Added chart versions:

codefresh/cf-runtime:
    - 6.4.1
  dell/csi-powerstore:
    - 2.11.1
  dell/csi-unity:
    - 2.11.1
  external-secrets/external-secrets:
    - 0.10.4
  speedscale/speedscale-operator:
    - 2.2.467

charts/codefresh/cf-runtime/6.4.1/.helmignore

@@ -0,0 +1,3 @@
+tests/
+.ci/
+test-values/

charts/codefresh/cf-runtime/6.4.1/Chart.yaml

@@ -0,0 +1,28 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: security
+      description: "updating k8s-agent"
+  artifacthub.io/containsSecurityUpdates: "false"
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Codefresh
+  catalog.cattle.io/kube-version: '>=1.18-0'
+  catalog.cattle.io/release-name: cf-runtime
+apiVersion: v2
+dependencies:
+- name: cf-common
+  repository: file://./charts/cf-common
+  version: 0.16.0
+description: A Helm chart for Codefresh Runner
+home: https://codefresh.io/
+icon: file://assets/icons/cf-runtime.png
+keywords:
+- codefresh
+- runner
+kubeVersion: '>=1.18-0'
+maintainers:
+- name: codefresh
+  url: https://codefresh-io.github.io/
+name: cf-runtime
+sources:
+- https://github.com/codefresh-io/venona
+version: 6.4.1

charts/codefresh/cf-runtime/6.4.1/files/cleanup-runtime.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:           ${API_HOST}"
+echo "AGENT_NAME:         ${AGENT_NAME}"
+echo "RUNTIME_NAME:       ${RUNTIME_NAME}"
+echo "AGENT:              ${AGENT}"
+echo "AGENT_SECRET_NAME:  ${AGENT_SECRET_NAME}"
+echo "DIND_SECRET_NAME:   ${DIND_SECRET_NAME}"
+echo "-----"
+
+auth() {
+  codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
+}
+
+remove_runtime() {
+  if [ "$AGENT" == "true" ]; then
+    codefresh delete re ${RUNTIME_NAME} || true
+  else
+    codefresh delete sys-re ${RUNTIME_NAME} || true
+  fi
+}
+
+remove_agent() {
+  codefresh delete agent ${AGENT_NAME} || true
+}
+
+remove_secrets() {
+  kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
+  kubectl delete secret $AGENT_SECRET_NAME || true
+  kubectl delete secret $DIND_SECRET_NAME || true
+}
+
+auth
+remove_runtime
+remove_agent
+remove_secrets

charts/codefresh/cf-runtime/6.4.1/files/configure-dind-certs.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+#
+
+#---
+fatal() {
+   echo "ERROR: $1"
+   exit 1
+}
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+exit_trap () {
+  local lc="$BASH_COMMAND" rc=$?
+  if [ $rc != 0 ]; then
+    if [[ -n "$SLEEP_ON_ERROR" ]]; then
+      echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
+      sleep $SLEEP_ON_ERROR
+    fi
+  fi
+}
+trap exit_trap EXIT
+
+usage() {
+    echo "Usage:
+    $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
+
+Example:
+   $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
+
+"
+}
+
+# Args
+while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
+do
+  key=$1
+  value=$2
+
+  case $key in
+    -h|--help)
+        usage
+        exit
+      ;;
+    -n|--namespace)
+        NAMESPACE="$value"
+        shift
+      ;;
+    --server-cert-cn)
+        SERVER_CERT_CN="$value"
+        shift
+      ;;
+    --server-cert-extra-sans)
+        SERVER_CERT_EXTRA_SANS="$value"
+        shift
+      ;;
+  esac
+  shift # past argument or value
+done
+
+API_HOST=${1:-"$CF_API_HOST"}
+API_TOKEN=${2:-"$CF_API_TOKEN"}
+
+[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
+[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
+
+
+API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
+
+NAMESPACE=${NAMESPACE:-default}
+RELEASE=${RELEASE:-cf-runtime}
+
+DIR=$(dirname $0)
+TMPDIR=/tmp/codefresh/
+
+TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
+TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
+CERTS_DIR=$TMPDIR/ssl
+SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
+SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
+SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
+SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
+CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
+CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
+mkdir -p $TMPDIR $CERTS_DIR
+
+K8S_CERT_SECRET_NAME=codefresh-certs-server
+echo -e "\n------------------\nGenerating server tls certificates ... "
+
+SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
+SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
+###
+
+  openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
+  openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR  || fatal "Failed to generate openssl csr "
+  GENERATE_CERTS=true
+  CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
+
+  SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
+  if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
+    SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
+  fi
+  echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
+
+  rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
+
+  SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
+        -o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
+
+  echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
+  if [[ $SIGN_STATUS != 200 ]]; then
+     echo "ERROR: Cannot sign certificates"
+     if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
+       mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
+       cat ${TMP_CERTS_FILE_ZIP}.error
+     fi
+     exit 1
+  fi
+  unzip -o -d ${CERTS_DIR}/  ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
+  cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
+  cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
+
+
+echo -e "\n------------------\nCreating certificate secret "
+
+kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
+    --from-file=$SRV_TLS_CA_CERT \
+    --from-file=$SRV_TLS_KEY \
+    --from-file=$SRV_TLS_CERT \
+    --dry-run=client -o yaml | kubectl apply --overwrite -f -
+kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
+kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'

charts/codefresh/cf-runtime/6.4.1/files/init-runtime.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:         ${API_HOST}"
+echo "AGENT_NAME:       ${AGENT_NAME}"
+echo "KUBE_CONTEXT:     ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:   ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:       ${OWNER_NAME}"
+echo "RUNTIME_NAME:     ${RUNTIME_NAME}"
+echo "SECRET_NAME:      ${SECRET_NAME}"
+echo "-----"
+
+create_agent_secret() {
+
+  kubectl apply -f - <<EOF
+  apiVersion: v1
+  kind: Secret
+  type: Opaque
+  metadata:
+    name: ${SECRET_NAME}
+    namespace: ${KUBE_NAMESPACE}
+    labels:
+      codefresh.io/internal: "true"
+    finalizers:
+    - kubernetes
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deploy
+      name: ${OWNER_NAME}
+      uid: ${OWNER_UID}
+  stringData:
+    agent-codefresh-token: ${1}
+EOF
+
+}
+
+OWNER_UID=$(kubectl get deploy ${OWNER_NAME} --namespace ${KUBE_NAMESPACE} -o jsonpath='{.metadata.uid}')
+echo "got owner uid: ${OWNER_UID}"
+
+if [ ! -z "${AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "runtime and agent are already initialized"
+    echo "-----"
+    exit 0
+fi
+
+if [ ! -z "${EXISTING_AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "using existing agentToken value"
+    create_agent_secret $EXISTING_AGENT_CODEFRESH_TOKEN
+    exit 0
+fi
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    echo "-----"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+# AGENT_TOKEN might be empty, in which case it will be returned by the call
+RES=$(codefresh install agent \
+    --name ${AGENT_NAME} \
+    --kube-context-name ${KUBE_CONTEXT} \
+    --kube-namespace ${KUBE_NAMESPACE} \
+    --agent-kube-namespace ${KUBE_NAMESPACE} \
+    --install-runtime \
+    --runtime-name ${RUNTIME_NAME} \
+    --skip-cluster-creation \
+    --platform-only)
+
+AGENT_CODEFRESH_TOKEN=$(echo "${RES}" | tail -n 1)
+echo "generated agent + runtime in platform"
+
+create_agent_secret $AGENT_CODEFRESH_TOKEN
+
+echo "-----"
+echo "done initializing runtime and agent"
+echo "-----"

charts/codefresh/cf-runtime/6.4.1/files/reconcile-runtime.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:             ${API_HOST}"
+echo "KUBE_CONTEXT:         ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:       ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:           ${OWNER_NAME}"
+echo "RUNTIME_NAME:         ${RUNTIME_NAME}"
+echo "CONFIGMAP_NAME:       ${CONFIGMAP_NAME}"
+echo "RECONCILE_INTERVAL:   ${RECONCILE_INTERVAL}"
+echo "-----"
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+while true; do
+  msg "Reconciling ${RUNTIME_NAME} runtime"
+
+  sleep $RECONCILE_INTERVAL
+
+  codefresh get re \
+      --name ${RUNTIME_NAME} \
+      -o yaml \
+      | yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
+
+  kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
+  | yq 'del(.metadata.resourceVersion, .metadata.uid)' \
+  | yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
+  | kubectl apply -f -
+done

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "app-proxy.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "app-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "app-proxy.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: app-proxy
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "app-proxy.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 3000
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_env-vars.yaml

@@ -0,0 +1,19 @@
+{{- define "app-proxy.environment-variables.defaults" }}
+PORT: 3000
+{{- end }}
+
+{{- define "app-proxy.environment-variables.calculated" }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+{{- with .Values.ingress.pathPrefix }}
+API_PATH_PREFIX: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "app-proxy.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app-proxy.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app-proxy.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "app-proxy.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "app-proxy.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "app-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_ingress.yaml

@@ -0,0 +1,32 @@
+{{- define "app-proxy.resources.ingress" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels: {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.class }}
+  {{- end }}
+  {{- if .Values.ingress.tlsSecret }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.tlsSecret }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.pathPrefix | default "/" }}
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ include "app-proxy.fullname" . }}
+                port:
+                  number: 80
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "app-proxy.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "app-proxy.serviceAccountName" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "app-proxy.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "app-proxy.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/app-proxy/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "app-proxy.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 3000
+  selector:
+    {{- include "app-proxy.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_deployment.yaml

@@ -0,0 +1,62 @@
+{{- define "event-exporter.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "event-exporter.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: event-exporter
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        args: [--running-in-cluster=true]
+        env:
+        {{- include "event-exporter.environment-variables" . | nindent 8 }}
+        ports:
+        - name: metrics
+          containerPort: 9102
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_env-vars.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables.calculated" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "event-exporter.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "event-exporter.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "event-exporter.labels" -}}
+{{ include "cf-runtime.labels" . }}
+app: event-exporter
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "event-exporter.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+app: event-exporter
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "event-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "event-exporter.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "event-exporter.serviceAccountName" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [get, list, watch]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "event-exporter.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "event-exporter.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "event-exporter.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: metrics
+    port: 9102
+    targetPort: metrics
+    protocol: TCP
+  selector:
+    {{- include "event-exporter.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/event-exporter/_serviceMontor.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.resources.serviceMonitor" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  endpoints:
+  - port: metrics
+  selector:
+    matchLabels:
+    {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/monitor/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "monitor.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "monitor.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "monitor.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 9020
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /api/ping
+            port: 9020
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/monitor/_env-vars.yaml

@@ -0,0 +1,26 @@
+{{- define "monitor.environment-variables.defaults" }}
+SERVICE_NAME: {{ include "monitor.fullname" . }}
+PORT: 9020
+HELM3: true
+NODE_OPTIONS: "--max_old_space_size=4096"
+{{- end }}
+
+{{- define "monitor.environment-variables.calculated" }}
+API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
+API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
+ACCOUNT_ID: {{ .Values.global.accountId }}
+NAMESPACE: {{ .Release.Namespace }}
+{{- if .Values.rbac.namespaced }}
+ROLE_BINDING: true
+{{- end }}
+{{- end }}
+
+{{- define "monitor.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/monitor/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "monitor.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "monitor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/monitor/_rbac.yaml

@@ -0,0 +1,56 @@
+{{- define "monitor.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "monitor.serviceAccountName" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch", "create", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "deletecollection" ]
+  - apiGroups: [ "extensions" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "monitor.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ include "monitor.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/monitor/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "monitor.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 9020
+  selector:
+    {{- include "monitor.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/_deployment.yaml

@@ -0,0 +1,103 @@
+{{- define "runner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "runner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "runner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "runner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      initContainers:
+      - name: init
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
+        imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-init.environment-variables" . | nindent 8 }}
+        {{- with .Values.init.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      containers:
+      - name: runner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+        env:
+        {{- include "runner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        {{- with .Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+        {{- with .Values.extraVolumeMounts }}
+        volumeMounts:
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- if .Values.sidecar.enabled }}
+      - name: reconcile-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
+        imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-sidecar.environment-variables" . | nindent 8 }}
+        {{- with .Values.sidecar.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.extraVolumes }}
+      volumes:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runner.name" -}}
+  {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runner.fullname" -}}
+  {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "runner.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create }}
+    {{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/_rbac.yaml

@@ -0,0 +1,53 @@
+{{- define "runner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runner.serviceAccountName" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods", "persistentvolumeclaims" ]
+    verbs: [ "get", "create", "delete", patch ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps", "secrets" ]
+    verbs: [ "get", "create", "update", patch ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "runner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/environment-variables/_init-container.yaml

@@ -0,0 +1,30 @@
+{{- define "runner-init.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-init.environment-variables.calculated" }}
+AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+AGENT_CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+      optional: true
+EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+SECRET_NAME: {{ include "runner.fullname" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+{{- end }}
+
+{{- define "runner-init.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/environment-variables/_main-container.yaml

@@ -0,0 +1,28 @@
+{{- define "runner.environment-variables.defaults" }}
+AGENT_MODE: InCluster
+SELF_DEPLOYMENT_NAME:
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+{{- end }}
+
+{{- define "runner.environment-variables.calculated" }}
+AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+{{- end }}
+
+{{- define "runner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/runner/environment-variables/_sidecar-container.yaml

@@ -0,0 +1,22 @@
+{{- define "runner-sidecar.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables.calculated" }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.sidecar.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_cronjob.yaml

@@ -0,0 +1,58 @@
+{{- define "dind-volume-provisioner.resources.cronjob" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- if not (eq .Values.storage.backend "local") }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "dind-volume-cleanup.fullname" . }}
+  labels:
+    {{- include "dind-volume-cleanup.labels" . | nindent 4 }}
+spec:
+  concurrencyPolicy: {{ .Values.concurrencyPolicy }}
+  schedule: {{ .Values.schedule | quote }}
+  successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
+  failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
+  {{- with .Values.suspend }}
+  suspend: {{ . }}
+  {{- end }}
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
+          {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        spec:
+          {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
+          serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+          {{- if .Values.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          restartPolicy: {{ .Values.restartPolicy | default "Never" }}
+          containers:
+          - name: dind-volume-cleanup
+            image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+            imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+            env:
+            {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
+            - name: PROVISIONED_BY
+              value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+            resources:
+            {{- toYaml .Values.resources | nindent 14 }}
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+  {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_daemonset.yaml

@@ -0,0 +1,98 @@
+{{- define "dind-volume-provisioner.resources.daemonset" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir  }}
+{{- if eq .Values.storage.backend "local" }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "dind-lv-monitor.fullname" . }}
+  labels:
+    {{- include "dind-lv-monitor.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .Values.volumePermissions.enabled }}
+      initContainers:
+      - name: volume-permissions
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }}
+        imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
+        command:
+         - /bin/sh
+        args:
+         - -ec
+         - |
+           chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          name: dind-volume-dir
+        {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+        securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
+        {{- else }}
+        securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
+      {{- end }}
+      containers:
+      - name: dind-lv-monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
+        command:
+          - /home/dind-volume-utils/bin/local-volumes-agent
+        env:
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: VOLUME_PARENT_DIR
+            value: {{ $localVolumeParentDir }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10  }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          readOnly: false
+          name: dind-volume-dir
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      - name: dind-volume-dir
+        hostPath:
+          path: {{ $localVolumeParentDir }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_deployment.yaml

@@ -0,0 +1,67 @@
+{{- define "dind-volume-provisioner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: dind-volume-provisioner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        command:
+          - /usr/local/bin/dind-volume-provisioner
+          - -v=4
+          - --resync-period=50s
+        env:
+        {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_env-vars.yaml

@@ -0,0 +1,88 @@
+{{- define "dind-volume-provisioner.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables.calculated" }}
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+AWS_ACCESS_KEY_ID:
+  {{- if .Values.storage.ebs.accessKeyId }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_access_key_id
+  {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+AWS_SECRET_ACCESS_KEY:
+  {{- if .Values.storage.ebs.secretAccessKey }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_secret_access_key
+  {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
+{{- end }}
+
+{{- if and .Values.storage.mountAzureJson }}
+AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
+CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
+{{- end }}
+
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
+
+
+{{- define "dind-volume-provisioner.volumes.calculated" }}
+  {{- if .Values.storage.gcedisk.serviceAccountJson }}
+- name: credentials
+  secret:
+    secretName: {{ include "dind-volume-provisioner.fullname" . }}
+    optional: true
+  {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  secret:
+    secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
+    optional: true
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  hostPath:
+    path: /etc/kubernetes/azure.json
+    type: File
+  {{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
+  {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  readOnly: true
+  mountPath: "/etc/dind-volume-provisioner/credentials"
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  readOnly: true
+  mountPath: "/etc/kubernetes/azure.json"
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_helpers.tpl

@@ -0,0 +1,93 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dind-volume-provisioner.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dind-volume-provisioner.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-volume-cleanup.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-lv-monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Provisioner name for storage class
+*/}}
+{{- define "dind-volume-provisioner.volumeProvisionerName" }}
+    {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
+{{- end }}
+
+{{/*
+Common labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Selector labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Common labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Selector labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dind-volume-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.storageClassName" }}
+{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_rbac.yaml

@@ -0,0 +1,71 @@
+{{- define "dind-volume-provisioner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch", "update", "delete" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch", "create", "update", "delete" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    verbs: [ "get", "create", "update" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_secret.yaml

@@ -0,0 +1,22 @@
+{{- define "dind-volume-provisioner.resources.secret" -}}
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+stringData:
+  {{- with .Values.storage.gcedisk.serviceAccountJson }}
+  google-service-account.json: |
+{{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.storage.ebs.accessKeyId }}
+  aws_access_key_id: {{ . }}
+  {{- end }}
+  {{- with .Values.storage.ebs.secretAccessKey }}
+  aws_secret_access_key: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_components/volume-provisioner/_storageclass.yaml

@@ -0,0 +1,47 @@
+{{- define "dind-volume-provisioner.resources.storageclass" -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  {{/* has to be exactly that */}}
+  name: {{ include "dind-volume-provisioner.storageClassName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+parameters:
+{{- if eq .Values.storage.backend "local" }}
+  volumeBackend: local
+  volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
+{{- else if eq .Values.storage.backend "gcedisk" }}
+  volumeBackend: {{ .Values.storage.backend }}
+  type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
+  zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
+  AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
+  {{- with .Values.storage.ebs.kmsKeyId }}
+  kmsKeyId: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.iops }}
+  iops: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.throughput }}
+  throughput: {{ . | quote }}
+  {{- end }}
+{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  kind: managed
+  skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
+  {{- with .Values.storage.azuredisk.availabilityZone }}
+  availabilityZone: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.azuredisk.resourceGroup }}
+  resourceGroup: {{ . | quote }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.4.1/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cf-runtime.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cf-runtime.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cf-runtime.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cf-runtime.labels" -}}
+helm.sh/chart: {{ include "cf-runtime.chart" . }}
+{{ include "cf-runtime.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cf-runtime.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/app-proxy/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.deployment" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/app-proxy/ingress.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.ingress" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/app-proxy/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.rbac" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/app-proxy/service.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.service" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/event-exporter/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.deployment" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/event-exporter/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.rbac" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/event-exporter/service.yaml

@@ -0,0 +1,11 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.service" $eventExporterContext }}
+---
+{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/extra/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+
+{{- range .Values.extraResources }}
+---
+{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/extra/runtime-images-cm.yaml

@@ -0,0 +1,19 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.engine.runtimeImages }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  {{- /* dummy template just to list runtime images */}}
+  name: {{ include "runtime.fullname" . }}-images
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  images: |
+    {{- range $key, $val := $values }}
+    image: {{ $val }}
+    {{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/post-install/cm-update-runtime.yaml

@@ -0,0 +1,18 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "runtime.fullname" . }}-spec
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  runtime.yaml: |
+    {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/post-install/job-gencerts-dind.yaml

@@ -0,0 +1,68 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "3"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-gencerts-dind
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: gencerts-dind
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
+        env:
+        - name: NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: RELEASE
+          value: {{ .Release.Name }}
+        - name: CF_API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: CF_API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/post-install/job-update-runtime.yaml

@@ -0,0 +1,77 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-patch
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-patch
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: patch-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - |
+          codefresh auth create-context --api-key $API_KEY --url $API_HOST
+          cat /usr/share/extras/runtime.yaml
+          codefresh get re
+{{- if .Values.runtime.agent }}
+          codefresh patch re -f /usr/share/extras/runtime.yaml
+{{- else }}
+          codefresh patch sys-re -f /usr/share/extras/runtime.yaml
+{{- end }}
+        env:
+        - name: API_KEY
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+        volumeMounts:
+        - name: config
+          mountPath: /usr/share/extras/runtime.yaml
+          subPath: runtime.yaml
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+      volumes:
+      - name: config
+        configMap:
+          name: {{ include "runtime.fullname" . }}-spec
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/post-install/rbac-gencerts-dind.yaml

@@ -0,0 +1,37 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-gencerts-dind
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/pre-delete/job-cleanup-resources.yaml

@@ -0,0 +1,73 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy:  hook-succeeded,before-hook-creation
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-cleanup
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: cleanup
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
+        env:
+        - name: AGENT_NAME
+          value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+        - name: RUNTIME_NAME
+          value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: AGENT
+          value: {{ .Values.runtime.agent | quote }}
+        - name: AGENT_SECRET_NAME
+          value: {{ include "runner.fullname" . }}
+        - name: DIND_SECRET_NAME
+          value: codefresh-certs-server
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/hooks/pre-delete/rbac-cleanup-resources.yaml

@@ -0,0 +1,46 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-cleanup
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/6.4.1/templates/monitor/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.deployment" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/monitor/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.rbac" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/monitor/service.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.service" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/other/external-secrets.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.4.1/templates/other/podMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.4.1/templates/other/serviceMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.4.1/templates/runner/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.deployment" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/runner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.rbac" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/runtime/_helpers.tpl

@@ -0,0 +1,123 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runtime.name" -}}
+    {{- printf "%s" (include "cf-runtime.name" .)  | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runtime.fullname" -}}
+    {{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runtime.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runtime.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Return runtime image (classic runtime) with private registry prefix
+*/}}
+{{- define "runtime.runtimeImageName" -}}
+  {{- if .registry -}}
+    {{- $imageName :=  (trimPrefix "quay.io/" .imageFullName) -}}
+    {{- printf "%s/%s" .registry $imageName -}}
+  {{- else -}}
+    {{- printf "%s" .imageFullName -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Environment variable value of Codefresh installation token
+*/}}
+{{- define "runtime.installation-token-env-var-value" -}}
+  {{- if .Values.global.codefreshToken }}
+valueFrom:
+  secretKeyRef:
+    name: {{ include "runtime.installation-token-secret-name" . }}
+    key: codefresh-api-token
+  {{- else if .Values.global.codefreshTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Environment variable value of Codefresh agent token
+*/}}
+{{- define "runtime.agent-token-env-var-value" -}}
+  {{- if .Values.global.agentToken }}
+{{- printf "%s" .Values.global.agentToken | toYaml }}
+  {{- else if .Values.global.agentTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Print Codefresh API token secret name
+*/}}
+{{- define "runtime.installation-token-secret-name" }}
+{{- print "codefresh-user-token" }}
+{{- end }}
+
+{{/*
+Print Codefresh host
+*/}}
+{{- define "runtime.runtime-environment-spec.codefresh-host" }}
+{{- if and (not .Values.global.codefreshHost) }}
+  {{- fail "ERROR: .global.codefreshHost is required" }}
+{{- else }}
+  {{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print runtime-environment name
+*/}}
+{{- define "runtime.runtime-environment-spec.runtime-name" }}
+{{- if and (not .Values.global.runtimeName) }}
+  {{- printf "%s/%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.runtimeName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print agent name
+*/}}
+{{- define "runtime.runtime-environment-spec.agent-name" }}
+{{- if and (not .Values.global.agentName) }}
+  {{- printf "%s_%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.agentName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print context
+*/}}
+{{- define "runtime.runtime-environment-spec.context-name" }}
+{{- if and (not .Values.global.context) }}
+  {{- fail "ERROR: .global.context is required" }}
+{{- else }}
+  {{- printf "%s" .Values.global.context }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/runtime/cm-dind-daemon.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-dind-config
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+data:
+  daemon.json: |
+{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}

charts/codefresh/cf-runtime/6.4.1/templates/runtime/rbac.yaml

@@ -0,0 +1,48 @@
+{{ $values := .Values.runtime }}
+---
+{{- if or $values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-engine
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  {{- with $values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if $values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with $values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and $values.serviceAccount.create $values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: codefresh-engine
+roleRef:
+  kind: Role
+  name: codefresh-engine
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+

charts/codefresh/cf-runtime/6.4.1/templates/runtime/runtime-env-spec-tmpl.yaml

@@ -0,0 +1,214 @@
+{{- define "runtime.runtime-environment-spec.template" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
+{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $engineContext := .Values.runtime.engine -}}
+{{- $dindContext := .Values.runtime.dind -}}
+{{- $imageRegistry := .Values.global.imageRegistry -}}
+metadata:
+  name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+  agent: {{ .Values.runtime.agent }}
+runtimeScheduler:
+  type: KubernetesPod
+  {{- if $engineContext.image }}
+  image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $engineContext.image.pullPolicy }}
+  {{- with $engineContext.command }}
+  command: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  envVars:
+  {{- with $engineContext.env }}
+    {{- range $key, $val := . }}
+      {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+    {{ $key }}: {{ $val | squote }}
+      {{- else }}
+    {{ $key }}: {{ $val }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+    COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
+    CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
+    DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
+    DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
+    DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
+    DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
+    FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
+    GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
+    KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
+    PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
+    TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
+    CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
+    GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
+    COSIGN_IMAGE_SIGNER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COSIGN_IMAGE_SIGNER_IMAGE) | squote }}
+  {{- with $engineContext.userEnvVars }}
+  userEnvVars:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.workflowLimits }}
+  workflowLimits: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $engineContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $engineContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $engineContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.tolerations }}
+  tolerations:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $engineContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $engineContext.schedulerName }}
+  schedulerName: {{ $engineContext.schedulerName }}
+  {{- end }}
+  resources:
+  {{- if $engineContext.resources}}
+  {{- toYaml $engineContext.resources | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.terminationGracePeriodSeconds }}
+  terminationGracePeriodSeconds: {{ . }}
+  {{- end }}
+dockerDaemonScheduler:
+  type: DindKubernetesPod
+  {{- if $dindContext.image }}
+  dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $dindContext.image.pullPolicy }}
+  {{- with $dindContext.userAccess }}
+  userAccess: {{ . }}
+  {{- end }}
+  {{- with $dindContext.env }}
+  envVars:
+    {{- range $key, $val := . }}
+      {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+    {{ $key }}: {{ $val | squote }}
+      {{- else }}
+    {{ $key }}: {{ $val }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $dindContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $dindContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $dindContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.tolerations }}
+  tolerations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $dindContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $dindContext.schedulerName }}
+  schedulerName: {{ $dindContext.schedulerName }}
+  {{- end }}
+  {{- if $dindContext.pvcs }}
+  pvcs:
+  {{- range $index, $pvc := $dindContext.pvcs }}
+    - name: {{ $pvc.name }}
+      reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
+      reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
+      storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
+      volumeSize: {{ $pvc.volumeSize }}
+      {{- with $pvc.annotations }}
+      annotations: {{ . | toYaml | nindent 8 }}
+      {{- end }}
+  {{- end }}
+  {{- end }}
+  defaultDindResources:
+  {{- with $dindContext.resources }}
+  {{- if not .requests }}
+    limits: {{- toYaml .limits | nindent 6 }}
+    requests: null
+  {{- else }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- with $dindContext.terminationGracePeriodSeconds }}
+  terminationGracePeriodSeconds: {{ . }}
+  {{- end }}
+  {{- with $dindContext.userVolumeMounts }}
+  userVolumeMounts: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.userVolumes }}
+  userVolumes: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if and (not .Values.runtime.agent)  }}
+  clientCertPath: /etc/ssl/cf/
+  volumeMounts:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      mountPath: /etc/ssl/cf
+      readOnly: false
+  volumes:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      secret:
+        secretName: codefresh-certs-server
+  {{- end }}
+extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
+  {{- if .Values.runtime.description }}
+description: {{ .Values.runtime.description }}
+  {{- else }}
+description: null
+  {{- end }}
+{{- if .Values.global.accountId }}
+accountId: {{ .Values.global.accountId }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
+{{- end }}
+{{- if .Values.appProxy.enabled }}
+appProxy:
+  externalIP: >-
+    {{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+systemHybrid: true
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/runtime/secret.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.global.codefreshToken }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "runtime.installation-token-secret-name" . }}
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+stringData:
+  codefresh-api-token: {{ .Values.global.codefreshToken }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/runtime/svc-dind.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+    app: dind
+  {{/* has to be a constant */}}
+  name: dind
+spec:
+  ports:
+  - name: "dind-port"
+    port: 1300
+    protocol: TCP
+  clusterIP: None
+  selector:
+    app: dind

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/cronjob.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/daemonset.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/deployment.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/secret.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/templates/volume-provisioner/storageclass.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.4.1/values.yaml

@@ -0,0 +1,951 @@
+# -- String to partially override cf-runtime.fullname template (will maintain the release name)
+nameOverride: ""
+# -- String to fully override cf-runtime.fullname template
+fullnameOverride: ""
+
+# -- Global parameters
+# @default -- See below
+global:
+  # -- Global Docker image registry
+  imageRegistry: ""
+  # -- Global Docker registry secret names as array
+  imagePullSecrets: []
+
+  # -- URL of Codefresh Platform (required!)
+  codefreshHost: "https://g.codefresh.io"
+  # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
+  # Ref: https://g.codefresh.io/user/settings (see API Keys)
+  # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
+  codefreshToken: ""
+  # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
+  codefreshTokenSecretKeyRef: {}
+
+  # E.g.
+  # codefreshTokenSecretKeyRef:
+  #   name: my-codefresh-api-token
+  #   key: codefresh-api-token
+
+  # -- Account ID (required!)
+  # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
+  accountId: ""
+
+  # -- K8s context name (required!)
+  context: ""
+  # E.g.
+  # context: prod-ue1-runtime-1
+
+  # -- Agent Name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}`
+  agentName: ""
+  # E.g.
+  # agentName: prod-ue1-runtime-1
+
+  # -- Runtime name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}`
+  runtimeName: ""
+  # E.g.
+  # runtimeName: prod-ue1-runtime-1/namespace
+
+  # -- DEPRECATED Agent token in plain text.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentToken: ""
+  # -- DEPRECATED Agent token that references an existing secret containing API key.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentTokenSecretKeyRef: {}
+  # E.g.
+  # agentTokenSecretKeyRef:
+  #   name: my-codefresh-agent-secret
+  #   key: codefresh-agent-token
+
+# DEPRECATED -- Use `.Values.global.imageRegistry` instead
+dockerRegistry: ""
+
+# DEPRECATED -- Use `.Values.runtime` instead
+re: {}
+
+# -- Runner parameters
+# @default -- See below
+runner:
+  # -- Enable the runner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/venona
+    tag: 1.10.2
+
+  # -- Init container
+  init:
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+
+    resources:
+      limits:
+        memory: 512Mi
+        cpu: '1'
+      requests:
+        memory: 256Mi
+        cpu: '0.2'
+
+  # -- Sidecar container
+  # Reconciles runtime spec from Codefresh API for drift detection
+  sidecar:
+    enabled: false
+    image:
+      registry: quay.io
+      repository: codefresh/codefresh-shell
+      tag: 0.0.2
+    env:
+      RECONCILE_INTERVAL: 300
+    resources: {}
+
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 10001
+    runAsGroup: 10001
+    fsGroup: 10001
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Volume Provisioner parameters
+# @default -- See below
+volumeProvisioner:
+  # -- Enable volume-provisioner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/dind-volume-provisioner
+    tag: 1.35.0
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 3000
+    runAsGroup: 3000
+    fsGroup: 3000
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+  # -- `dind-lv-monitor` DaemonSet parameters
+  # (local volumes cleaner)
+  # @default -- See below
+  dind-lv-monitor:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-utils
+      tag: 1.29.4
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    containerSecurityContext: {}
+    env: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations:
+    - key: 'codefresh/dind'
+      operator: 'Exists'
+      effect: 'NoSchedule'
+    volumePermissions:
+      enabled: true
+      image:
+        registry: docker.io
+        repository: alpine
+        tag: 3.18
+      resources: {}
+      securityContext:
+        runAsUser: 0 # auto
+
+  # `dind-volume-cleanup` CronJob parameters
+  # (external volumes cleaner)
+  # @default -- See below
+  dind-volume-cleanup:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-cleanup
+      tag: 1.2.0
+    env: {}
+    concurrencyPolicy: Forbid
+    schedule: "*/10 * * * *"
+    successfulJobsHistory: 3
+    failedJobsHistory: 1
+    suspend: false
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      fsGroup: 3000
+      runAsGroup: 3000
+      runAsUser: 3000
+    nodeSelector: {}
+    affinity: {}
+    tolerations: []
+
+# Storage parameters for volume-provisioner
+# @default -- See below
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: local
+  # -- Set filesystem type (`ext4`/`xfs`)
+  fsType: "ext4"
+
+  # Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`)
+  # https://kubernetes.io/docs/concepts/storage/volumes/#local
+  # @default -- See below
+  local:
+    # -- Set volume path on the host filesystem
+    volumeParentDir: /var/lib/codefresh/dind-volumes
+
+  # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`)
+  # https://aws.amazon.com/ebs/
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration
+  # @default -- See below
+  ebs:
+    # -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required)
+    volumeType: "gp2"
+    # -- Set EBS volumes availability zone (required)
+    availabilityZone: "us-east-1a"
+    # -- Enable encryption (optional)
+    encrypted: "false"
+    # -- Set KMS encryption key ID (optional)
+    kmsKeyId: ""
+
+    # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    accessKeyId: ""
+    # -- Existing secret containing AWS_ACCESS_KEY_ID.
+    accessKeyIdSecretKeyRef: {}
+    # E.g.
+    # accessKeyIdSecretKeyRef:
+    #   name:
+    #   key:
+
+    # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    secretAccessKey: ""
+    # -- Existing secret containing AWS_SECRET_ACCESS_KEY
+    secretAccessKeySecretKeyRef: {}
+    # E.g.
+    # secretAccessKeySecretKeyRef:
+    #   name:
+    #   key:
+
+    # E.g.
+    # ebs:
+    #   volumeType: gp3
+    #   availabilityZone: us-east-1c
+    #   encrypted: false
+    #   iops: "5000"
+    #   # I/O operations per second. Only effetive when gp3 volume type is specified.
+    #   # Default value - 3000.
+    #   # Max - 16,000
+    #   throughput: "500"
+    #   # Throughput in MiB/s. Only effective when gp3 volume type is specified.
+    #   # Default value - 125.
+    #   # Max - 1000.
+    # ebs:
+    #   volumeType: gp2
+    #   availabilityZone: us-east-1c
+    #   encrypted: true
+    #   kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
+    #   accessKeyId: "MYKEYID"
+    #   secretAccessKey: "MYACCESSKEY"
+
+  # Storage parameters example for gce disks
+  # https://cloud.google.com/compute/docs/disks#pdspecs
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration
+  # @default -- See below
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-ssd"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-west1-a"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: ""
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.
+    # gcedisk:
+    #   volumeType: pd-ssd
+    #   availabilityZone: us-central1-c
+    #   serviceAccountJson: |-
+    #          {
+    #           "type": "service_account",
+    #           "project_id": "...",
+    #           "private_key_id": "...",
+    #           "private_key": "...",
+    #           "client_email": "...",
+    #           "client_id": "...",
+    #           "auth_uri": "...",
+    #           "token_uri": "...",
+    #           "auth_provider_x509_cert_url": "...",
+    #           "client_x509_cert_url": "..."
+    #           }
+
+  # Storage parameters example for Azure Disks
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks
+  # @default -- See below
+  azuredisk:
+    # -- Set storage type (`Premium_LRS`)
+    skuName: Premium_LRS
+    cachingMode: None
+    # availabilityZone: northeurope-1
+    # resourceGroup:
+    # DiskIOPSReadWrite: 500
+    # DiskMBpsReadWrite: 100
+
+  mountAzureJson: false
+
+# -- Set runtime parameters
+# @default -- See below
+
+runtime:
+  # -- Set annotation on engine Service Account
+  # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
+  serviceAccount:
+    create: true
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+
+  # -- Set parent runtime to inherit.
+  # Should not be changes. Parent runtime is controlled from Codefresh side.
+  runtimeExtends:
+    - system/default/hybrid/k8s_low_limits
+  # -- Runtime description
+  description: ""
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the engine role
+    rules: []
+
+  # -- (for On-Premise only) Enable agent
+  agent: true
+  # -- (for On-Premise only) Set inCluster runtime
+  inCluster: true
+  # -- (for On-Premise only) Assign accounts to runtime (list of account ids)
+  accounts: []
+
+  # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod).
+  dind:
+    # -- Set dind image.
+    image:
+      registry: quay.io
+      repository: codefresh/dind
+      tag: 26.1.4-1.28.7  # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind
+      pullPolicy: IfNotPresent
+    # -- Set dind resources.
+    resources:
+      requests: null
+      limits:
+        cpu: 400m
+        memory: 800Mi
+    # -- Set termination grace period.
+    terminationGracePeriodSeconds: 30
+    # -- PV claim spec parametes.
+    pvcs:
+      # -- Default dind PVC parameters
+      dind:
+        # -- PVC name prefix.
+        # Keep `dind` as default! Don't change!
+        name: dind
+        # -- PVC storage class name.
+        # Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner
+        storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}'
+        # -- PVC size.
+        volumeSize: 16Gi
+        # -- PV reuse selector.
+        # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy
+        reuseVolumeSelector: codefresh-app,io.codefresh.accountName
+        reuseVolumeSortOrder: pipeline_id
+        # -- PV annotations.
+        annotations: {}
+        # E.g.:
+        # annotations:
+        #   codefresh.io/volume-retention: 7d
+    # -- Set additional env vars.
+    env:
+      DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Keep `true` as default!
+    userAccess: true
+    # -- Add extra volumes
+    userVolumes: {}
+    # E.g.:
+    # userVolumes:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     secret:
+    #       items:
+    #         - key: .dockerconfigjson
+    #           path: config.json
+    #       secretName: regctl-docker-registry
+    #       optional: true
+    # -- Add extra volume mounts
+    userVolumeMounts: {}
+    # E.g.:
+    # userVolumeMounts:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     mountPath: /home/appuser/.docker/
+    #     readOnly: true
+
+  # -- Parameters for Engine pod (aka "pipeline" orchestrator).
+  engine:
+    # -- Set image.
+    image:
+      registry: quay.io
+      repository: codefresh/engine
+      tag: 1.174.12
+      pullPolicy: IfNotPresent
+    # -- Set container command.
+    command:
+      - npm
+      - run
+      - start
+    # -- Set resources.
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 1000m
+        memory: 2048Mi
+    # -- Set termination grace period.
+    terminationGracePeriodSeconds: 180
+    # -- Set system(base) runtime images.
+    # @default -- See below.
+    runtimeImages:
+      COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0
+      CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.6
+      DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.13
+      DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.17
+      DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.16
+      DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14
+      FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3
+      GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.1.28
+      KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11
+      PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.0
+      TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1
+      CR_6177_FIXER: 'quay.io/codefresh/alpine:edge'
+      GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3'
+      COSIGN_IMAGE_SIGNER_IMAGE: 'quay.io/codefresh/cf-cosign-image-signer:2.4.0-cf.2'
+    # -- Set additional env vars.
+    env:
+      # -- Interval to check the exec status in the container-logger
+      CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000
+      # -- Timeout while doing requests to the Docker daemon
+      DOCKER_REQUEST_TIMEOUT_MS: 30000
+      # -- If "true", composition images will be pulled sequentially
+      FORCE_COMPOSE_SERIAL_PULL: false
+      # -- Level of logging for engine
+      LOGGER_LEVEL: debug
+      # -- Enable debug-level logging of outgoing HTTP/HTTPS requests
+      LOG_OUTGOING_HTTP_REQUESTS: false
+      # -- Enable emitting metrics from engine
+      METRICS_PROMETHEUS_ENABLED: true
+      # -- Enable legacy metrics
+      METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false
+      # -- Enable collecting process metrics
+      METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false
+      # -- Host for Prometheus metrics server
+      METRICS_PROMETHEUS_HOST: '0.0.0.0'
+      # -- Port for Prometheus metrics server
+      METRICS_PROMETHEUS_PORT: 9100
+    # -- Set workflow limits.
+    workflowLimits:
+      # -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds.
+      MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
+      # -- Maximum time for workflow execution; seconds.
+      MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
+      # -- Maximum time allowed to workflow to spend in "elected" state; seconds.
+      MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
+      # -- Maximum retry attempts allowed for workflow.
+      MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
+      # -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
+      # -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
+      # -- Time since the last health check report after which workflow is terminated; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
+      # -- Time since the last health check report after which the engine is considered unhealthy; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
+      # -- Time since the last workflow logs activity after which workflow is terminated; seconds.
+      TIME_INACTIVE_UNTIL_TERMINATION: 2700
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Set extra env vars
+    userEnvVars: []
+    # E.g.
+    # userEnvVars:
+    # - name: GITHUB_TOKEN
+    #   valueFrom:
+    #     secretKeyRef:
+    #       name: github-token
+    #       key: token
+
+  # -- Parameters for `runtime-patch` post-upgrade/install hook
+  # @default -- See below
+  patch:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+    env:
+      HOME: /tmp
+
+  # -- Parameters for `gencerts-dind` post-upgrade/install hook
+  # @default -- See below
+  gencerts:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/kubectl
+      tag: 1.28.4
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+
+  # -- DinD pod daemon config
+  # @default -- See below
+  dindDaemon:
+    hosts:
+      - unix:///var/run/docker.sock
+      - tcp://0.0.0.0:1300
+    tlsverify: true
+    tls: true
+    tlscacert: /etc/ssl/cf-client/ca.pem
+    tlscert: /etc/ssl/cf/server-cert.pem
+    tlskey: /etc/ssl/cf/server-key.pem
+    insecure-registries:
+      - 192.168.99.100:5000
+    metrics-addr: 0.0.0.0:9323
+    experimental: true
+
+# App-Proxy parameters
+# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation
+# @default -- See below
+appProxy:
+  # -- Enable app-proxy
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-app-proxy
+    tag: 0.0.47
+  # -- Add additional env vars
+  env: {}
+
+  # Set app-proxy ingress parameters
+  # @default -- See below
+  ingress:
+    # -- Set path prefix for ingress (keep empty for default `/` path)
+    pathPrefix: ""
+    # -- Set ingress class
+    class: ""
+    # -- Set DNS hostname the ingress will use
+    host: ""
+    # -- Set k8s tls secret for the ingress object
+    tlsSecret: ""
+    # -- Set extra annotations for ingress object
+    annotations: {}
+    # E.g.
+    # ingress:
+    #   pathPrefix: "/cf-app-proxy"
+    #   class: "nginx"
+    #   host: "mydomain.com"
+    #   tlsSecret: "tls-cert-app-proxy"
+    #   annotations:
+    #     nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  podSecurityContext: {}
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# Monitor parameters
+# @default -- See below
+monitor:
+  # -- Enable monitor
+  # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component
+  enabled: false
+
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-k8s-agent
+    tag: 1.3.18
+  # -- Add additional env vars
+  env: {}
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  podSecurityContext: {}
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Add serviceMonitor
+# @default -- See below
+serviceMonitor:
+  main:
+    # -- Enable service monitor for dind pods
+    enabled: false
+    nameOverride: dind
+    selector:
+      matchLabels:
+        app: dind
+    endpoints:
+    - path: /metrics
+      targetPort: 9100
+      relabelings:
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+
+# -- Add podMonitor (for engine pods)
+# @default -- See below
+podMonitor:
+  main:
+    # -- Enable pod monitor for engine pods
+    enabled: false
+    nameOverride: engine
+    selector:
+      matchLabels:
+        app: runtime
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 9100
+
+  runner:
+    # -- Enable pod monitor for runner pod
+    enabled: false
+    nameOverride: runner
+    selector:
+      matchLabels:
+        codefresh.io/application: runner
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 8080
+
+  volume-provisioner:
+    # -- Enable pod monitor for volumeProvisioner pod
+    enabled: false
+    nameOverride: volume-provisioner
+    selector:
+      matchLabels:
+        codefresh.io/application: volume-provisioner
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 8080
+
+# -- Event exporter parameters
+# @default -- See below
+event-exporter:
+  # -- Enable event-exporter
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: docker.io
+    repository: codefresh/k8s-event-exporter
+    tag: latest
+  # -- Add additional env vars
+  env: {}
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: false
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Array of extra objects to deploy with the release
+extraResources: []
+# E.g.
+# extraResources:
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRole
+#   metadata:
+#     name: codefresh-role
+#   rules:
+#     - apiGroups: [ "*"]
+#       resources: ["*"]
+#       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# - apiVersion: v1
+#   kind: ServiceAccount
+#   metadata:
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRoleBinding
+#   metadata:
+#     name: codefresh-user
+#   roleRef:
+#     apiGroup: rbac.authorization.k8s.io
+#     kind: ClusterRole
+#     name: codefresh-role
+#   subjects:
+#   - kind: ServiceAccount
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: v1
+#   kind: Secret
+#   type: kubernetes.io/service-account-token
+#   metadata:
+#     name: codefresh-user-token
+#     namespace: "{{ .Release.Namespace }}"
+#     annotations:
+#       kubernetes.io/service-account.name: "codefresh-user"

charts/dell/csi-powerstore/2.11.1/Chart.yaml

@@ -0,0 +1,23 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Dell CSI PowerStore
+  catalog.cattle.io/kube-version: '>= 1.24.0'
+  catalog.cattle.io/release-name: powerstore
+apiVersion: v2
+appVersion: 2.11.1
+description: 'PowerStore CSI (Container Storage Interface) driver Kubernetes integration.
+  This chart includes everything required to provision via CSI as well as a PowerStore
+  StorageClass. '
+home: https://github.com/dell/csi-powerstore
+icon: file://assets/icons/csi-powerstore.png
+keywords:
+- csi
+- storage
+kubeVersion: '>= 1.24.0'
+maintainers:
+- name: DellEMC
+name: csi-powerstore
+sources:
+- https://github.com/dell/csi-powerstore
+type: application
+version: 2.11.1

charts/dell/csi-powerstore/2.11.1/app-readme.md

@@ -0,0 +1,92 @@
+# CSI Driver for Dell PowerStore Helm chart
+
+The [CSI Driver for Dell PowerStore](https://github.com/dell/csi-powerstore) is part of the CSM (Container Storage Modules) open-source suite of Kubernetes storage enablers for Dell EMC products. CSI Driver for PowerStore is a Container Storage Interface (CSI) driver that provides support for provisioning persistent storage using Dell EMC PowerStore storage array.
+
+## Prerequisites
+
+- Kubernetes version >= 1.23 (see [supported version](https://dell.github.io/csm-docs/docs/csidriver/#features-and-capabilities))
+- Helm 3
+- If you plan to use either the Fibre Channel or iSCSI or NVMe/TCP or NVMe/FC protocol, refer to either _Fibre Channel requirements_ or _Set up the iSCSI Initiator_ or _Set up the NVMe Initiator_ sections below. You can use NFS volumes without FC or iSCSI or NVMe/TCP or NVMe/FC configuration.
+> You can use either the Fibre Channel or iSCSI or NVMe/TCP or NVMe/FC protocol, but you do not need all the four.
+
+> If you want to use preconfigured iSCSI/FC hosts be sure to check that they are not part of any host group
+- Linux native multipathing requirements
+- Mount propagation is enabled on container runtime that is being used
+- If using Snapshot feature, satisfy all Volume Snapshot requirements
+- Nonsecure registries are defined in Docker or other container runtimes, for CSI drivers that are hosted in a non-secure location.
+- You can access your cluster with kubectl and helm.
+- Ensure that your nodes support mounting NFS volumes.
+- Install the Volume Snapshot CRDs by referring to [this](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/powerstore/#optional-volume-snapshot-requirements) page.
+
+> Refer [this](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/powerstore/#prerequisites) for setting up the prerequisites.
+
+## Optional Features
+- [Volume Snapshot](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/powerstore/#optional-volume-snapshot-requirements)
+- [Volume Health Monitoring](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/powerstore/#volume-health-monitoring)
+- [Replication](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/powerstore/#optional-replication-feature-requirements)
+
+## Install the Driver
+**Steps**
+1. Create a namespace where you want to install the driver (e.g. "csi-powerstore"). You can choose any name for the namespace, but make sure to align to the same namespace during the whole installation.
+2. Create a secret named "powerstore-config" in the namespace created above. Sample [secret.yaml](https://github.com/dell/csi-powerstore/blob/main/samples/secret/secret.yaml).
+    >Secret must be of type opaque.
+3. Create storage classes using ones from [samples](https://github.com/dell/csi-powerstore/tree/main/samples/storageclass) folder as an example.
+    > If you do not specify `arrayID` parameter in the storage class then the array that was specified as the default would be used for provisioning volumes.
+4. Install the chart with the name "powerstore". The value.yaml file used during installation can be found [here](https://github.com/dell/csi-powerstore/blob/main/helm/csi-powerstore/values.yaml)
+
+The following table lists the configurable parameters of the chart and their default values.
+
+| Parameter                           | Description                                                                                               | Required | Default                    |
+|-------------------------------------|-----------------------------------------------------------------------------------------------------------|----------|----------------------------|
+| logLevel                            | Defines CSI driver log level                                                                              | No       | "debug"                    |
+| logFormat                           | Defines CSI driver log format                                                                             | No       | "JSON"                     |
+| externalAccess                      | Defines additional entries for hostAccess of NFS volumes, single IP address and subnet are valid entries  | No       | " "                        |
+| kubeletConfigDir                    | Defines kubelet config path for cluster                                                                   | Yes      | "/var/lib/kubelet"         |
+| imagePullPolicy                     | Policy to determine if the image should be pulled prior to starting the container.                        | Yes      | "IfNotPresent"             |
+| nfsAcls                             | Defines permissions - POSIX mode bits or NFSv4 ACLs, to be set on NFS target mount directory.             | No       | "0777"                     |
+| connection.enableCHAP               | Defines whether the driver should use CHAP for iSCSI connections or not                                   | No       | False                      |
+| controller.controllerCount          | Defines number of replicas of controller deployment                                                       | Yes      | 2                          |
+| controller.volumeNamePrefix         | Defines the string added to each volume that the CSI driver creates                                       | No       | "csivol"                   |         
+| controller.snapshot.enabled         | Allows to enable/disable snapshotter sidecar with driver installation for snapshot feature                | No       | "true"                     |
+| controller.snapshot.snapNamePrefix  | Defines prefix to apply to the names of a created snapshots                                               | No       | "csisnap"                  |
+| controller.resizer.enabled          | Allows to enable/disable resizer sidecar with driver installation for volume expansion feature            | No       | "true"                     |
+| controller.healthMonitor.enabled    | Allows to enable/disable volume health monitor                                                            | No       | false                      |
+| controller.healthMonitor.interval   | Interval of monitoring volume health condition                                                            | No       | 60s                        |
+| controller.nodeSelector             | Defines what nodes would be selected for pods of controller deployment                                    | Yes      | " "                        |
+| controller.tolerations              | Defines toleration that would be applied to controller deployment                                        | Yes      | " "                        |
+| node.nodeNamePrefix                 | Defines the string added to each node that the CSI driver registers                                       | No       | "csi-node"                 |
+| node.nodeIDPath                     | Defines a path to file with a unique identifier identifying the node in the Kubernetes cluster            | No       | "/etc/machine-id"          |
+| node.healthMonitor.enabled          | Allows to enable/disable volume health monitor                                                            | No       | false                      |
+| node.nodeSelector                   | Defines what nodes would be selected for pods of node daemonset                                           | Yes      | " "                        |
+| node.tolerations                    | Defines toleration that would be applied to node daemonset                                               | Yes      | " "                        |
+| fsGroupPolicy                       | Defines which FS Group policy mode to be used, Supported modes `None, File and ReadWriteOnceWithFSType`   | No       | "ReadWriteOnceWithFSType"  |
+| controller.vgsnapshot.enabled       | To enable or disable the volume group snapshot feature                                                    | No       | "true"                     |
+| images.driverRepository             | To use an image from custom repository                                                                    | No       | dockerhub                  |
+| version                             | To use any driver version                                                                                 | No       | Latest driver version      |
+| allowAutoRoundOffFilesystemSize     | Allows the controller to round off filesystem to 3Gi which is the minimum supported value                 | No       | false                      |
+| storageCapacity.enabled             | Enable/Disable storage capacity tracking                                                                  | No       | true                       |
+| storageCapacity.pollInterval        | Configure how often the driver checks for changed capacity                                                | No       | 5m                         |
+
+*NOTE:* 
+- By default, the driver scans available SCSI adapters and tries to register them with the storage array under the SCSI hostname using `node.nodeNamePrefix` and the ID read from the file pointed to by `node.nodeIDPath`. If an adapter is already registered with the storage under a different hostname, the adapter is not used by the driver.
+- A hostname the driver uses for registration of adapters is in the form `<nodeNamePrefix>-<nodeID>-<nodeIP>`. By default, these are csi-node and the machine ID read from the file `/etc/machine-id`. 
+- To customize the hostname, for example if you want to make them more user friendly, adjust nodeIDPath and nodeNamePrefix accordingly. For example, you can set `nodeNamePrefix` to `k8s` and `nodeIDPath` to `/etc/hostname` to produce names such as `k8s-worker1-192.168.1.2`.
+- (Optional) Enable additional Mount Options - A user is able to specify additional mount options as needed for the driver. 
+   - Mount options are specified in storageclass yaml under _mountOptions_. 
+   - *WARNING*: Before utilizing mount options, you must first be fully aware of the potential impact and understand your environment's requirements for the specified option.
+
+## Support
+
+The CSI Driver for Dell PowerStore is fully supported by DELL.
+
+For all your support needs or to follow the latest ongoing discussions and updates, join our Slack group. Click [Here](http://del.ly/Slack_request) to request your invite.
+
+You can also interact with us on [GitHub](https://github.com/dell/csm) by creating a [GitHub Issue](https://github.com/dell/csm/issues).
+
+## Contributing
+
+We value all feedback and contributions. If you find any issues or want to contribute, please feel free to open an issue or file a PR. More details in [Contribution Guidelines](https://dell.github.io/csm-docs/docs/references/contributionguidelines/).
+
+## License
+
+This is open source software licensed using the Apache License 2.0. Please see [LICENSE](https://github.com/dell/csi-powerstore/blob/main/licenses/Apache.txt) for details.

charts/dell/csi-powerstore/2.11.1/templates/_helpers.tpl

@@ -0,0 +1,10 @@
+{{/*
+Return true if storage capacity tracking is enabled and is supported based on k8s version
+*/}}
+{{- define "csi-powerstore.isStorageCapacitySupported" -}}
+{{- if eq .Values.storageCapacity.enabled true -}}
+  {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}}
+      {{- true -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}

charts/dell/csi-powerstore/2.11.1/templates/controller.yaml

@@ -0,0 +1,457 @@
+#
+#
+# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#      http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-controller
+  namespace: {{ .Release.Namespace }}
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+  {{- if hasKey .Values "podmon" }}
+  {{- if eq .Values.podmon.enabled true }}
+    verbs: ["get", "list", "watch", "patch"]
+  {{- else }}
+    verbs: ["get", "list", "watch"]
+  {{- end }}
+  {{- end }}
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+  {{- if hasKey .Values "podmon" }}
+  {{- if eq .Values.podmon.enabled true }}
+    verbs: ["get", "list", "watch", "update", "patch", "delete"]
+  {{- else }}
+    verbs: ["get", "list", "watch", "update", "patch"]
+  {{- end }}
+  {{- end }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  {{- if hasKey .Values.controller "vgsnapshot" }}
+  {{- if eq .Values.controller.vgsnapshot.enabled true }}
+  - apiGroups: ["volumegroup.storage.dell.com"]
+    resources: ["dellcsivolumegroupsnapshots","dellcsivolumegroupsnapshots/status"]
+    verbs: ["create", "list", "watch", "delete", "update"]
+  {{- end }}
+  {{- end }}
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots", "volumesnapshots/status"]
+  {{- if hasKey .Values.controller "vgsnapshot" }}
+  {{- if eq .Values.controller.vgsnapshot.enabled true }}
+    verbs: ["get", "list", "watch", "update", "create", "delete"]
+  {{- else }}
+    verbs: ["get", "list", "watch", "update"]
+  {{- end }}
+  {{- end }}
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+  {{- if hasKey .Values "podmon" }}
+  {{- if eq .Values.podmon.enabled true }}
+    verbs: ["get", "list", "watch", "update", "delete"]
+  {{- else }}
+    verbs: ["get", "list", "watch"]
+  {{- end }}
+  {{- end }}
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "list", "watch", "delete"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch"]
+  # below for resizer
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  # below for dell-csi-replicator
+  {{- if hasKey .Values.controller "replication" }}
+  {{- if eq .Values.controller.replication.enabled true}}
+  - apiGroups: ["replication.storage.dell.com"]
+    resources: ["dellcsireplicationgroups"]
+    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
+  - apiGroups: ["replication.storage.dell.com"]
+    resources: ["dellcsireplicationgroups/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "delete", "get", "list", "watch", "update", "patch"]
+  {{- end}}
+  {{- end}}
+  # Permissions for CSIStorageCapacity
+  {{- if eq (include "csi-powerstore.isStorageCapacitySupported" .) "true" }}
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csistoragecapacities"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get"]
+  {{- end }}
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-controller
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-controller
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      name: {{ .Release.Name }}-controller
+  {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}}
+  {{- fail "value for .Values.controller.controllerCount should be atleast 1" }}
+  {{- else }}
+  replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }}
+  {{- end }}
+  template:
+    metadata:
+      labels:
+        name: {{ .Release.Name }}-controller
+      annotations:
+        kubectl.kubernetes.io/default-container: driver
+    spec:
+      {{ if .Values.controller.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{ end }}
+      {{ if .Values.controller.tolerations }}
+      tolerations:
+      {{- toYaml .Values.controller.tolerations | nindent 6 }}
+      {{ end }}
+      serviceAccountName: {{ .Release.Name }}-controller
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            - labelSelector:
+                matchExpressions:
+                  - key: "name"
+                    operator: In
+                    values:
+                      - {{ .Release.Name }}-controller
+              topologyKey: "kubernetes.io/hostname"
+      containers:
+        {{- if hasKey .Values "podmon" }}
+        {{- if eq .Values.podmon.enabled true }}
+        - name: podmon
+          image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            {{- toYaml .Values.podmon.controller.args | nindent 12 }}
+          env:
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+            - name: powerstore-config-params
+              mountPath: /powerstore-config-params
+        {{- end }}
+        {{- end }}
+        {{- if hasKey .Values "dev" }}
+        {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }}
+        {{- end }}
+        - name: attacher
+          image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=5"
+            - "--leader-election"
+            - "--worker-threads=130"
+            - "--resync=10s"
+            - "--timeout=130s"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- if hasKey .Values.controller "resizer" }}
+        {{- if eq .Values.controller.resizer.enabled true }}
+        - name: resizer
+          image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=5"
+            - "--leader-election"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{end}}
+        {{end}}
+        - name: provisioner
+          image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--volume-name-prefix={{ required "Must provide a value to prefix to driver created volume names" .Values.controller.volumeNamePrefix }}"
+            - "--volume-name-uuid-length=10"
+            - "--v=5"
+            - "--leader-election"
+            - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}"
+            - "--extra-create-metadata"
+            - "--feature-gates=Topology=true"
+            - "--enable-capacity={{ (include "csi-powerstore.isStorageCapacitySupported" .) | default false }}"
+            - "--capacity-ownerref-level=2"
+            - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- if hasKey .Values.controller "snapshot" }}
+        {{- if eq .Values.controller.snapshot.enabled true }}
+        - name: snapshotter
+          image: {{ required "Must provide the CSI snapshotter container image." .Values.images.snapshotter }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=5"
+            - "--leader-election"
+            - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{end}}
+        {{end}}
+        {{- if hasKey .Values.controller "vgsnapshot" }}
+        {{- if eq .Values.controller.vgsnapshot.enabled true }}
+        - name: vg-snapshotter
+          image: {{ required "Must provide the vgsnapshotter container image." .Values.images.vgsnapshotter }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- end }}
+        {{- end }}
+        {{- if hasKey .Values.controller "replication" }}
+        {{- if eq .Values.controller.replication.enabled true}}
+        - name: dell-csi-replicator
+          image: {{ required "Must provide the Dell CSI Replicator image." .Values.images.replication }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--leader-election=true"
+            - "--worker-threads=2"
+            - "--retry-interval-start=1s"
+            - "--retry-interval-max=300s"
+            - "--timeout=300s"
+            - "--context-prefix={{ .Values.controller.replication.replicationContextPrefix}}"
+            - "--prefix={{ .Values.controller.replication.replicationPrefix}}"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+            - name: X_CSI_REPLICATION_CONFIG_DIR
+              value: /powerstore-config-params
+            - name: X_CSI_REPLICATION_CONFIG_FILE_NAME
+              value: driver-config-params.yaml
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+            - name: powerstore-config-params
+              mountPath: /powerstore-config-params
+        {{- end }}
+        {{- end }}
+        {{- if hasKey .Values.controller "healthMonitor" }}
+        {{- if eq .Values.controller.healthMonitor.enabled true}}
+        - name: csi-external-health-monitor-controller
+          image: {{ required "Must provide the CSI external health monitor controller image." .Values.images.healthmonitor }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--v=5"
+            - "--csi-address=$(ADDRESS)"
+            - "--leader-election"
+            - "--http-endpoint=:8080"
+            - "--enable-node-watcher=true"
+            - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}"
+            - "--timeout=180s"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- end }}
+        {{- end }}
+        - name: csi-metadata-retriever
+          image: {{ required "Must provide the CSI Metadata retriever container image." .Values.images.metadataretriever }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          command: [ "/csi-metadata-retriever" ]
+          env:
+            {{- if hasKey .Values "dev" }}
+            - name: ENABLE_TRACING
+              value: {{ .Values.dev.enableTracing | quote }}
+            {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . | nindent 12 }}{{ end }}
+            {{- end }}
+            - name: CSI_RETRIEVER_ENDPOINT
+              value: /var/run/csi/csi_retriever.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        - name: driver
+          image: {{ required "Must provide the PowerStore driver image repository." .Values.images.driver }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          command: [ "/csi-powerstore" ]
+          env:
+            {{- if hasKey .Values "dev" }}
+            - name: ENABLE_TRACING
+              value: {{ .Values.dev.enableTracing | quote }}
+            {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . | nindent 12 }}{{ end }}
+            {{- end }}
+            - name: CSI_ENDPOINT
+              value: /var/run/csi/csi.sock
+            - name: CSI_RETRIEVER_ENDPOINT
+              value: /var/run/csi/csi_retriever.sock
+            - name: X_CSI_MODE
+              value: controller
+            - name: X_CSI_DRIVER_NAME
+              value: {{ .Values.driverName }}
+            - name: X_CSI_POWERSTORE_EXTERNAL_ACCESS
+              value: {{ .Values.externalAccess }}
+            - name: X_CSI_NFS_ACLS
+              value: "{{ .Values.nfsAcls }}"
+            - name: X_CSI_POWERSTORE_CONFIG_PATH
+              value: /powerstore-config/config
+            - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH
+              value: /powerstore-config-params/driver-config-params.yaml
+            {{- if hasKey .Values "podmon" }}
+            - name: X_CSI_PODMON_ENABLED
+              value: "{{ .Values.podmon.enabled }}"
+            {{- if eq .Values.podmon.enabled true }}
+              {{- range $key, $value := .Values.podmon.controller.args }}
+                {{- if contains "--arrayConnectivityPollRate" $value }}
+            - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE
+              value: "{{ (split "=" $value)._1 }}"
+                {{- end }}
+              {{- end }}
+            {{- end }}
+            {{- end }}
+            - name: X_CSI_PODMON_API_PORT
+              value: "{{ .Values.podmonAPIPort }}"
+            {{- if hasKey .Values.controller "replication" }}
+            {{- if eq .Values.controller.replication.enabled true}}
+            - name: X_CSI_REPLICATION_CONTEXT_PREFIX
+              value: {{ .Values.controller.replication.replicationContextPrefix | default "powerstore"}}
+            - name: X_CSI_REPLICATION_PREFIX
+              value: {{ .Values.controller.replication.replicationPrefix | default "replication.storage.dell.com"}}
+            {{- end }}
+            {{- end }}
+            {{- if hasKey .Values.controller "healthMonitor" }}
+            {{- if eq .Values.controller.healthMonitor.enabled true}}
+            - name: X_CSI_HEALTH_MONITOR_ENABLED
+              value: "{{ .Values.controller.healthMonitor.enabled }}"
+            {{- end }}
+            {{- end }}
+            - name: GOPOWERSTORE_DEBUG
+              value: "true"
+            - name: CSI_AUTO_ROUND_OFF_FILESYSTEM_SIZE
+              value: "{{ .Values.allowAutoRoundOffFilesystemSize | default true }}"
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+            - name: powerstore-config
+              mountPath: /powerstore-config
+            - name: powerstore-config-params
+              mountPath: /powerstore-config-params
+      volumes:
+        - name: socket-dir
+          emptyDir:
+        - name: powerstore-config-params
+          configMap:
+            name: {{ .Release.Name }}-config-params
+        - name: powerstore-config
+          secret:
+            secretName: {{ .Release.Name }}-config

charts/dell/csi-powerstore/2.11.1/templates/csidriver.yaml

@@ -0,0 +1,27 @@
+#
+#
+# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#      http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: {{ .Values.driverName }}
+spec:
+  storageCapacity: {{ (include "csi-powerstore.isStorageCapacitySupported" .) | default false }}
+  podInfoOnMount: true
+  fsGroupPolicy: {{ .Values.fsGroupPolicy }}
+  volumeLifecycleModes:
+  - Persistent
+  - Ephemeral

charts/dell/csi-powerstore/2.11.1/templates/driver-config-params.yaml

@@ -0,0 +1,31 @@
+#
+#
+# Copyright © 2021-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#      http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-config-params
+  namespace: {{ .Release.Namespace }}
+data:
+  driver-config-params.yaml: |
+    CSI_LOG_LEVEL: "{{ .Values.logLevel }}"
+    CSI_LOG_FORMAT: "{{ .Values.logFormat }}"
+    {{ if .Values.podmon.enabled }}
+    PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}"
+    PODMON_CONTROLLER_LOG_FORMAT: "{{ .Values.logFormat }}"
+    PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}"
+    PODMON_NODE_LOG_FORMAT: "{{ .Values.logFormat }}"
+    {{ end }}

charts/dell/csi-powerstore/2.11.1/templates/node.yaml

@@ -0,0 +1,353 @@
+#
+#
+# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#      http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-node
+  namespace: {{ .Release.Namespace }}
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-node
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["create", "delete", "get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["persistentvolumesclaims"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["security.openshift.io"]
+    resourceNames: ["privileged"]
+    resources: ["securitycontextconstraints"]
+    verbs: ["use"]
+  {{- if hasKey .Values "podmon" }}
+  {{- if eq .Values.podmon.enabled true }}
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch", "update", "delete"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+  {{ end }}
+  {{ end }}
+
+---
+
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-node
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-node
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-node
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: {{ .Release.Name }}-node
+  namespace: {{ .Release.Namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-node
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-node
+      {{- if .Values.podmon.enabled }}
+        driver.dellemc.com: dell-storage
+      {{- end }}
+      annotations:
+        kubectl.kubernetes.io/default-container: driver
+    spec:
+      {{ if .Values.node.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.node.nodeSelector | nindent 8 }}
+      {{ end }}
+      {{ if .Values.node.tolerations }}
+      tolerations:
+      {{- toYaml .Values.node.tolerations | nindent 6 }}
+      {{ end }}
+      serviceAccount: {{ .Release.Name }}-node
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      hostIPC: true
+      containers:
+      {{- if hasKey .Values "podmon" }}
+      {{- if eq .Values.podmon.enabled true }}
+        - name: podmon
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            {{- toYaml .Values.podmon.node.args | nindent 12 }}
+          env:
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: X_CSI_PRIVATE_MOUNT_DIR
+              value: {{ .Values.kubeletConfigDir }}
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: kubelet-pods
+              mountPath: {{ .Values.kubeletConfigDir }}/pods
+              mountPropagation: "Bidirectional"
+            - name: driver-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}
+              mountPropagation: "Bidirectional"
+            - name: csi-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+              mountPropagation: "Bidirectional"
+            - name: dev
+              mountPath: /dev
+            - name: usr-bin
+              mountPath: /usr-bin
+            - name: var-run
+              mountPath: /var/run
+            - name: powerstore-config-params
+              mountPath: /powerstore-config-params
+      {{- end }}
+      {{- end }}
+        {{- if hasKey .Values "dev" }}
+        {{ if .Values.dev.enableTracing }}{{- include "pstore.tracing" . | nindent 8 }}{{ end }}
+        {{- end}}
+        - name: driver
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: {{ required "Must provide the Powerstore driver image repository." .Values.images.driver }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          command: [ "/csi-powerstore" ]
+          env:
+            {{- if hasKey .Values "dev" }}
+            - name: ENABLE_TRACING
+              value: {{ .Values.dev.enableTracing | quote}}
+            {{ if .Values.dev.enableTracing }}{{- include "pstore.tracingenvvars" . | nindent 12 }}{{ end }}
+            {{- end}}
+            - name: CSI_ENDPOINT
+              value: unix://{{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/csi_sock
+            - name: X_CSI_MODE
+              value: node
+            - name: X_CSI_POWERSTORE_KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: X_CSI_POWERSTORE_NODE_NAME_PREFIX
+              value: {{ .Values.node.nodeNamePrefix }}
+            - name: X_CSI_POWERSTORE_NODE_ID_PATH
+              value: /node-id
+            - name: X_CSI_POWERSTORE_MAX_VOLUMES_PER_NODE
+              value: "{{ .Values.maxPowerstoreVolumesPerNode }}"
+            - name: X_CSI_POWERSTORE_NODE_CHROOT_PATH
+              value: /noderoot
+            - name: X_CSI_POWERSTORE_TMP_DIR
+              value: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/tmp
+            - name: X_CSI_DRIVER_NAME
+              value: {{ .Values.driverName }}
+            - name: X_CSI_FC_PORTS_FILTER_FILE_PATH
+              value: {{ .Values.nodeFCPortsFilterFile }}
+            {{- if eq .Values.connection.enableCHAP  true }}
+            - name: X_CSI_POWERSTORE_ENABLE_CHAP
+              value: "true"
+            {{- else }}
+            - name: X_CSI_POWERSTORE_ENABLE_CHAP
+              value: "false"
+            {{- end }}
+            - name: X_CSI_POWERSTORE_CONFIG_PATH
+              value: /powerstore-config/config
+            - name: X_CSI_POWERSTORE_CONFIG_PARAMS_PATH
+              value: /powerstore-config-params/driver-config-params.yaml
+            - name: GOPOWERSTORE_DEBUG
+              value: "true"
+            {{- if hasKey .Values.node "healthMonitor" }}
+            {{- if eq .Values.node.healthMonitor.enabled true}}
+            - name: X_CSI_HEALTH_MONITOR_ENABLED
+              value: "{{ .Values.controller.healthMonitor.enabled }}"
+            {{- end }}
+            {{- end }}
+            {{- if hasKey .Values "podmon" }}
+            - name: X_CSI_PODMON_ENABLED
+              value: "{{ .Values.podmon.enabled }}"
+            {{- if eq .Values.podmon.enabled true }}
+              {{- range $key, $value := .Values.podmon.node.args }}
+                {{- if contains "--arrayConnectivityPollRate" $value }}
+            - name: X_CSI_PODMON_ARRAY_CONNECTIVITY_POLL_RATE
+              value: "{{ (split "=" $value)._1 }}"
+                {{- end }}
+              {{- end }}
+            {{- end }}
+            {{- end }}
+            - name: X_CSI_PODMON_API_PORT
+              value: "{{ .Values.podmonAPIPort }}"
+          volumeMounts:
+            - name: driver-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}
+            - name: csi-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+              mountPropagation: "Bidirectional"
+            - name: pods-path
+              mountPath: {{ .Values.kubeletConfigDir }}/pods
+              mountPropagation: "Bidirectional"
+            - name: dev
+              mountPath: /dev
+            - name: sys
+              mountPath: /sys
+            - name: run
+              mountPath: /run
+            - name: node-id
+              mountPath: /node-id
+            - name: etciscsi
+              mountPath: /etc/iscsi
+            - name: mpath
+              mountPath: /etc/multipath.conf
+            - name: noderoot
+              mountPath: /noderoot
+            - name: powerstore-config
+              mountPath: /powerstore-config
+            - name: powerstore-config-params
+              mountPath: /powerstore-config-params
+        - name: registrar
+          image: {{ required "Must provide the CSI node registrar container image." .Values.images.registrar }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--v=5"
+            - "--csi-address=$(ADDRESS)"
+            - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}/csi_sock
+          env:
+            - name: ADDRESS
+              value: /csi/csi_sock
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: registration-dir
+              mountPath: /registration
+            - name: driver-path
+              mountPath: /csi
+      volumes:
+        - name: registration-dir
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins_registry/
+            type: DirectoryOrCreate
+        - name: driver-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins/{{ .Values.driverName }}
+            type: DirectoryOrCreate
+        - name: csi-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+        - name: pods-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/pods
+            type: Directory
+        - name: dev
+          hostPath:
+            path: /dev
+            type: Directory
+        - name: node-id
+          hostPath:
+            path: {{ required "Must provide the path to file with node identifier." .Values.node.nodeIDPath }}
+            type: File
+        - name: etciscsi
+          hostPath:
+            path: /etc/iscsi
+            type: DirectoryOrCreate
+        - name: mpath
+          hostPath:
+            path: /etc/multipath.conf
+            type: FileOrCreate
+        - name: noderoot
+          hostPath:
+            path: /
+            type: Directory
+        - name: sys
+          hostPath:
+            path: /sys
+            type: Directory
+        - name: run
+          hostPath:
+            path: /run
+            type: Directory
+        - name: powerstore-config-params
+          configMap:
+            name: {{ .Release.Name }}-config-params
+        - name: powerstore-config
+          secret:
+            secretName: {{ .Release.Name }}-config
+        {{- if hasKey .Values "podmon" }}
+        {{- if eq .Values.podmon.enabled true }}
+        - name: usr-bin
+          hostPath:
+            path: /usr/bin
+            type: Directory
+        - name: kubelet-pods
+          hostPath:
+            path: /var/lib/kubelet/pods
+            type: Directory
+        - name: var-run
+          hostPath:
+            path: /var/run
+            type: Directory
+        {{ end }}
+        {{ end }}

charts/dell/csi-powerstore/2.11.1/values.yaml

@@ -0,0 +1,350 @@
+#
+#
+# Copyright © 2020-2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#      http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+
+## K8S/DRIVER ATTRIBUTES
+########################
+
+# driverName: defines the name of driver
+# Allowed values: string
+# Default value: None
+driverName: "csi-powerstore.dellemc.com"
+# "version" is used to verify the values file matches driver version
+# Not recommend to change
+version: v2.11.1
+
+# "images" defines every container images used for the driver and its sidecars.
+#  To use your own images, or a private registry, change the values here.
+images:
+  # "driver" defines the container image, used for the driver container.
+  driver: dellemc/csi-powerstore:v2.11.1
+  # CSI sidecars
+  attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1
+  provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
+  snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
+  resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1
+  registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
+  healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1
+
+  # CSM sidecars
+  replication: dellemc/dell-csi-replicator:v1.9.0
+  vgsnapshotter: dellemc/csi-volumegroup-snapshotter:v1.6.0
+  podmon: dellemc/podmon:v1.10.0
+  metadataretriever: dellemc/csi-metadata-retriever:v1.8.0
+
+# Specify kubelet config dir path.
+# Ensure that the config.yaml file is present at this path.
+# Default value: /var/lib/kubelet
+kubeletConfigDir: /var/lib/kubelet
+
+# nodeFCPortsFilterFile: It is the name of the environment variable which store path to the file which
+# provide list of WWPN which should be used by the driver for FC connection on this node
+# If file not exist or empty or in invalid format, then the driver will use all available FC ports
+# Allowed Values: string
+# Default Value: None
+# Example:
+# content of the file:
+#   21:00:00:29:ff:48:9f:6e,21:00:00:29:ff:48:9f:6e
+nodeFCPortsFilterFile: /etc/fc-ports-filter
+
+# externalAccess: allows to specify additional entries for hostAccess of NFS volumes. Both single IP address and subnet are valid entries.
+# Allowed Values: x.x.x.x/xx or x.x.x.x
+# Default Value: None
+externalAccess:
+
+# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container.
+# Allowed values:
+#  Always: Always pull the image.
+#  IfNotPresent: Only pull the image if it does not already exist on the node.
+#  Never: Never pull the image.
+# Default value: None
+imagePullPolicy: IfNotPresent
+
+# maxPowerstoreVolumesPerNode: Specify default value for maximum number of volumes that controller can publish to the node.
+# If value is zero CO SHALL decide how many volumes of this type can be published by the controller to the node.
+# This limit is applicable to all the nodes in the cluster for which node label 'max-powerstore-volumes-per-node' is not set.
+# Allowed values: n, where n >= 0
+# Default value: 0
+maxPowerstoreVolumesPerNode: 0
+
+# nfsAcls: enables setting permissions on NFS mount directory
+# This value acts as default value for NFS ACL (nfsAcls), if not specified for an array config in secret
+# Permissions can be specified in two formats:
+#   1) Unix mode (NFSv3)
+#   2) NFSv4 ACLs (NFSv4)
+#      NFSv4 ACLs are supported on NFSv4 share only.
+# Allowed values:
+#   1) Unix mode: valid octal mode number
+#      Examples: "0777", "777", "0755"
+#   2) NFSv4 acls: valid NFSv4 acls, seperated by comma
+#      Examples: "A::OWNER@:RWX,A::GROUP@:RWX", "A::OWNER@:rxtncy"
+# Optional: true
+# Default value: "0777"
+nfsAcls: "0777"
+
+# podmonAPIPort: Defines the port to be used within the kubernetes cluster
+# Allowed values:
+#   Any valid and free port.
+# Default value: 8083
+podmonAPIPort: 8083
+
+# controller: configure controller specific parameters
+controller:
+  # controllerCount: defines the number of csi-powerstore controller pods to deploy to
+  # the Kubernetes release.
+  # Allowed values: n, where n > 0
+  # Default value: None
+  controllerCount: 2
+
+  # volumeNamePrefix: defines a string prepended to each volume created by the CSI driver.
+  # Allowed values: string
+  # Default value: None
+  volumeNamePrefix: csivol
+
+  # vgsnapshot: allows to configure volume-group-snapshot
+  # volume-group-snapshot CRDs must be installed before installing driver
+  vgsnapshot:
+    # enabled: Enable/Disable volume-group-snapshot feature
+    # Allowed values:
+    #   true: enable volume-group-snapshot feature(install vg-snapshotter sidecar)
+    #   false: disable volume-group-snapshot feature(do not install vg-snapshotter sidecar)
+    # Default value: false
+    enabled: false
+
+  # snapshot: allows to enable/disable snapshot feature
+  # snapshot CRDs needs to be installed before enabling this feature
+  snapshot:
+    # enabled: Enable/Disable volume snapshot feature
+    # Allowed values:
+    #   true: enable volume snapshot feature(install snapshotter sidecar)
+    #   false: disable volume snapshot feature(do not install snapshotter sidecar)
+    # Default value: None
+    enabled: true
+
+    # snapNamePrefix: Prefix to apply to the names of a created snapshots
+    # Allowed values: string
+    # Default value: None
+    snapNamePrefix: csisnap
+  # resizer: allows to enable/disable resizer feature
+  resizer:
+    # enabled: Enable/Disable volume expansion feature
+    # Allowed values:
+    #   true: enable volume expansion feature(install resizer sidecar)
+    #   false: disable volume expansion feature(do not install resizer sidecar)
+    # Default value: true
+    enabled: true
+
+  healthMonitor:
+    # enabled: Enable/Disable health monitor of CSI volumes
+    # Allowed values:
+    #   true: enable checking of health condition of CSI volumes
+    #   false: disable checking of health condition of CSI volumes
+    # Default value: false
+    enabled: false
+
+    # interval: Interval of monitoring volume health condition
+    # Allowed values: Number followed by unit (s,m,h)
+    # Examples: 60s, 5m, 1h
+    # Default value: 60s
+    interval: 60s
+
+  # replication: allows to configure replication
+  # Replication CRDs must be installed before installing driver
+  replication:
+    # enabled: Enable/Disable replication feature
+    # Allowed values:
+    #   true: enable replication feature(install dell-csi-replicator sidecar)
+    #   false: disable replication feature(do not install dell-csi-replicator sidecar)
+    # Default value: false
+    enabled: false
+
+    # replicationContextPrefix: prefix to use for naming of resources created by replication feature
+    # Allowed values: string
+    # Default value: powerstore
+    replicationContextPrefix: "powerstore"
+
+    # replicationPrefix: prefix to prepend to storage classes parameters
+    # Allowed values: string
+    # Default value: replication.storage.dell.com
+    replicationPrefix: "replication.storage.dell.com"
+
+  # nodeSelector: Define node selection constraints for controller pods.
+  # For the pod to be eligible to run on a node, the node must have each
+  # of the indicated key-value pairs as labels.
+  # Leave as blank to consider all nodes
+  # Allowed values: map of key-value pairs
+  # Default value: None
+  nodeSelector:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  node-role.kubernetes.io/master
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  node-role.kubernetes.io/control-plane
+
+  # tolerations: Define tolerations for the controllers, if required.
+  # Leave as blank to install controller on worker nodes
+  # Default value: None
+  tolerations:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  # - key: "node-role.kubernetes.io/master"
+  #   operator: "Exists"
+  #   effect: "NoSchedule"
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  # tolerations:
+  # - key: "node-role.kubernetes.io/control-plane"
+  #   operator: "Exists"
+  #   effect: "NoSchedule"
+
+# node: configure node pod specific parameters
+node:
+  # nodeNamePrefix: defines a string prepended to each node registered by the CSI driver.
+  # Allowed values: string
+  # Default value: None
+  nodeNamePrefix: csi-node
+
+  # nodeIDPath: defines the path to file with node identifier (e.g. /etc/machine-id, /etc/hostname).
+  # Allowed values: string
+  # Default value: None
+  nodeIDPath: /etc/machine-id
+
+  healthMonitor:
+    # enabled: Enable/Disable health monitor of CSI volumes- volume usage, volume condition
+    # Allowed values:
+    #   true: enable checking of health condition of CSI volumes
+    #   false: disable checking of health condition of CSI volumes
+    # Default value: None
+    enabled: false
+
+  # nodeSelector: Define node selection constraints for node pods.
+  # For the pod to be eligible to run on a node, the node must have each
+  # of the indicated key-value pairs as labels.
+  # Leave as blank to consider all nodes
+  # Allowed values: map of key-value pairs
+  # Default value: None
+  nodeSelector:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  node-role.kubernetes.io/master
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  node-role.kubernetes.io/control-plane
+
+  # tolerations: Define tolerations for the node pods, if required.
+  # Leave as blank to consider all worker nodes
+  # Default value: None
+  tolerations:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  # - key: "node-role.kubernetes.io/master"
+  #   operator: "Exists"
+  #   effect: "NoSchedule"
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  # tolerations:
+  # - key: "node-role.kubernetes.io/control-plane"
+  #   operator: "Exists"
+  #   effect: "NoSchedule"
+
+  # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled
+  # tolerations:
+  #  - key: "offline.vxflexos.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "vxflexos.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "offline.unity.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "unity.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "offline.isilon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "isilon.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "offline.powerstore.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "powerstore.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+
+## PLATFORM ATTRIBUTES
+######################
+
+# connection: allows to configure connection to storage array
+connection:
+  # connection.enableCHAP: allows to enable CHAP for iSCSI connections
+  # CHAP password will be autogenerated by driver
+  # Allowed values:
+  #   true : enable CHAP
+  #   false: disable CHAP
+  # Default value: false
+  enableCHAP: false
+
+# CSI driver log level
+# Allowed values: "error", "warn"/"warning", "info", "debug", "error"
+# Default value: "debug"
+logLevel: "debug"
+
+# CSI driver log format
+# Allowed values: "TEXT" or "JSON"
+# Default value: "JSON"
+logFormat: "JSON"
+
+# Following modes are supported: None, File and ReadWriteOnceWithFSType
+fsGroupPolicy: ReadWriteOnceWithFSType
+
+# Allows the controller to round off filesystem to 3Gi which is the minimum supported value
+allowAutoRoundOffFilesystemSize: true
+
+# Storage Capacity Tracking
+# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions.
+storageCapacity:
+  # enabled : Enable/Disable storage capacity tracking
+  # Allowed values:
+  #   true: enable storage capacity tracking
+  #   false: disable storage capacity tracking
+  # Default value: true
+  enabled: true
+  # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity
+  # Allowed values: 1m,2m,3m,...,10m,...,60m etc
+  # Default value: 5m
+  pollInterval: 5m
+
+# Enable this feature only after contact support for additional information
+podmon:
+  enabled: false
+  controller:
+    args:
+      - "--csisock=unix:/var/run/csi/csi.sock"
+      - "--labelvalue=csi-powerstore"
+      - "--arrayConnectivityPollRate=60"
+      - "--driverPath=csi-powerstore.dellemc.com"
+      - "--mode=controller"
+      - "--skipArrayConnectionValidation=false"
+      - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml"
+      - "--driverPodLabelValue=dell-storage"
+      - "--ignoreVolumelessPods=false"
+
+  node:
+    args:
+      - "--csisock=unix:/var/lib/kubelet/plugins/csi-powerstore.dellemc.com/csi_sock"
+      - "--labelvalue=csi-powerstore"
+      - "--arrayConnectivityPollRate=60"
+      - "--driverPath=csi-powerstore.dellemc.com"
+      - "--mode=node"
+      - "--leaderelection=false"
+      - "--driver-config-params=/powerstore-config-params/driver-config-params.yaml"
+      - "--driverPodLabelValue=dell-storage"
+      - "--ignoreVolumelessPods=false"

charts/dell/csi-unity/2.11.1/Chart.yaml

@@ -0,0 +1,22 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Dell CSI Unity
+  catalog.cattle.io/kube-version: '>= 1.24.0'
+  catalog.cattle.io/release-name: unity
+apiVersion: v2
+appVersion: 2.11.1
+description: 'Unity XT CSI (Container Storage Interface) driver Kubernetes integration.
+  This chart includes everything required to provision via CSI as well as a Unity
+  XT StorageClass. '
+icon: file://assets/icons/csi-unity.png
+keywords:
+- csi
+- storage
+kubeVersion: '>= 1.24.0'
+maintainers:
+- name: DellEMC
+name: csi-unity
+sources:
+- https://github.com/dell/csi-unity
+type: application
+version: 2.11.1

charts/dell/csi-unity/2.11.1/app-readme.md

@@ -0,0 +1,93 @@
+The [CSI Driver for Unity XT](https://github.com/dell/csi-unity) is part of the CSM (Container Storage Modules) open-source suite of Kubernetes storage enablers for Dell products. CSI Driver for Unity XT is a Container Storage Interface (CSI) driver that provides support for provisioning persistent storage using Dell Unity XT storage array.
+
+
+## Pre-Requisites
+- Install Kubernetes (see [supported versions](https://dell.github.io/csm-docs/docs/csidriver/#features-and-capabilities))
+- Install Helm v3 (follow [steps](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/unity/#install-helm-30))
+- Install sshpass
+- Configure the pre-installation steps according to the protocols you are using: 
+    - To use FC protocol, the host must be zoned with Unity XT array and Multipath needs to be configured
+    - To use iSCSI protocol, iSCSI initiator utils packages need to be installed and Multipath needs to be configured
+    - To use NFS protocol, NFS utility packages needs to be installed
+- Enable mount propagation on container runtime that is being used
+- In order to use the Kubernetes Volume Snapshot feature, ensure to deploy `Volume Snapshot CRDs` and `Volume Snapshot Controller` in the kubernetes cluster as a pre-requisite. Refer [here](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/unity/#installation-example) for installation example of CRD's and default snapshot controller
+
+For more information, refer to the [documentation](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/unity/#prerequisites)
+
+## Install CSI Driver for Unity XT
+
+1. Clone the [git repository](https://github.com/dell/csi-unity) that has the helm charts and install scripts
+2. Create a namespace called `unity`
+3. Collect information from the Unity XT Systems like Unique ArrayId, IP address, username, and password. Using the information, prepare `secrets.yaml`. Create the secrets. Samples available [here](https://github.com/dell/csi-unity/blob/main/samples/secret/secret.yaml)
+>NOTE: For certificate validation of Unisphere REST API calls refer [here](https://dell.github.io/csm-docs/docs/csidriver/installation/helm/unity/#certificate-validation-for-unisphere-rest-api-calls). Otherwise, create an empty secret. Samples available [here](https://github.com/dell/csi-unity/tree/main/samples/secret/emptysecret.yaml)
+4. Copy the `helm/csi-unity/values.yaml` into a file named `myvalues.yaml` in the same directory of csi-install.sh, to customize settings for installation
+5. Edit `myvalues.yaml` to set the following parameters for your installation:
+   
+    The following table lists the primary configurable parameters of the Unity XT driver chart and their default values. More detailed information can be found in the [`values.yaml`](https://github.com/dell/csi-unity/blob/master/helm/csi-unity/values.yaml) file in this repository.
+    
+    | Parameter | Description | Required | Default |
+    | --------- | ----------- | -------- |-------- |
+    | version | helm version | true | - |
+    | logLevel | LogLevel is used to set the logging level of the driver | true | info |
+    | allowRWOMultiPodAccess | Flag to enable multiple pods to use the same PVC on the same node with RWO access mode. | false | false |
+    | kubeletConfigDir | Specify kubelet config dir path | Yes | /var/lib/kubelet |
+    | syncNodeInfoInterval | Time interval to add node info to the array. Default 15 minutes. The minimum value should be 1 minute. | false | 15 |
+    | maxUnityVolumesPerNode | Maximum number of volumes that controller can publish to the node. | false | 0 |
+    | certSecretCount | Represents the number of certificate secrets, which the user is going to create for SSL authentication. (unity-cert-0..unity-cert-n). The minimum value should be 1. | false | 1 |
+    | imagePullPolicy |  The default pull policy is IfNotPresent which causes the Kubelet to skip pulling an image if it already exists. | Yes | IfNotPresent |
+    | podmon.enabled | service to monitor failing jobs and notify | false | - |
+    | podmon.image| pod man image name | false | - |
+    | tenantName | Tenant name added while adding host entry to the array | No |  |
+    | fsGroupPolicy | Defines which FS Group policy mode to be used, Supported modes `None, File and ReadWriteOnceWithFSType` | No | "ReadWriteOnceWithFSType" |
+    | **controller** | Allows configuration of the controller-specific parameters.| - | - |
+    | controllerCount | Defines the number of csi-unity controller pods to deploy to the Kubernetes release| Yes | 2 |
+    | volumeNamePrefix | Defines a string prefix for the names of PersistentVolumes created | Yes | "k8s" |
+    | snapshot.enabled | Enable/Disable volume snapshot feature | Yes | true |
+    | snapshot.snapNamePrefix | Defines a string prefix for the names of the Snapshots created | Yes | "snapshot" |
+    | resizer.enabled | Enable/Disable volume expansion feature | Yes | true |
+    | nodeSelector | Define node selection constraints for pods of controller deployment | No | |
+    | tolerations | Define tolerations for the controller deployment, if required | No | |
+    | healthMonitor.enabled | Enable/Disable deployment of external health monitor sidecar for controller side volume health monitoring. | No | false |
+    | healthMonitor.interval | Interval of monitoring volume health condition. Allowed values: Number followed by unit (s,m,h) | No | 60s |
+    | ***node*** | Allows configuration of the node-specific parameters.| - | - |
+    | dnsPolicy | Define the DNS Policy of the Node service | Yes | ClusterFirstWithHostNet |
+    | healthMonitor.enabled | Enable/Disable health monitor of CSI volumes- volume usage, volume condition | No | false |
+    | nodeSelector | Define node selection constraints for pods of node deployment | No | |
+    | tolerations | Define tolerations for the node deployment, if required | No | |
+
+
+    **Note**: 
+    
+      * User should provide all boolean values with double-quotes. This applies only for `myvalues.yaml`. Example: "true"/"false"  
+      * controllerCount parameter value should be <= number of nodes in the kubernetes cluster else install script fails
+
+6. Run the `./csi-install.sh --namespace unity --values ./myvalues.yaml` command to proceed with the installation using bash script or you can also install the driver using standalone helm chart by running helm install command `helm install --dry-run --values <myvalues.yaml-location> --namespace <namespace> <name-of-secret> <helmPath>` <br/>
+   `<namespace>` - namespace of the driver installation  <br/>
+   `<name of secret>` - unity in case of unity-creds and unity-certs-0 secrets <br/>
+   `<helmPath>` - Path of the helm directory <br/>
+
+7. Create storage classes from [samples](https://github.com/dell/csi-unity/tree/main/samples/storageclass)
+    
+    **Note**:
+
+    * At least one storage class is required for one array
+    * In case you want to make updates to an existing storage class, ensure to delete it using the `kubectl delete storageclass <storageclass-name>` command. Deleting a storage class has no impact on a running Pod with mounted PVCs. You cannot provision new PVCs until at least one storage class is newly created
+
+For full-length documentation, please visit Container Storage Modules documentation [page](https://dell.github.io/csm-docs/).
+
+## Support
+
+The CSI Driver for Dell Unity XT is fully supported by DELL.
+
+For all your support needs or to follow the latest ongoing discussions and updates, join our Slack group. Click [Here](http://del.ly/Slack_request) to request your invite.
+
+You can also interact with us on [GitHub](https://github.com/dell/csm) by creating a [GitHub Issue](https://github.com/dell/csm/issues).
+
+## Contributing
+
+We value all feedback and contributions. If you find any issues or want to contribute, please feel free to open an issue or file a PR. More details in [Contribution Guidelines](https://dell.github.io/csm-docs/docs/references/contributionguidelines/).
+
+## License
+
+This is open source software licensed using the Apache License 2.0. Please see [LICENSE](https://github.com/dell/csi-powerstore/blob/main/licenses/Apache.txt) for details.
+

charts/dell/csi-unity/2.11.1/templates/_helpers.tpl

@@ -0,0 +1,10 @@
+{{/*
+Return true if storage capacity tracking is enabled and is supported based on k8s version
+*/}}
+{{- define "csi-unity.isStorageCapacitySupported" -}}
+{{- if eq .Values.storageCapacity.enabled true -}}
+  {{- if and (eq .Capabilities.KubeVersion.Major "1") (ge (trimSuffix "+" .Capabilities.KubeVersion.Minor) "24") -}}
+      {{- true -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}

charts/dell/csi-unity/2.11.1/templates/controller.yaml

@@ -0,0 +1,328 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-controller
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+rules:
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "watch", "list", "delete", "update", "create"]
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+{{- if .Values.podmon.enabled }}
+    verbs: ["get", "list", "watch", "patch"]
+{{- else }}
+    verbs: ["get", "list", "watch"]
+{{- end }}
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch", "create", "delete", "update","patch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "create", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments"]
+{{- if .Values.podmon.enabled }}
+    verbs: ["get", "list", "watch", "update", "patch", "delete"]
+{{- else }}
+    verbs: ["get", "list", "watch", "update","patch"]
+{{- end }}
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csinodes"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+  - apiGroups: ["csi.storage.k8s.io"]
+    resources: ["csinodeinfos"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+{{- if .Values.podmon.enabled }}
+    verbs: ["get", "list", "watch", "update", "delete"]
+{{- else }}
+    verbs: ["get", "list", "watch"]
+{{- end }}
+# below for snapshotter
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents"]
+    verbs: ["create", "get", "list", "watch", "update", "delete", "patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots/status"]
+    verbs: ["update"]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["volumeattachments/status"]
+    verbs: ["patch"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshots"]
+    verbs: ["get", "list", "watch", "update"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["create", "list", "watch", "delete"]
+  - apiGroups: ["snapshot.storage.k8s.io"]
+    resources: ["volumesnapshotcontents/status"]
+    verbs: ["update", "patch"]
+  # below for resizer
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims/status"]
+    verbs: ["update", "patch"]
+  # Permissions for CSIStorageCapacity
+  {{- if eq (include "csi-unity.isStorageCapacitySupported" .) "true" }}
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["csistoragecapacities"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]
+  - apiGroups: ["apps"]
+    resources: ["replicasets"]
+    verbs: ["get"]
+  {{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-controller
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-controller
+  apiGroup: rbac.authorization.k8s.io
+---
+{{ $releaseName := .Release.Name }}
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ .Release.Name }}-controller
+  namespace: {{ .Release.Namespace }}
+spec:
+  {{- if lt (.Values.controller.controllerCount | toString | atoi ) 1 -}}
+  {{- fail "value for .Values.controller.controllerCount should be atleast 1" }}
+  {{- else }}
+  replicas: {{ required "Must provide the number of controller instances to create." .Values.controller.controllerCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-controller
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: "driver"
+      labels:
+        app: {{ .Release.Name }}-controller
+    spec:
+      serviceAccountName: {{ .Release.Name }}-controller
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                    - {{ .Release.Name }}-controller
+            topologyKey: "kubernetes.io/hostname"
+      {{- if .Values.controller.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.controller.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controller.tolerations }}
+      tolerations:
+      {{- toYaml .Values.controller.tolerations | nindent 6 }}
+      {{- end }}
+      containers:
+{{- if .Values.podmon.enabled }}
+        - name: podmon
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
+          args:
+            {{- toYaml .Values.podmon.controller.args | nindent 12 }}
+          env:
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+            - name: unity-config
+              mountPath: /unity-config
+{{- end }}
+        - name: attacher
+          image: {{ required "Must provide the CSI attacher container image." .Values.images.attacher }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=5"
+            - "--leader-election"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        - name: provisioner
+          image: {{ required "Must provide the CSI provisioner container image." .Values.images.provisioner }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--volume-name-prefix={{ required "Must provide a Volume Name Prefix." .Values.controller.volumeNamePrefix }}"
+            - "--volume-name-uuid-length=10"
+            - "--timeout=180s"
+            - "--worker-threads=6"
+            - "--v=5"
+            - "--feature-gates=Topology=true"
+            - "--strict-topology=true"
+            - "--leader-election"
+            - "--leader-election-namespace={{ .Release.Namespace }}"
+            - "--default-fstype={{ .Values.defaultFsType | default "ext4" }}"
+            - "--enable-capacity={{ (include "csi-unity.isStorageCapacitySupported" .) | default false }}"
+            - "--capacity-ownerref-level=2"
+            - "--capacity-poll-interval={{ .Values.storageCapacity.pollInterval | default "5m" }}"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- if hasKey .Values.controller "snapshot" }}
+        {{- if eq .Values.controller.snapshot.enabled true }}
+        - name: snapshotter
+          image: {{ required "Must provide the CSI snapshotter container image. " .Values.images.snapshotter }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--snapshot-name-prefix={{ required "Must privided a Snapshot Name Prefix" .Values.controller.snapshot.snapNamePrefix }}"
+            - "--snapshot-name-uuid-length=10"
+            - "--timeout=360s"
+            - "--v=5"
+            - "--leader-election"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- end}}
+        {{- end}}
+        {{- if hasKey .Values.controller "resizer" }}
+        {{- if eq .Values.controller.resizer.enabled true }}
+        - name: resizer
+          image: {{ required "Must provide the CSI resizer container image." .Values.images.resizer }}
+          args:
+            - "--csi-address=$(ADDRESS)"
+            - "--v=5"
+            - "--leader-election"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{ end }}
+        {{ end }}
+        {{- if hasKey .Values.controller "healthMonitor" }}
+        {{- if eq .Values.controller.healthMonitor.enabled true }}
+        - name: csi-external-health-monitor-controller
+          image: {{ required "Must provide the CSI external health monitor image." .Values.images.healthmonitor }}
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          args:
+            - "--v=5"
+            - "--csi-address=$(ADDRESS)"
+            - "--leader-election"
+            - "--http-endpoint=:8080"
+            - "--enable-node-watcher=true"
+            - "--monitor-interval={{ .Values.controller.healthMonitor.interval | default "60s" }}"
+            - "--timeout=180s"
+          env:
+            - name: ADDRESS
+              value: /var/run/csi/csi.sock
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+        {{- end }}
+        {{- end }}
+        - name: driver
+          image: "{{ required "Must provide the driver image repository." .Values.images.driver }}"
+          args:
+            - "--driver-name=csi-unity.dellemc.com"
+            - "--driver-config=/unity-config/driver-config-params.yaml"
+            - "--driver-secret=/unity-secret/config"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          env:
+            - name: CSI_ENDPOINT
+              value: /var/run/csi/csi.sock
+            - name: X_CSI_MODE
+              value: controller
+            - name: X_CSI_UNITY_AUTOPROBE
+              value: "true"
+            - name: SSL_CERT_DIR
+              value: /certs
+            {{- if hasKey .Values.controller "healthMonitor" }}
+            {{- if eq .Values.controller.healthMonitor.enabled true }}
+            - name: X_CSI_HEALTH_MONITOR_ENABLED
+              value: "{{ .Values.controller.healthMonitor.enabled }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /var/run/csi
+            - name: certs
+              mountPath: /certs
+              readOnly: true
+            - name: unity-config
+              mountPath: /unity-config
+            - name: unity-secret
+              mountPath: /unity-secret
+      volumes:
+        - name: certs
+          projected:
+            sources:
+{{- range $i, $e := until (int .Values.certSecretCount ) }}
+              - secret:
+                  name: {{ print $releaseName "-certs-" $e }}
+                  items:
+                    - key: cert-{{ $e }}
+                      path: cert-{{ $e }}
+{{- end }}
+        - name: socket-dir
+          emptyDir:
+        - name: unity-config
+          configMap:
+              name: {{ .Release.Name }}-config-params
+        - name: unity-secret
+          secret:
+              secretName: {{ .Release.Name }}-creds

charts/dell/csi-unity/2.11.1/templates/csidriver.yaml

@@ -0,0 +1,12 @@
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: csi-unity.dellemc.com
+spec:
+  storageCapacity: {{ (include "csi-unity.isStorageCapacitySupported" .) | default false }}
+  attachRequired: true
+  podInfoOnMount: true
+  volumeLifecycleModes:
+    - Persistent
+    - Ephemeral
+  fsGroupPolicy: {{ .Values.fsGroupPolicy }}

charts/dell/csi-unity/2.11.1/templates/driver-config-params.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-config-params
+  namespace: {{ .Release.Namespace }}
+data:
+  driver-config-params.yaml: |
+    CSI_LOG_LEVEL: "{{ .Values.logLevel }}"
+    ALLOW_RWO_MULTIPOD_ACCESS: "{{ .Values.allowRWOMultiPodAccess }}"
+    MAX_UNITY_VOLUMES_PER_NODE: "{{ .Values.maxUnityVolumesPerNode }}"
+    SYNC_NODE_INFO_TIME_INTERVAL: "{{ .Values.syncNodeInfoInterval }}"
+    TENANT_NAME: "{{ .Values.tenantName }}"
+    {{ if .Values.podmon.enabled }}
+    PODMON_CONTROLLER_LOG_LEVEL: "{{ .Values.logLevel }}"
+    PODMON_CONTROLLER_LOG_FORMAT: "TEXT"
+    PODMON_NODE_LOG_LEVEL: "{{ .Values.logLevel }}"
+    PODMON_NODE_LOG_FORMAT: "TEXT"
+    {{ end }}

charts/dell/csi-unity/2.11.1/templates/node.yaml

@@ -0,0 +1,283 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-node
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-node
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "create", "delete", "get", "list", "watch", "update" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumesclaims" ]
+    verbs: [ "get", "list", "watch", "update" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch", "update", "patch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattachments" ]
+    verbs: [ "get", "list", "watch", "update" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "volumeattachments" ]
+    verbs: [ "get", "list", "watch", "update" ]
+  - apiGroups: [ "security.openshift.io" ]
+    resourceNames: [ "privileged" ]
+    resources: [ "securitycontextconstraints" ]
+    verbs: [ "use" ]
+{{- if .Values.podmon.enabled }}
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "update", "delete" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    verbs: [ "get", "watch", "list", "delete", "update", "create" ]
+{{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-node
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-node
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}-node
+  apiGroup: rbac.authorization.k8s.io
+---
+{{ $releaseName := .Release.Name }}
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: {{ .Release.Name }}-node
+  namespace: {{ .Release.Namespace }}
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-node
+  template:
+    metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: "driver"
+      labels:
+        app: {{ .Release.Name }}-node
+{{- if .Values.podmon.enabled }}
+        driver.dellemc.com: dell-storage
+{{- end }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}-node
+      {{- if .Values.node.nodeSelector }}
+      nodeSelector:
+      {{- toYaml .Values.node.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.node.tolerations }}
+      tolerations:
+      {{- toYaml .Values.node.tolerations | nindent 8 }}
+      {{- end }}
+      hostIPC: true
+      hostNetwork: true
+      dnsPolicy: {{ .Values.node.dnsPolicy }}
+      containers:
+{{- if .Values.podmon.enabled }}
+        - name: podmon
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          image: {{ required "Must provide the podmon container image." .Values.images.podmon }}
+          args:
+          {{- toYaml .Values.podmon.node.args | nindent 12 }}
+          env:
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: X_CSI_PRIVATE_MOUNT_DIR
+              value: "{{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/disks"
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: kubelet-pods
+              mountPath: {{ .Values.kubeletConfigDir }}/pods
+              mountPropagation: "Bidirectional"
+            - name: driver-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+              mountPropagation: "Bidirectional"
+            - name: volumedevices-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+              mountPropagation: "Bidirectional"
+            - name: dev
+              mountPath: /dev
+            - name: usr-bin
+              mountPath: /usr-bin
+            - name: var-run
+              mountPath: /var/run
+            - name: unity-config
+              mountPath: /unity-config
+{{- end }}
+        - name: driver
+          securityContext:
+            privileged: true
+            capabilities:
+              add: ["SYS_ADMIN"]
+            allowPrivilegeEscalation: true
+          image: "{{ required "Must provide the driver image repository." .Values.images.driver }}"
+          args:
+            - "--driver-name=csi-unity.dellemc.com"
+            - "--driver-config=/unity-config/driver-config-params.yaml"
+            - "--driver-secret=/unity-secret/config"
+          imagePullPolicy: {{ .Values.imagePullPolicy }}
+          env:
+            - name: CSI_ENDPOINT
+              value: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/csi_sock
+            - name: X_CSI_MODE
+              value: node
+            - name: X_CSI_UNITY_AUTOPROBE
+              value: "true"
+            - name: X_CSI_UNITY_ALLOW_MULTI_POD_ACCESS
+              value: {{ .Values.allowRWOMultiPodAccess | default "false" | lower | quote }}
+            - name: X_CSI_ALLOWED_NETWORKS
+              value: "{{ .Values.allowedNetworks }}"
+            - name: X_CSI_PRIVATE_MOUNT_DIR
+              value: "{{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/disks"
+            - name: X_CSI_EPHEMERAL_STAGING_PATH
+              value: "{{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi/pv/"
+            - name: X_CSI_ISCSI_CHROOT
+              value: {{ .Values.ISCSIChroot | default "/noderoot" }}
+            - name: X_CSI_UNITY_NODENAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: X_CSI_UNITY_NODENAME_PREFIX
+              value: {{ .Values.nodeNamePrefix }}
+            - name: SSL_CERT_DIR
+              value: /certs
+            - name: X_CSI_UNITY_SYNC_NODEINFO_INTERVAL
+              value: {{ .Values.syncNodeInfoInterval | default "15" | quote }}
+            {{- if hasKey .Values.node "healthMonitor" }}
+            {{- if eq .Values.node.healthMonitor.enabled true }}
+            - name: X_CSI_HEALTH_MONITOR_ENABLED
+              value: "{{ .Values.node.healthMonitor.enabled }}"
+            {{- end }}
+            {{- end }}
+          volumeMounts:
+            - name: driver-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+            - name: volumedevices-path
+              mountPath: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+              mountPropagation: "Bidirectional"
+            - name: pods-path
+              mountPath: {{ .Values.kubeletConfigDir }}/pods
+              mountPropagation: "Bidirectional"
+            - name: dev
+              mountPath: /dev
+            - name: noderoot
+              mountPath: /noderoot
+            - name: certs
+              mountPath: /certs
+              readOnly: true
+            - name: unity-config
+              mountPath: /unity-config
+            - name: unity-secret
+              mountPath: /unity-secret
+        - name: registrar
+          image: {{ required "Must provide the CSI registrar container image." .Values.images.registrar }}
+          args:
+            - "--v=5"
+            - "--csi-address=$(ADDRESS)"
+            - --kubelet-registration-path={{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com/csi_sock
+          env:
+            - name: ADDRESS
+              value: /csi/csi_sock
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+          volumeMounts:
+            - name: registration-dir
+              mountPath: /registration
+            - name: driver-path
+              mountPath: /csi
+      volumes:
+        - name: registration-dir
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins_registry/
+            type: DirectoryOrCreate
+        - name: driver-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins/unity.emc.dell.com
+            type: DirectoryOrCreate
+        - name: volumedevices-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/plugins/kubernetes.io/csi
+            type: DirectoryOrCreate
+        - name: pods-path
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/pods
+            type: Directory
+        - name: dev
+          hostPath:
+            path: /dev
+            type: Directory
+        - name: noderoot
+          hostPath:
+            path: /
+            type: Directory
+        - name: certs
+          projected:
+            sources:
+{{- range $i, $e := until (int .Values.certSecretCount ) }}
+              - secret:
+                  name: {{ print $releaseName "-certs-" $e }}
+                  items:
+                    - key: cert-{{ $e }}
+                      path: cert-{{ $e }}
+{{- end }}
+        - name: unity-config
+          configMap:
+              name: {{ .Release.Name }}-config-params
+        - name: unity-secret
+          secret:
+              secretName: {{ .Release.Name }}-creds
+{{- if .Values.podmon.enabled }}
+        - name: usr-bin
+          hostPath:
+            path: /usr/bin
+            type: Directory
+        - name: kubelet-pods
+          hostPath:
+            path: {{ .Values.kubeletConfigDir }}/pods
+            type: Directory
+        - name: var-run
+          hostPath:
+            path: /var/run
+            type: Directory
+{{- end }}

charts/dell/csi-unity/2.11.1/values.yaml

@@ -0,0 +1,273 @@
+## K8S/DRIVER ATTRIBUTES
+########################
+
+# version: version of this values file
+# Note: Do not change this value
+# Examples : "v2.9.0" , "nightly"
+version: "v2.11.1"
+
+images:
+  # "driver" defines the container image, used for the driver container.
+  driver: dellemc/csi-unity:v2.11.1
+  # CSI sidecars
+  attacher: registry.k8s.io/sig-storage/csi-attacher:v4.6.1
+  provisioner: registry.k8s.io/sig-storage/csi-provisioner:v5.0.1
+  snapshotter: registry.k8s.io/sig-storage/csi-snapshotter:v8.0.1
+  resizer: registry.k8s.io/sig-storage/csi-resizer:v1.11.1
+  registrar: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.1
+  healthmonitor: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.12.1
+
+  # CSM sidecars
+  podmon: dellemc/podmon:v1.10.0
+
+# LogLevel is used to set the logging level of the driver.
+# Allowed values: "error", "warn"/"warning", "info", "debug"
+# Default value: "info"
+logLevel: "info"
+
+# certSecretCount: Represents number of certificate secrets, which user is going to create for
+# ssl authentication. (unity-cert-0..unity-cert-n)
+# Allowed values: n, where n > 0
+# Default value: None
+certSecretCount: 1
+
+# allowedNetworks: Custom networks for Unity export
+# Specify list of networks which can be used for NFS I/O traffic; CIDR format should be used.
+# Allowed values: list of one or more networks (comma separated)
+# Default value: None
+# Examples: 192.168.1.0/24, 192.168.100.0/22
+allowedNetworks:
+
+# imagePullPolicy: Policy to determine if the image should be pulled prior to starting the container.
+# Allowed values:
+# Always: Always pull the image.
+# IfNotPresent: Only pull the image if it does not already exist on the node.
+# Never: Never pull the image.
+# Default value: IfNotPresent
+imagePullPolicy: Always
+
+# Specify kubelet config dir path.
+# Ensure that the config.yaml file is present at this path.
+# Default value: /var/lib/kubelet
+kubeletConfigDir: /var/lib/kubelet
+
+# fsGroupPolicy: Defines if the underlying volume supports changing ownership and permission of the volume before being mounted.
+# Allowed values:
+#   ReadWriteOnceWithFSType: supports volume ownership and permissions change only if the fsType is defined
+#   and the volume's accessModes contains ReadWriteOnce.
+#   File: kubernetes may use fsGroup to change permissions and ownership of the volume
+#   to match user requested fsGroup in the pod's security policy regardless of fstype or access mode.
+#   None: volumes will be mounted with no modifications.
+# Default value: ReadWriteOnceWithFSType
+fsGroupPolicy: ReadWriteOnceWithFSType
+
+# To set nodeSelectors and tolerations for controller.
+# controller: configure controller pod specific parameters
+controller:
+  # controllerCount: defines the number of csi-unity controller pods to deploy to
+  # the Kubernetes release.
+  # Allowed values: n, where n > 0
+  # Default value: None
+  controllerCount: 2
+
+  # volumeNamePrefix: Prefix of PersistentVolume names created
+  # Allowed values: string
+  # Default value: None
+  volumeNamePrefix: csivol
+
+  snapshot:
+    # enabled: Enable/Disable volume snapshot feature
+    # Allowed values:
+    #   true: enable volume snapshot feature(install snapshotter sidecar)
+    #   false: disable volume snapshot feature(do not install snapshotter sidecar)
+    # Default value: None
+    enabled: true
+
+    # snapNamePrefix: Prefix to apply to the names of a created snapshots
+    # Allowed values: string
+    # Default value: None
+    snapNamePrefix: csi-snap
+
+  resizer:
+    # enabled: Enable/Disable volume expansion feature
+    # Allowed values:
+    #   true: enable volume expansion feature(install resizer sidecar)
+    #   false: disable volume snapshot feature(do not install resizer sidecar)
+    # Default value: None
+    enabled: true
+
+  # nodeSelector: Define node selection constraints for controller pods.
+  # For the pod to be eligible to run on a node, the node must have each
+  # of the indicated key-value pairs as labels.
+  # Leave as blank to consider all nodes
+  # Allowed values: map of key-value pairs
+  # Default value: None
+  nodeSelector:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  node-role.kubernetes.io/master: ""
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  node-role.kubernetes.io/control-plane: ""
+
+  # tolerations: Define tolerations for the controllers, if required.
+  # Leave as blank to install controller on worker nodes
+  # Default value: None
+  tolerations:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  - key: "node-role.kubernetes.io/master"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  - key: "node-role.kubernetes.io/control-plane"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+
+  healthMonitor:
+    # enabled: Enable/Disable health monitor of CSI volumes- volume state, volume condition
+    # Allowed values:
+    #   true: enable checking of health condition of CSI volumes
+    #   false: disable checking of health condition of CSI volumes
+    # Default value: None
+    enabled: false
+
+    # interval: Interval of monitoring volume health condition
+    # Allowed values: Number followed by unit of time (s,m,h)
+    # Default value: 60s
+    interval: 60s
+
+# node: configure node pod specific parameters
+node:
+  # dnsPolicy : Define the DNS Policy of the Node service.
+  # ClusterFirstWithHostNet is the recommended and default DNS policy for the driver.
+  # Prior to v1.6 of the driver, the default DNS policy was ClusterFirst.
+  # In certain scenarios, users might need to change the default dnsPolicy.
+  # Default value: None
+  dnsPolicy: "ClusterFirstWithHostNet"
+
+  healthMonitor:
+    # enabled: Enable/Disable health monitor of CSI Volumes - volume usage
+    # Allowed values:
+    #   true: enable checking of health condition of CSI volumes
+    #   false: disable checking of health condition of CSI volumes
+    # Default value: None
+    enabled: false
+
+  # nodeSelector: Define node selection constraints for node pods.
+  # For the pod to be eligible to run on a node, the node must have each
+  # of the indicated key-value pairs as labels.
+  # Leave as blank to consider all nodes
+  # Allowed values: map of key-value pairs
+  # Default value: None
+  nodeSelector:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  node-role.kubernetes.io/master: ""
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  node-role.kubernetes.io/control-plane: ""
+
+  # tolerations: Define tolerations for the node daemonset, if required.
+  # Default value: None
+  tolerations:
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/master taint
+  #  - key: "node-role.kubernetes.io/master"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  # Uncomment if nodes you wish to use have the node-role.kubernetes.io/control-plane taint
+  #  - key: "node-role.kubernetes.io/control-plane"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  #  - key: "node.kubernetes.io/memory-pressure"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  #  - key: "node.kubernetes.io/disk-pressure"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  #  - key: "node.kubernetes.io/network-unavailable"
+  #    operator: "Exists"
+  #    effect: "NoExecute"
+  # Uncomment if CSM for Resiliency and CSI Driver pods monitor are enabled
+  #  - key: "offline.vxflexos.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "vxflexos.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "offline.unity.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "unity.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "offline.isilon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+  #  - key: "isilon.podmon.storage.dell.com"
+  #    operator: "Exists"
+  #    effect: "NoSchedule"
+
+# CSM module attributes
+# service to monitor failing jobs and notify
+podmon:
+  # enabled - flag to enable or disable podmon
+  # allowed values : boolean
+  # defaule value : None
+  # Examples : true , false
+  enabled: false
+  controller:
+    args:
+      - "--csisock=unix:/var/run/csi/csi.sock"
+      - "--labelvalue=csi-unity"
+      - "--driverPath=csi-unity.dellemc.com"
+      - "--mode=controller"
+      - "--skipArrayConnectionValidation=false"
+      - "--driver-config-params=/unity-config/driver-config-params.yaml"
+      - "--driverPodLabelValue=dell-storage"
+      - "--ignoreVolumelessPods=false"
+  node:
+    args:
+      - "--csisock=unix:/var/lib/kubelet/plugins/unity.emc.dell.com/csi_sock"
+      - "--labelvalue=csi-unity"
+      - "--driverPath=csi-unity.dellemc.com"
+      - "--mode=node"
+      - "--leaderelection=false"
+      - "--driver-config-params=/unity-config/driver-config-params.yaml"
+      - "--driverPodLabelValue=dell-storage"
+      - "--ignoreVolumelessPods=false"
+
+### The below parameters have been discontinued for configuration from secret.yaml and will have to be configured only in values.yaml
+
+# syncNodeInfoInterval - Time interval to add node info to array. Default 15 minutes. Minimum value should be 1.
+# Allowed values: integer
+# Default value: 15
+# Examples : 0 , 2
+syncNodeInfoInterval: 15
+
+# allowRWOMultiPodAccess - Flag to enable sharing of volumes across multiple pods within the same node in RWO access mode.
+# Allowed values: boolean
+# Default value: "false"
+# Examples : "true" , "false"
+allowRWOMultiPodAccess: "false"
+
+# maxUnityVolumesPerNode - Maximum number of volumes that controller can publish to the node.
+# Allowed values: integer
+# Default value: 0
+# Examples : 0 , 1
+maxUnityVolumesPerNode: 0
+
+# tenantName - Tenant name that need to added while adding host entry to the array.
+# Allowed values: string
+# Default value: ""
+# Examples : "tenant2" , "tenant3"
+tenantName: ""
+
+# Storage Capacity Tracking
+# Note: Capacity tracking is supported in kubernetes v1.24 and above, this feature will be automatically disabled in older versions.
+storageCapacity:
+  # enabled : Enable/Disable storage capacity tracking
+  # Allowed values:
+  #   true: enable storage capacity tracking
+  #   false: disable storage capacity tracking
+  # Default value: true
+  enabled: true
+  # pollInterval : Configure how often external-provisioner polls the driver to detect changed capacity
+  # Allowed values: 1m,2m,3m,...,10m,...,60m etc
+  # Default value: 5m
+  pollInterval: 5m

charts/external-secrets/external-secrets/0.10.4/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: bitwarden-sdk-server
+  repository: oci://ghcr.io/external-secrets/charts
+  version: v0.3.1
+digest: sha256:2d01e9083fc32c18dca4f9614625e0172e338a663138c2670e5b911645b6b8ee
+generated: "2024-09-20T12:57:07.63511+02:00"

charts/external-secrets/external-secrets/0.10.4/Chart.yaml

@@ -0,0 +1,25 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: External Secrets Operator
+  catalog.cattle.io/kube-version: '>= 1.19.0-0'
+  catalog.cattle.io/release-name: external-secrets
+apiVersion: v2
+appVersion: v0.10.4
+dependencies:
+- condition: bitwarden-sdk-server.enabled
+  name: bitwarden-sdk-server
+  repository: file://./charts/bitwarden-sdk-server
+  version: v0.3.1
+description: External secret management for Kubernetes
+home: https://github.com/external-secrets/external-secrets
+icon: file://assets/icons/external-secrets.png
+keywords:
+- kubernetes-external-secrets
+- secrets
+kubeVersion: '>= 1.19.0-0'
+maintainers:
+- email: kellinmcavoy@gmail.com
+  name: mcavoyk
+name: external-secrets
+type: application
+version: 0.10.4

charts/external-secrets/external-secrets/0.10.4/README.md

@@ -0,0 +1,225 @@
+# External Secrets
+
+<p><img src="https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png" width="100x"  alt="external-secrets"></p>
+
+[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
+
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 0.10.4](https://img.shields.io/badge/Version-0.10.4-informational?style=flat-square)
+
+External secret management for Kubernetes
+
+## TL;DR
+```bash
+helm repo add external-secrets https://charts.external-secrets.io
+helm install external-secrets external-secrets/external-secrets
+```
+
+## Installing the Chart
+To install the chart with the release name `external-secrets`:
+```bash
+helm install external-secrets external-secrets/external-secrets
+```
+
+### Custom Resources
+By default, the chart will install external-secrets CRDs, this can be controlled with `installCRDs` value.
+
+## Uninstalling the Chart
+To uninstall the `external-secrets` deployment:
+```bash
+helm uninstall external-secrets
+```
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| bitwarden-sdk-server.enabled | bool | `false` |  |
+| certController.affinity | object | `{}` |  |
+| certController.create | bool | `true` | Specifies whether a certificate controller deployment be created. |
+| certController.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| certController.extraArgs | object | `{}` |  |
+| certController.extraEnv | list | `[]` |  |
+| certController.extraVolumeMounts | list | `[]` |  |
+| certController.extraVolumes | list | `[]` |  |
+| certController.fullnameOverride | string | `""` |  |
+| certController.hostNetwork | bool | `false` | Run the certController on the host network |
+| certController.image.flavour | string | `""` |  |
+| certController.image.pullPolicy | string | `"IfNotPresent"` |  |
+| certController.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| certController.image.tag | string | `""` |  |
+| certController.imagePullSecrets | list | `[]` |  |
+| certController.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| certController.metrics.listen.port | int | `8080` |  |
+| certController.metrics.service.annotations | object | `{}` | Additional service annotations |
+| certController.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| certController.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| certController.nameOverride | string | `""` |  |
+| certController.nodeSelector | object | `{}` |  |
+| certController.podAnnotations | object | `{}` | Annotations to add to Pod |
+| certController.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| certController.podLabels | object | `{}` |  |
+| certController.podSecurityContext.enabled | bool | `true` |  |
+| certController.priorityClassName | string | `""` | Pod priority class name. |
+| certController.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| certController.readinessProbe.address | string | `""` | Address for readiness probe |
+| certController.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| certController.replicaCount | int | `1` |  |
+| certController.requeueInterval | string | `"5m"` |  |
+| certController.resources | object | `{}` |  |
+| certController.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| certController.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| certController.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| certController.securityContext.enabled | bool | `true` |  |
+| certController.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| certController.securityContext.runAsNonRoot | bool | `true` |  |
+| certController.securityContext.runAsUser | int | `1000` |  |
+| certController.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| certController.tolerations | list | `[]` |  |
+| certController.topologySpreadConstraints | list | `[]` |  |
+| commonLabels | object | `{}` | Additional labels added to all helm chart resources. |
+| concurrent | int | `1` | Specifies the number of concurrent ExternalSecret Reconciles external-secret executes at a time. |
+| controllerClass | string | `""` | If set external secrets will filter matching Secret Stores with the appropriate controller values. |
+| crds.annotations | object | `{}` |  |
+| crds.conversion.enabled | bool | `true` |  |
+| crds.createClusterExternalSecret | bool | `true` | If true, create CRDs for Cluster External Secret. |
+| crds.createClusterSecretStore | bool | `true` | If true, create CRDs for Cluster Secret Store. |
+| crds.createPushSecret | bool | `true` | If true, create CRDs for Push Secret. |
+| createOperator | bool | `true` | Specifies whether an external secret operator deployment be created. |
+| deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| dnsConfig | object | `{}` | Specifies `dnsOptions` to deployment |
+| dnsPolicy | string | `"ClusterFirst"` | Specifies `dnsPolicy` to deployment |
+| extendedMetricLabels | bool | `false` | If true external secrets will use recommended kubernetes annotations as prometheus metric labels. |
+| extraArgs | object | `{}` |  |
+| extraContainers | list | `[]` |  |
+| extraEnv | list | `[]` |  |
+| extraObjects | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| extraVolumes | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| global.affinity | object | `{}` |  |
+| global.compatibility.openshift.adaptSecurityContext | string | `"auto"` | Manages the securityContext properties to make them compatible with OpenShift. Possible values: auto - Apply configurations if it is detected that OpenShift is the target platform. force - Always apply configurations. disabled - No modification applied. |
+| global.nodeSelector | object | `{}` |  |
+| global.tolerations | list | `[]` |  |
+| global.topologySpreadConstraints | list | `[]` |  |
+| hostNetwork | bool | `false` | Run the controller on the host network |
+| image.flavour | string | `""` | The flavour of tag you want to use There are different image flavours available, like distroless and ubi. Please see GitHub release notes for image tags for these flavors. By default, the distroless image is used. |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| imagePullSecrets | list | `[]` |  |
+| installCRDs | bool | `true` | If set, install and upgrade CRDs through helm chart. |
+| leaderElect | bool | `false` | If true, external-secrets will perform leader election between instances to ensure no more than one instance of external-secrets operates at a time. |
+| log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| metrics.listen.port | int | `8080` |  |
+| metrics.service.annotations | object | `{}` | Additional service annotations |
+| metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| metrics.service.port | int | `8080` | Metrics service port to scrape |
+| nameOverride | string | `""` |  |
+| namespaceOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podAnnotations | object | `{}` | Annotations to add to Pod |
+| podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| podLabels | object | `{}` |  |
+| podSecurityContext.enabled | bool | `true` |  |
+| podSpecExtra | object | `{}` | Any extra pod spec on the deployment |
+| priorityClassName | string | `""` | Pod priority class name. |
+| processClusterExternalSecret | bool | `true` | if true, the operator will process cluster external secret. Else, it will ignore them. |
+| processClusterStore | bool | `true` | if true, the operator will process cluster store. Else, it will ignore them. |
+| processPushSecret | bool | `true` | if true, the operator will process push secret. Else, it will ignore them. |
+| rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| rbac.servicebindings.create | bool | `true` | Specifies whether a clusterrole to give servicebindings read access should be created. |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| scopedNamespace | string | `""` | If set external secrets are only reconciled in the provided namespace |
+| scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
+| securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| securityContext.enabled | bool | `true` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `1000` |  |
+| securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| service.ipFamilies | list | `[]` | Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| service.ipFamilyPolicy | string | `""` | Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| serviceMonitor.enabled | bool | `false` | Specifies whether to create a ServiceMonitor resource for collecting Prometheus metrics |
+| serviceMonitor.honorLabels | bool | `false` | Let prometheus add an exported_ prefix to conflicting labels |
+| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| serviceMonitor.metricRelabelings | list | `[]` | Metric relabel configs to apply to samples before ingestion. [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) |
+| serviceMonitor.namespace | string | `""` | namespace where you want to install ServiceMonitors |
+| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) |
+| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| tolerations | list | `[]` |  |
+| topologySpreadConstraints | list | `[]` |  |
+| webhook.affinity | object | `{}` |  |
+| webhook.certCheckInterval | string | `"5m"` | Specifices the time to check if the cert is valid |
+| webhook.certDir | string | `"/tmp/certs"` |  |
+| webhook.certManager.addInjectorAnnotations | bool | `true` | Automatically add the cert-manager.io/inject-ca-from annotation to the webhooks and CRDs. As long as you have the cert-manager CA Injector enabled, this will automatically setup your webhook's CA to the one used by cert-manager. See https://cert-manager.io/docs/concepts/ca-injector |
+| webhook.certManager.cert.annotations | object | `{}` | Add extra annotations to the Certificate resource. |
+| webhook.certManager.cert.create | bool | `true` | Create a certificate resource within this chart. See https://cert-manager.io/docs/usage/certificate/ |
+| webhook.certManager.cert.duration | string | `"8760h"` | Set the requested duration (i.e. lifetime) of the Certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec One year by default. |
+| webhook.certManager.cert.issuerRef | object | `{"group":"cert-manager.io","kind":"Issuer","name":"my-issuer"}` | For the Certificate created by this chart, setup the issuer. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.IssuerSpec |
+| webhook.certManager.cert.renewBefore | string | `""` | How long before the currently issued certificate’s expiry cert-manager should renew the certificate. See https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec Note that renewBefore should be greater than .webhook.lookaheadInterval since the webhook will check this far in advance that the certificate is valid. |
+| webhook.certManager.enabled | bool | `false` | Enabling cert-manager support will disable the built in secret and switch to using cert-manager (installed separately) to automatically issue and renew the webhook certificate. This chart does not install cert-manager for you, See https://cert-manager.io/docs/ |
+| webhook.create | bool | `true` | Specifies whether a webhook deployment be created. |
+| webhook.deploymentAnnotations | object | `{}` | Annotations to add to Deployment |
+| webhook.extraArgs | object | `{}` |  |
+| webhook.extraEnv | list | `[]` |  |
+| webhook.extraVolumeMounts | list | `[]` |  |
+| webhook.extraVolumes | list | `[]` |  |
+| webhook.failurePolicy | string | `"Fail"` | Specifies whether validating webhooks should be created with failurePolicy: Fail or Ignore |
+| webhook.fullnameOverride | string | `""` |  |
+| webhook.hostNetwork | bool | `false` | Specifies if webhook pod should use hostNetwork or not. |
+| webhook.image.flavour | string | `""` | The flavour of tag you want to use |
+| webhook.image.pullPolicy | string | `"IfNotPresent"` |  |
+| webhook.image.repository | string | `"oci.external-secrets.io/external-secrets/external-secrets"` |  |
+| webhook.image.tag | string | `""` | The image tag to use. The default is the chart appVersion. |
+| webhook.imagePullSecrets | list | `[]` |  |
+| webhook.log | object | `{"level":"info","timeEncoding":"epoch"}` | Specifices Log Params to the Webhook |
+| webhook.lookaheadInterval | string | `""` | Specifices the lookaheadInterval for certificate validity |
+| webhook.metrics.listen.port | int | `8080` |  |
+| webhook.metrics.service.annotations | object | `{}` | Additional service annotations |
+| webhook.metrics.service.enabled | bool | `false` | Enable if you use another monitoring tool than Prometheus to scrape the metrics |
+| webhook.metrics.service.port | int | `8080` | Metrics service port to scrape |
+| webhook.nameOverride | string | `""` |  |
+| webhook.nodeSelector | object | `{}` |  |
+| webhook.podAnnotations | object | `{}` | Annotations to add to Pod |
+| webhook.podDisruptionBudget | object | `{"enabled":false,"minAvailable":1}` | Pod disruption budget - for more details see https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
+| webhook.podLabels | object | `{}` |  |
+| webhook.podSecurityContext.enabled | bool | `true` |  |
+| webhook.port | int | `10250` | The port the webhook will listen to |
+| webhook.priorityClassName | string | `""` | Pod priority class name. |
+| webhook.rbac.create | bool | `true` | Specifies whether role and rolebinding resources should be created. |
+| webhook.readinessProbe.address | string | `""` | Address for readiness probe |
+| webhook.readinessProbe.port | int | `8081` | ReadinessProbe port for kubelet |
+| webhook.replicaCount | int | `1` |  |
+| webhook.resources | object | `{}` |  |
+| webhook.revisionHistoryLimit | int | `10` | Specifies the amount of historic ReplicaSets k8s should keep (see https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) |
+| webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
+| webhook.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| webhook.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| webhook.securityContext.enabled | bool | `true` |  |
+| webhook.securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| webhook.securityContext.runAsNonRoot | bool | `true` |  |
+| webhook.securityContext.runAsUser | int | `1000` |  |
+| webhook.securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
+| webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
+| webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
+| webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
+| webhook.tolerations | list | `[]` |  |
+| webhook.topologySpreadConstraints | list | `[]` |  |