Charts CI

```
Updated:
  kasten/k10:
    - 6.5.13
  speedscale/speedscale-operator:
    - 2.1.320
```
pull/1014/head
github-actions[bot] 2024-05-04 00:52:43 +00:00
parent 66544849ce
commit 50966c9800
22 changed files with 292 additions and 47 deletions

Binary file not shown.

Binary file not shown.


@ -6,4 +6,4 @@ dependencies:
repository: "" repository: ""
version: 25.18.0 version: 25.18.0
digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066 digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066
generated: "2024-04-20T03:47:20.475656567Z" generated: "2024-05-03T18:14:59.697223332Z"


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: k10 catalog.cattle.io/release-name: k10
apiVersion: v2 apiVersion: v2
appVersion: 6.5.12 appVersion: 6.5.13
dependencies: dependencies:
- condition: grafana.enabled - condition: grafana.enabled
name: grafana name: grafana
@ -21,4 +21,4 @@ maintainers:
- email: contact@kasten.io - email: contact@kasten.io
name: kastenIO name: kastenIO
name: k10 name: k10
version: 6.5.1201 version: 6.5.1301


@ -59,6 +59,7 @@ Parameter | Description | Default
`license` | License string obtained from Kasten | `None` `license` | License string obtained from Kasten | `None`
`rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true` `rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true`
`scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false` `scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false`
`scc.priority` | Sets the SecurityContextConstraints priority | `15`
`services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false` `services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false`
`services.executor.hostNetwork` | Whether the executor pods may use the node network | `false` `services.executor.hostNetwork` | Whether the executor pods may use the node network | `false`
`services.executor.workerCount` | Specifies count of running executor workers | 8 `services.executor.workerCount` | Specifies count of running executor workers | 8
@ -103,6 +104,7 @@ Parameter | Description | Default
`secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None` `secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None`
`secrets.awsSecretAccessKey` | AWS access key secret | `None` `secrets.awsSecretAccessKey` | AWS access key secret | `None`
`secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None` `secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None`
`secrets.awsClientSecretName` | The secret that contains AWS access key ID, AWS access key secret and AWS IAM role for AWS | `None`
`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None` `secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None`
`secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None` `secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None`
`secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None` `secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None`
@ -118,6 +120,7 @@ Parameter | Description | Default
`secrets.vsphereEndpoint` | vSphere endpoint for login | `None` `secrets.vsphereEndpoint` | vSphere endpoint for login | `None`
`secrets.vsphereUsername` | vSphere username for login | `None` `secrets.vsphereUsername` | vSphere username for login | `None`
`secrets.vspherePassword` | vSphere password for login | `None` `secrets.vspherePassword` | vSphere password for login | `None`
`secrets.vsphereClientSecretName` | The secret that contains vSphere username, vSphere password and vSphere endpoint | `None`
`secrets.dockerConfig` | Set base64 encoded docker config to use for image pull operations. Alternative to the ``secrets.dockerConfigPath`` | `None` `secrets.dockerConfig` | Set base64 encoded docker config to use for image pull operations. Alternative to the ``secrets.dockerConfigPath`` | `None`
`secrets.dockerConfigPath` | Use ``--set-file secrets.dockerConfigPath=path_to_docker_config.yaml`` to specify docker config for image pull. Will be overwritten if ``secrets.dockerConfig`` is set | `None` `secrets.dockerConfigPath` | Use ``--set-file secrets.dockerConfigPath=path_to_docker_config.yaml`` to specify docker config for image pull. Will be overwritten if ``secrets.dockerConfig`` is set | `None`
`cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None` `cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None`


@ -35,8 +35,8 @@ crypto:
dashboardbff: dashboardbff:
- vbrintegrationapi - vbrintegrationapi
state: state:
- admin
- events - events
- admin
{{- end -}} {{- end -}}
{{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}} {{- define "k10.aggregatedAPIs" -}}actions apps repositories vault{{- end -}}
{{- define "k10.configAPIs" -}}config{{- end -}} {{- define "k10.configAPIs" -}}config{{- end -}}


@ -118,11 +118,7 @@
{{- /* FIPS */ -}} {{- /* FIPS */ -}}
{{- $fips := .Values.fips | default dict -}} {{- $fips := .Values.fips | default dict -}}
{{- if $fips.enabled -}} {{- if $fips.enabled -}}
{{- $internal_capabilities = append $internal_capabilities "fips" -}} {{- $internal_capabilities = append $internal_capabilities "fips.strict" -}}
{{- if not $fips.allowNonFIPSImports -}}
{{- $internal_capabilities = append $internal_capabilities "fips.strict.migrations" -}}
{{- end -}}
{{- end -}} {{- end -}}
{{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}} {{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}}
@ -467,6 +463,12 @@ Check if AWS creds are specified
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "check.awsSecretName" -}}
{{- if .Values.secrets.awsClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Check if Azure MSI with Default ID is specified Check if Azure MSI with Default ID is specified
*/}} */}}
@ -602,14 +604,29 @@ Check if Google creds are specified
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "check.googleCredsSecret" -}}
{{- if .Values.secrets.googleClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}
{{- define "check.googleCredsOrSecret" -}}
{{- if or (eq (include "check.googlecreds" .) "true") (eq (include "check.googleCredsSecret" .) "true")}}
{{- print true -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Check if Google Project ID is specified Check if Google Project ID is not set without Google API Key
*/}} */}}
{{- define "check.googleproject" -}} {{- define "check.googleproject" -}}
{{- if .Values.secrets.googleProjectId -}} {{- if .Values.secrets.googleProjectId -}}
{{- if not .Values.secrets.googleApiKey -}} {{- if not .Values.secrets.googleApiKey -}}
{{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}} {{- print false -}}
{{- else -}}
{{- print true -}}
{{- end -}} {{- end -}}
{{- else -}}
{{- print true -}} {{- print true -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
@ -638,6 +655,12 @@ Check if Vsphere creds are specified
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- define "check.vsphereClientSecret" -}}
{{- if .Values.secrets.vsphereClientSecretName -}}
{{- print true -}}
{{- end -}}
{{- end -}}
{{/* {{/*
Check if Vault token secret creds are specified Check if Vault token secret creds are specified
*/}} */}}
@ -1158,6 +1181,55 @@ running in the same cluster.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{/* Fail if FIPS is enabled and Grafana is turned on */}}
{{- define "k10.fail.fipsGrafana" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.grafana.enabled) -}}
{{- fail "fips.enabled and grafana.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Prometheus is turned on */}}
{{- define "k10.fail.fipsPrometheus" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.prometheus.server.enabled) -}}
{{- fail "fips.enabled and prometheus.server.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Multicluster is turned on */}}
{{- define "k10.fail.fipsMulticluster" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.multicluster.enabled) -}}
{{- fail "fips.enabled and multicluster.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and PDF reporting is turned on */}}
{{- define "k10.fail.fipsPDFReports" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.reporting.pdfReports) -}}
{{- fail "fips.enabled and reporting.pdfReports cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and next gen gateway is turned off */}}
{{- define "k10.fail.fipsGatewayNextGen" -}}
{{- if and ((.Values.fips | default dict).enabled) (not .Values.gateway.next_gen) -}}
{{- fail "gateway.next_gen must be enabled if fips.enabled=true" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and auth.ldap is turned on */}}
{{- define "k10.fail.fipsDexAuthLDAP" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.auth.ldap.enabled) -}}
{{- fail "fips.enabled and auth.ldap.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and auth.openshift is turned on */}}
{{- define "k10.fail.fipsDexAuthOpenshift" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.auth.openshift.enabled) -}}
{{- fail "fips.enabled and auth.openshift.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Check to see whether SIEM logging is enabled */}} {{/* Check to see whether SIEM logging is enabled */}}
{{- define "k10.siemEnabled" -}} {{- define "k10.siemEnabled" -}}
{{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}} {{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}}
@ -1188,3 +1260,14 @@ running in the same cluster.
{{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}} {{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}}
{{ printf "%s-k10-secret" $serviceAccount | quote }} {{ printf "%s-k10-secret" $serviceAccount | quote }}
{{- end -}} {{- end -}}
{{/*
Returns the required environment variables to enforce FIPS mode using
the Microsoft Go toolchain and Red Hat's OpenSSL.
*/}}
{{- define "k10.enforceFIPSEnvironmentVariables" }}
- name: GOFIPS
value: "1"
- name: OPENSSL_FORCE_FIPS_MODE
value: "1"
{{- end }}
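Review bot: The three new helpers `check.awsSecretName`, `check.googleCredsSecret` and `check.vsphereClientSecret` carry no `{{/* ... */}}` description, unlike the neighbouring checks, and their names suggest more than they do: each only tests that the matching `secrets.*ClientSecretName` value is non-empty and never confirms that the Secret exists. I would put a comment above each, e.g. `{{/* Check if a user-supplied Secret name is set for AWS creds (name only, the Secret is not looked up) */}}`, and settle on one naming pattern for the three. `check.googleCredsOrSecret` also closes its `if` with `}}` where the surrounding helpers use `-}}`.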


@ -94,16 +94,27 @@ stating that types are not same for the equality check
- name: {{ include "k10.disabledServicesEnvVar" . }} - name: {{ include "k10.disabledServicesEnvVar" . }}
value: {{ include "get.disabledServices" . | quote }} value: {{ include "get.disabledServices" . | quote }}
{{- end -}} {{- end -}}
{{- if eq (include "check.googlecreds" .) "true" }} {{- if not (eq (include "check.googleproject" . ) "true") -}}
- name: GOOGLE_APPLICATION_CREDENTIALS {{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}}
value: "/var/run/secrets/kasten.io/kasten-gke-sa.json" {{- end -}}
{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }}
{{- $gkeProjectId := "kasten-gke-project" }}
{{- $gkeApiKey := "/var/run/secrets/kasten.io/kasten-gke-sa.json"}}
{{- if eq (include "check.googleCredsSecret" .) "true" }}
{{- $gkeProjectId = "google-project-id" }}
{{- $gkeApiKey = "/var/run/secrets/kasten.io/google-api-key" }}
{{- end }} {{- end }}
{{- if eq (include "check.googleproject" .) "true" }} {{- if eq (include "check.googleCredsOrSecret" .) "true" }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: {{ $gkeApiKey }}
{{- end }}
{{- if eq (include "check.googleCredsOrSecret" .) "true" }}
- name: projectID - name: projectID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: google-secret name: {{ $gkeSecret }}
key: kasten-gke-project key: {{ $gkeProjectId }}
optional: true
{{- end }} {{- end }}
{{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }} {{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }}
{{- if eq (include "check.azuresecret" .) "true" }} {{- if eq (include "check.azuresecret" .) "true" }}
@ -190,24 +201,44 @@ stating that types are not same for the equality check
value: "{{ .Values.azure.useDefaultMSI }}" value: "{{ .Values.azure.useDefaultMSI }}"
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq (include "check.awscreds" .) "true" }}
{{- /*
There are 3 valid states of the secret provided by customer:
1. Only role set
2. Both aws_access_key_id and aws_secret_access_key are set
3. All of role, aws_access_key_id and aws_secret_access_key are set.
*/}}
{{- if eq (include "check.awsSecretName" .) "true" }}
{{- $customerSecret := (lookup "v1" "Secret" .Release.Namespace .Values.secrets.awsClientSecretName )}}
{{- if $customerSecret }}
{{- if and (not $customerSecret.data.role) (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key) }}
{{ fail "Provided secret must contain at least AWS IAM Role or AWS access key ID together with AWS secret access key"}}
{{- end }}
{{- if not (or (and $customerSecret.data.aws_access_key_id $customerSecret.data.aws_secret_access_key) (and (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key))) }}
{{ fail "Provided secret lacks aws_access_key_id or aws_secret_access_key" }}
{{- end }}
{{- end }}
{{- end }}
{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "metering" "kanister" | has $service}}
{{- $awsSecretName := default "aws-creds" .Values.secrets.awsClientSecretName }}
- name: AWS_ACCESS_KEY_ID - name: AWS_ACCESS_KEY_ID
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: aws-creds name: {{ $awsSecretName }}
key: aws_access_key_id key: aws_access_key_id
optional: true
- name: AWS_SECRET_ACCESS_KEY - name: AWS_SECRET_ACCESS_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: aws-creds name: {{ $awsSecretName }}
key: aws_secret_access_key key: aws_secret_access_key
{{- if .Values.secrets.awsIamRole }} optional: true
- name: K10_AWS_IAM_ROLE - name: K10_AWS_IAM_ROLE
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: aws-creds name: {{ $awsSecretName }}
key: role key: role
{{- end }} optional: true
{{- end }} {{- end }}
{{- if list "controllermanager" "executor" "catalog" | has $service}} {{- if list "controllermanager" "executor" "catalog" | has $service}}
{{- if eq (include "check.gwifenabled" .) "true"}} {{- if eq (include "check.gwifenabled" .) "true"}}
@ -242,21 +273,22 @@ stating that types are not same for the equality check
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq (include "check.vspherecreds" .) "true" }} {{- if or (eq (include "check.vspherecreds" .) "true") (eq (include "check.vsphereClientSecret" .) "true") }}
{{- $vsphereSecretName := default "vsphere-creds" .Values.secrets.vsphereClientSecretName }}
- name: VSPHERE_ENDPOINT - name: VSPHERE_ENDPOINT
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: vsphere-creds name: {{ $vsphereSecretName }}
key: vsphere_endpoint key: vsphere_endpoint
- name: VSPHERE_USERNAME - name: VSPHERE_USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: vsphere-creds name: {{ $vsphereSecretName }}
key: vsphere_username key: vsphere_username
- name: VSPHERE_PASSWORD - name: VSPHERE_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: vsphere-creds name: {{ $vsphereSecretName }}
key: vsphere_password key: vsphere_password
{{- end }} {{- end }}
- name: VERSION - name: VERSION
@ -270,6 +302,9 @@ stating that types are not same for the equality check
configMapKeyRef: configMapKeyRef:
name: k10-config name: k10-config
key: clustername key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }} {{- end }}
{{- with $capabilities := include "k10.capabilities" . }} {{- with $capabilities := include "k10.capabilities" . }}
- name: K10_CAPABILITIES - name: K10_CAPABILITIES
@ -730,7 +765,7 @@ stating that types are not same for the equality check
value: {{ .Values.multicluster.primary.ingressURL | quote }} value: {{ .Values.multicluster.primary.ingressURL | quote }}
{{- end }} {{- end }}
{{- end -}} {{- end -}}
{{- if or $.stateful (or (eq (include "check.googlecreds" .) "true") (eq $service "auth" "logging")) }} {{- if or $.stateful (or (eq (include "check.googleCredsOrSecret" .) "true") (eq $service "auth" "logging")) }}
volumeMounts: volumeMounts:
{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} {{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }}
volumeMounts: volumeMounts:
@ -777,7 +812,7 @@ stating that types are not same for the equality check
readOnly: true readOnly: true
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- if eq (include "check.googlecreds" .) "true" }} {{- if eq (include "check.googleCredsOrSecret" .) "true"}}
- name: service-account - name: service-account
mountPath: "/var/run/secrets/kasten.io" mountPath: "/var/run/secrets/kasten.io"
{{- end }} {{- end }}
@ -812,6 +847,10 @@ stating that types are not same for the equality check
image: {{ include "get.kanisterToolsImage" .}} image: {{ include "get.kanisterToolsImage" .}}
imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }} imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }}
{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}} {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}}
{{- if (.Values.fips | default dict).enabled }}
env:
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
volumeMounts: volumeMounts:
- name: {{ $service }}-persistent-storage - name: {{ $service }}-persistent-storage
mountPath: {{ .Values.global.persistence.mountPath | quote }} mountPath: {{ .Values.global.persistence.mountPath | quote }}
@ -831,6 +870,10 @@ stating that types are not same for the equality check
image: {{ include "get.dexImage" . }} image: {{ include "get.dexImage" . }}
{{- if .Values.auth.ldap.enabled }} {{- if .Values.auth.ldap.enabled }}
command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"] command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
{{- if (.Values.fips | default dict).enabled }}
env:
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
{{- else if .Values.auth.openshift.enabled }} {{- else if .Values.auth.openshift.enabled }}
{{- /* {{- /*
In the case of OpenShift, a template config is used instead of a plain config for Dex. In the case of OpenShift, a template config is used instead of a plain config for Dex.
@ -852,6 +895,9 @@ stating that types are not same for the equality check
{{- else }} {{- else }}
value: {{ .Values.auth.openshift.clientSecret }} value: {{ .Values.auth.openshift.clientSecret }}
{{- end }} {{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- end }} {{- end }}
ports: ports:
- name: http - name: http
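Review bot: The Secret validation in the AWS hunk is silently skipped whenever `lookup` returns nothing (the `{{- if $customerSecret }}` guard), which is the case for `helm template`, client-side dry runs, and a misspelled or not-yet-created `secrets.awsClientSecretName`. Because all three `secretKeyRef` entries now carry `optional: true`, such a release still renders and the pods start without AWS credentials instead of failing at install time. I would state that limit in the block comment, e.g. `Validation only runs when the Secret already exists and is readable at render time.` The user-supplied names are also rendered unquoted; `name: {{ $awsSecretName | quote }}` keeps a numeric-looking or boolean-looking value a string, and the same holds for `$gkeSecret` and `$vsphereSecretName`. The enclosing template definition starts and ends outside the visible hunks.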


@ -1 +1 @@
{{- define "k10.imageTag" -}}6.5.12{{- end -}} {{- define "k10.imageTag" -}}6.5.13{{- end -}}


@ -181,6 +181,9 @@ spec:
configMapKeyRef: configMapKeyRef:
name: k10-config name: k10-config
key: clustername key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }} {{- end }}
{{- with $capabilities := include "k10.capabilities" . }} {{- with $capabilities := include "k10.capabilities" . }}
- name: K10_CAPABILITIES - name: K10_CAPABILITIES


@ -164,10 +164,11 @@ spec:
persistentVolumeClaim: persistentVolumeClaim:
claimName: {{ $statefulContainer }}-pv-claim claimName: {{ $statefulContainer }}-pv-claim
{{- end }} {{- end }}
{{- if eq (include "check.googlecreds" .) "true" }} {{- if eq (include "check.googleCredsOrSecret" .) "true" }}
{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }}
- name: service-account - name: service-account
secret: secret:
secretName: google-secret secretName: {{ $gkeSecret }}
{{- end }} {{- end }}
{{- if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" .) "true")}} {{- if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" .) "true")}}
- name: bound-sa-token - name: bound-sa-token


@ -150,6 +150,9 @@ spec:
configMapKeyRef: configMapKeyRef:
name: k10-config name: k10-config
key: version key: version
{{- if (.Values.fips | default dict).enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }} {{- with $capabilities := include "k10.capabilities" . }}
- name: K10_CAPABILITIES - name: K10_CAPABILITIES
value: {{ $capabilities | quote }} value: {{ $capabilities | quote }}


@ -1,8 +0,0 @@
{{/*
This file is used to fail the helm deployment if certain values are set which are
not compatible with an Ironbank deployment.
*/}}
{{- include "k10.fail.ironbankGrafana" . -}}
{{- include "k10.fail.ironbankPdfReports" . -}}
{{- include "k10.fail.ironbankPrometheus" . -}}
{{- include "k10.fail.ironbankRHMarketplace" . -}}


@ -22,7 +22,7 @@ defaultAddCapabilities:
- DAC_OVERRIDE - DAC_OVERRIDE
fsGroup: fsGroup:
type: RunAsAny type: RunAsAny
priority: 15 priority: {{ .Values.scc.priority }}
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
requiredDropCapabilities: requiredDropCapabilities:
- ALL - ALL
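Review bot: `priority: {{ .Values.scc.priority }}` renders an empty value when the key is missing from the effective values, which can happen on an upgrade that reuses the previous release's values rather than the new chart defaults, so the SCC would move from the former fixed 15 to no priority without any error. A guard such as `priority: {{ .Values.scc.priority | default 15 }}` keeps the old behaviour; note that `default` also replaces an explicit 0, so a nil check is the better form if 0 must stay settable. The rest of the SCC definition is outside the hunk.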


@ -94,7 +94,11 @@ rules:
resources: resources:
- configmaps - configmaps
verbs: verbs:
- create
- delete
- get - get
- list
- update
- apiGroups: - apiGroups:
- "batch" - "batch"
resources: resources:
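Review bot: The new write verbs on `configmaps` (`create`, `delete`, `update`, plus `list`) are granted with no `resourceNames` restriction visible in the hunk, so they appear to cover every ConfigMap in the rule's scope. Whether this rule belongs to a Role or a ClusterRole is decided outside the hunk; if it is cluster-wide, write access to ConfigMaps in other namespaces is a real privilege increase and deserves a stated reason. I would add a comment above the rule naming the feature that needs the write verbs, e.g. `# write verbs required by <feature placeholder>`, and move `update`/`delete` into a separate rule with `resourceNames` if the set of ConfigMaps is known.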


@ -1,7 +1,7 @@
{{- include "enforce.singlecloudcreds" . -}} {{- include "enforce.singlecloudcreds" . -}}
{{- include "enforce.singleazurecreds" . -}} {{- include "enforce.singleazurecreds" . -}}
{{- include "check.validateImagePullSecrets" . -}} {{- include "check.validateImagePullSecrets" . -}}
{{- if eq (include "check.awscreds" . ) "true" }} {{- if and (eq (include "check.awscreds" . ) "true") (not (eq (include "check.awsSecretName" . ) "true")) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@ -30,7 +30,7 @@ type: kubernetes.io/dockerconfigjson
data: data:
.dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }} .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }}
{{- end }} {{- end }}
{{- if eq (include "check.googlecreds" .) "true" }} {{- if and (eq (include "check.googlecreds" .) "true") ( not (eq (include "check.googleCredsSecret" .) "true")) }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@ -73,7 +73,7 @@ data:
azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }} azure_ad_resource_id: {{ default "" .Values.secrets.azureADResourceID | b64enc | quote }}
azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }} azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }}
{{- end }} {{- end }}
{{- if eq (include "check.vspherecreds" .) "true" }} {{- if and (eq (include "check.vspherecreds" .) "true") (not (eq (include "check.vsphereClientSecret" . ) "true")) }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
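Review bot: When a `secrets.*ClientSecretName` is set together with the inline credential values, the new conditions skip the chart-managed Secret and the inline values are dropped without any message. Unless `enforce.singlecloudcreds` (defined outside this page) already rejects that combination, an explicit failure would be clearer than silently preferring the named Secret, e.g. `{{- fail "set either secrets.awsClientSecretName or the inline AWS credentials, not both" -}}`. The same applies to the Google and vSphere conditions in the later hunks of this file.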


@ -0,0 +1,23 @@
{{/*
This file is used to fail the helm deployment if certain values are set which are
not compatible with a secure deployment.
A secure deployment is defined as one of the following:
- Iron Bank
- FIPS
*/}}
{{/* Iron Bank */}}
{{- include "k10.fail.ironbankGrafana" . -}}
{{- include "k10.fail.ironbankPdfReports" . -}}
{{- include "k10.fail.ironbankPrometheus" . -}}
{{- include "k10.fail.ironbankRHMarketplace" . -}}
{{/* FIPS */}}
{{- include "k10.fail.fipsGrafana" . -}}
{{- include "k10.fail.fipsPrometheus" . -}}
{{- include "k10.fail.fipsMulticluster" . -}}
{{- include "k10.fail.fipsPDFReports" . -}}
{{- include "k10.fail.fipsGatewayNextGen" . -}}
{{- include "k10.fail.fipsDexAuthLDAP" . -}}
{{- include "k10.fail.fipsDexAuthOpenshift" . -}}


@ -44,6 +44,12 @@
"default": false, "default": false,
"title": "Create K10 SSC", "title": "Create K10 SSC",
"description": "Whether to create a SecurityContextConstraints for K10 ServiceAccounts" "description": "Whether to create a SecurityContextConstraints for K10 ServiceAccounts"
},
"priority": {
"type": "integer",
"default": 15,
"title": "SCC priority",
"description": "Sets the SecurityContextConstraints priority"
} }
} }
}, },
@ -1002,6 +1008,12 @@
"title": "AWS IAM Role", "title": "AWS IAM Role",
"description": "ARN of the AWS IAM role assumed by K10 to perform any AWS operation" "description": "ARN of the AWS IAM role assumed by K10 to perform any AWS operation"
}, },
"awsClientSecretName": {
"type": "string",
"default": "",
"title": "Secret with AWS credentials and/or IAM Role",
"description": "Specify a Secret directly instead of having to provide awsAccessKeyId, awsSecretAccessKey and awsIamRole"
},
"googleApiKey": { "googleApiKey": {
"type": "string", "type": "string",
"default": "", "default": "",
@ -1014,6 +1026,12 @@
"title": "Google Project ID", "title": "Google Project ID",
"description": "Set Google Project ID other than the one in the GCP Service Account" "description": "Set Google Project ID other than the one in the GCP Service Account"
}, },
"googleClientSecretName": {
"type": "string",
"default": "",
"title": "Secret with Google credentials",
"description": "Specify a Secret directly instead of having to provide googleApiKey and googleProjectId"
},
"tlsSecret": { "tlsSecret": {
"type": "string", "type": "string",
"default": "", "default": "",
@ -1121,6 +1139,12 @@
"default": "", "default": "",
"title": "vSphere password", "title": "vSphere password",
"description": "vSphere password for login" "description": "vSphere password for login"
},
"vsphereClientSecretName": {
"type": "string",
"default": "",
"title": "Secret with vSphere credentials",
"description": "Specify a Secret directly instead of having to provide vsphereUsername, vspherePassword and vspherePassword"
} }
} }
}, },
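Review bot: The description of `vsphereClientSecretName` lists `vspherePassword` twice and omits the endpoint, while the README entry for the same value names the username, password and endpoint. It should read `"Specify a Secret directly instead of having to provide vsphereUsername, vspherePassword and vsphereEndpoint"`.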


@ -13,6 +13,7 @@ serviceAccount:
scc: scc:
create: false create: false
priority: 15
networkPolicy: networkPolicy:
create: true create: true
@ -203,8 +204,10 @@ secrets:
awsAccessKeyId: '' awsAccessKeyId: ''
awsSecretAccessKey: '' awsSecretAccessKey: ''
awsIamRole: '' awsIamRole: ''
awsClientSecretName: ''
googleApiKey: '' googleApiKey: ''
googleProjectId: '' googleProjectId: ''
googleClientSecretName: ''
dockerConfig: '' dockerConfig: ''
dockerConfigPath: '' dockerConfigPath: ''
azureTenantId: '' azureTenantId: ''
@ -223,6 +226,7 @@ secrets:
vsphereEndpoint: '' vsphereEndpoint: ''
vsphereUsername: '' vsphereUsername: ''
vspherePassword: '' vspherePassword: ''
vsphereClientSecretName: ''
metering: metering:
reportingKey: "" #[base64-encoded key] reportingKey: "" #[base64-encoded key]


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.17.0-0' catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1 apiVersion: v1
appVersion: 2.1.313 appVersion: 2.1.320
description: Stress test your APIs with real world scenarios. Collect and replay description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting. traffic without scripting.
home: https://speedscale.com home: https://speedscale.com
@ -24,4 +24,4 @@ maintainers:
- email: support@speedscale.com - email: support@speedscale.com
name: Speedscale Support name: Speedscale Support
name: speedscale-operator name: speedscale-operator
version: 2.1.313 version: 2.1.320


@ -20,7 +20,7 @@ clusterName: "my-cluster"
# Speedscale components image settings. # Speedscale components image settings.
image: image:
registry: gcr.io/speedscale registry: gcr.io/speedscale
tag: v2.1.313 tag: v2.1.320
pullPolicy: Always pullPolicy: Always
# Log level for Speedscale components. # Log level for Speedscale components.


@ -29745,6 +29745,34 @@ entries:
- assets/trilio/k8s-triliovault-operator-v2.0.200.tgz - assets/trilio/k8s-triliovault-operator-v2.0.200.tgz
version: v2.0.200 version: v2.0.200
k10: k10:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: K10
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: k10
apiVersion: v2
appVersion: 6.5.13
created: "2024-05-04T00:52:28.271815838Z"
dependencies:
- condition: grafana.enabled
name: grafana
repository: file://./charts/grafana
version: 7.3.2
- condition: prometheus.server.enabled
name: prometheus
repository: file://./charts/prometheus
version: 25.18.0
description: Kastens K10 Data Management Platform
digest: 2507b1c0b00fe153b6c6f31a8f0146300908d97d428b6dafead2c8bc756f2cc1
home: https://kasten.io/
icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png
maintainers:
- email: contact@kasten.io
name: kastenIO
name: k10
urls:
- assets/kasten/k10-6.5.1301.tgz
version: 6.5.1301
- annotations: - annotations:
catalog.cattle.io/certified: partner catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: K10 catalog.cattle.io/display-name: K10
@ -49882,6 +49910,37 @@ entries:
- assets/shipa/shipa-1.4.0.tgz - assets/shipa/shipa-1.4.0.tgz
version: 1.4.0 version: 1.4.0
speedscale-operator: speedscale-operator:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1
appVersion: 2.1.320
created: "2024-05-04T00:52:30.78129258Z"
description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting.
digest: f705993719557e7cdb62d4b525b683db63e9c42d5686ec9d5fbccf6d660227f4
home: https://speedscale.com
icon: https://raw.githubusercontent.com/speedscale/assets/main/logo/gold_logo_only.png
keywords:
- speedscale
- test
- testing
- regression
- reliability
- load
- replay
- network
- traffic
kubeVersion: '>= 1.17.0-0'
maintainers:
- email: support@speedscale.com
name: Speedscale Support
name: speedscale-operator
urls:
- assets/speedscale/speedscale-operator-2.1.320.tgz
version: 2.1.320
- annotations: - annotations:
catalog.cattle.io/certified: partner catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator catalog.cattle.io/display-name: Speedscale Operator