11-r2` |
| `dags.image.digest` | Init container load-dags image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `dags.image.pullPolicy` | Init container load-dags image pull policy | `IfNotPresent` |
| `dags.image.pullSecrets` | Init container load-dags image pull secrets | `[]` |
| `extraEnvVars` | Add extra environment variables for all the Airflow pods | `[]` |
| `extraEnvVarsCM` | ConfigMap with extra environment variables for all the Airflow pods | `""` |
| `extraEnvVarsSecret` | Secret with extra environment variables for all the Airflow pods | `""` |
| `extraEnvVarsSecrets` | List of secrets with extra environment variables for all the Airflow pods | `[]` |
| `sidecars` | Add additional sidecar containers to all the Airflow pods | `[]` |
| `initContainers` | Add additional init containers to all the Airflow pods | `[]` |
| `extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for all the Airflow pods | `[]` |
| `extraVolumes` | Optionally specify extra list of additional volumes for the all the Airflow pods | `[]` |
### Airflow web parameters
@ -109,7 +109,7 @@ The command removes all the Kubernetes components associated with the chart and
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------- |
| `web.image.registry` | Airflow image registry | `docker.io` |
| `web.image.repository` | Airflow image repository | `bitnami/airflow` |
| `web.image.tag` | Airflow image tag (immutable tags are recommended) | `2.6.3-debian-11-r0` |
| `web.image.tag` | Airflow image tag (immutable tags are recommended) | `2.6.3-debian-11-r2` |
| `web.image.digest` | Airflow image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `web.image.pullPolicy` | Airflow image pull policy | `IfNotPresent` |
| `web.image.pullSecrets` | Airflow image pull secrets | `[]` |
@ -238,7 +238,7 @@ The command removes all the Kubernetes components associated with the chart and
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------ |
| `worker.image.registry` | Airflow Worker image registry | `docker.io` |
| `worker.image.repository` | Airflow Worker image repository | `bitnami/airflow-worker` |
| `worker.image.tag` | Airflow Worker image tag (immutable tags are recommended) | `2.6.2-debian-11-r7` |
| `worker.image.tag` | Airflow Worker image tag (immutable tags are recommended) | `2.6.3-debian-11-r0` |
| `worker.image.digest` | Airflow Worker image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `worker.image.pullPolicy` | Airflow Worker image pull policy | `IfNotPresent` |
| `worker.image.pullSecrets` | Airflow Worker image pull secrets | `[]` |
@ -318,7 +318,7 @@ The command removes all the Kubernetes components associated with the chart and
| ------------------------------ | --------------------------------------------------------------------------------------------------- | ---------------------- |
| `git.image.registry` | Git image registry | `docker.io` |
| `git.image.repository` | Git image repository | `bitnami/git` |
| `git.image.tag` | Git image tag (immutable tags are recommended) | `2.41.0-debian-11-r13` |
| `git.image.tag` | Git image tag (immutable tags are recommended) | `2.41.0-debian-11-r14` |
| `git.image.digest` | Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `git.image.pullPolicy` | Git image pull policy | `IfNotPresent` |
| `git.image.pullSecrets` | Git image pull secrets | `[]` |
@ -410,7 +410,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.enabled` | Whether or not to create a standalone Airflow exporter to expose Airflow metrics | `false` |
| `metrics.image.registry` | Airflow exporter image registry | `docker.io` |
| `metrics.image.repository` | Airflow exporter image repository | `bitnami/airflow-exporter` |
| `metrics.image.tag` | Airflow exporter image tag (immutable tags are recommended) | `0.20220314.0-debian-11-r140` |
| `metrics.image.tag` | Airflow exporter image tag (immutable tags are recommended) | `0.20220314.0-debian-11-r141` |
| `metrics.image.digest` | Airflow exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Airflow exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Airflow exporter image pull secrets | `[]` |


@ -27,4 +27,4 @@ maintainers:
name: postgresql
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/post
version: 12.6.4
version: 12.6.5


@ -429,24 +429,24 @@ spec:
args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ]
{{- end }}
env:
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
{{- if .Values.auth.usePasswordFiles }}
- name: DATA_SOURCE_PASS_FILE
{{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }}
- name: DATA_SOURCE_URI
value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }}
{{- if .Values.auth.usePasswordFiles }}
- name: DATA_SOURCE_PASS_FILE
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.userPasswordKey" .) }}
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
- name: DATA_SOURCE_USER
value: {{ default "postgres" $customUser | quote }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
{{- else }}
- name: DATA_SOURCE_PASS
valueFrom:
secretKeyRef:
name: {{ include "postgresql.secretName" . }}
key: {{ include "postgresql.userPasswordKey" . }}
{{- end }}
- name: DATA_SOURCE_USER
value: {{ default "postgres" $customUser | quote }}
{{- if .Values.metrics.extraEnvVars }}
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
{{- end }}
ports:
- name: http-metrics
containerPort: {{ .Values.metrics.containerPorts.metrics }}


@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.4.0
digest: sha256:8c1a5dc923412d11d4d841420494b499cb707305c8b9f87f45ea1a8bf3172cb3
generated: "2023-05-21T16:05:08.152199835Z"
version: 2.6.0
digest: sha256:6ce7c85dcb43ad1fc5ff600850f28820ddc2f1a7c8cb25c5ff542fe1f852165a
generated: "2023-07-11T00:07:23.31761598Z"


@ -2,7 +2,7 @@ annotations:
category: Database
licenses: Apache-2.0
apiVersion: v2
appVersion: 7.0.11
appVersion: 7.0.12
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
@ -24,4 +24,4 @@ maintainers:
name: redis
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/redis
version: 17.11.7
version: 17.11.8


@ -97,15 +97,15 @@ The command removes all the Kubernetes components associated with the chart and
### Redis&reg; Image parameters
| Name | Description | Value |
| ------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------- |
| `image.registry` | Redis&reg; image registry | `docker.io` |
| `image.repository` | Redis&reg; image repository | `bitnami/redis` |
| `image.tag` | Redis&reg; image tag (immutable tags are recommended) | `7.0.11-debian-11-r20` |
| `image.digest` | Redis&reg; image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Redis&reg; image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Redis&reg; image pull secrets | `[]` |
| `image.debug` | Enable image debug mode | `false` |
| Name | Description | Value |
| ------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------- |
| `image.registry` | Redis&reg; image registry | `docker.io` |
| `image.repository` | Redis&reg; image repository | `bitnami/redis` |
| `image.tag` | Redis&reg; image tag (immutable tags are recommended) | `7.0.12-debian-11-r0` |
| `image.digest` | Redis&reg; image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `image.pullPolicy` | Redis&reg; image pull policy | `IfNotPresent` |
| `image.pullSecrets` | Redis&reg; image pull secrets | `[]` |
| `image.debug` | Enable image debug mode | `false` |
### Redis&reg; common configuration parameters
@ -335,7 +335,7 @@ The command removes all the Kubernetes components associated with the chart and
| `sentinel.enabled` | Use Redis&reg; Sentinel on Redis&reg; pods. | `false` |
| `sentinel.image.registry` | Redis&reg; Sentinel image registry | `docker.io` |
| `sentinel.image.repository` | Redis&reg; Sentinel image repository | `bitnami/redis-sentinel` |
| `sentinel.image.tag` | Redis&reg; Sentinel image tag (immutable tags are recommended) | `7.0.11-debian-11-r18` |
| `sentinel.image.tag` | Redis&reg; Sentinel image tag (immutable tags are recommended) | `7.0.11-debian-11-r27` |
| `sentinel.image.digest` | Redis&reg; Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `sentinel.image.pullPolicy` | Redis&reg; Sentinel image pull policy | `IfNotPresent` |
| `sentinel.image.pullSecrets` | Redis&reg; Sentinel image pull secrets | `[]` |
@ -453,7 +453,7 @@ The command removes all the Kubernetes components associated with the chart and
| `metrics.enabled` | Start a sidecar prometheus exporter to expose Redis&reg; metrics | `false` |
| `metrics.image.registry` | Redis&reg; Exporter image registry | `docker.io` |
| `metrics.image.repository` | Redis&reg; Exporter image repository | `bitnami/redis-exporter` |
| `metrics.image.tag` | Redis&reg; Exporter image tag (immutable tags are recommended) | `1.50.0-debian-11-r21` |
| `metrics.image.tag` | Redis&reg; Exporter image tag (immutable tags are recommended) | `1.51.0-debian-11-r8` |
| `metrics.image.digest` | Redis&reg; Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `metrics.image.pullPolicy` | Redis&reg; Exporter image pull policy | `IfNotPresent` |
| `metrics.image.pullSecrets` | Redis&reg; Exporter image pull secrets | `[]` |
@ -519,7 +519,7 @@ The command removes all the Kubernetes components associated with the chart and
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | Bitnami Shell image registry | `docker.io` |
| `volumePermissions.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` |
| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r125` |
| `volumePermissions.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r134` |
| `volumePermissions.image.digest` | Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `volumePermissions.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` |
@ -529,7 +529,7 @@ The command removes all the Kubernetes components associated with the chart and
| `sysctl.enabled` | Enable init container to modify Kernel settings | `false` |
| `sysctl.image.registry` | Bitnami Shell image registry | `docker.io` |
| `sysctl.image.repository` | Bitnami Shell image repository | `bitnami/bitnami-shell` |
| `sysctl.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r125` |
| `sysctl.image.tag` | Bitnami Shell image tag (immutable tags are recommended) | `11-debian-11-r134` |
| `sysctl.image.digest` | Bitnami Shell image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `sysctl.image.pullPolicy` | Bitnami Shell image pull policy | `IfNotPresent` |
| `sysctl.image.pullSecrets` | Bitnami Shell image pull secrets | `[]` |


@ -2,7 +2,7 @@ annotations:
category: Infrastructure
licenses: Apache-2.0
apiVersion: v2
appVersion: 2.4.0
appVersion: 2.6.0
description: A Library Helm Chart for grouping common logic between bitnami charts.
This chart is not deployable by itself.
home: https://bitnami.com
@ -20,4 +20,4 @@ name: common
sources:
- https://github.com/bitnami/charts
type: library
version: 2.4.0
version: 2.6.0


@ -2,8 +2,6 @@
A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between Bitnami charts.
Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
## TL;DR
```yaml
@ -32,6 +30,8 @@ This chart provides a common template helpers which can be used to develop new c
Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
## Prerequisites
- Kubernetes 1.19+
@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
## License
Copyright &copy; 2023 Bitnami
Copyright &copy; 2023 VMware, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.


@ -1,3 +1,8 @@
{{/*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*


@ -1,3 +1,8 @@
{{/*
Copyright VMware, Inc.
SPDX-License-Identifier: APACHE-2.0
*/}}
{{/* vim: set filetype=mustache: */}}
{{/*
